This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stan_Mazur
Participant
‎2018-08-06 11:47 AM

VSX FW1_dev 140% cpu.

Is there a way to not accelerate service on SecureXL on VSX. The issue is I have a admin in VM team that kick's

off replication jobs(8-10 of them) and it pumping between 100 to 400 Mbps on service port ideafarm-door (902), which

seems to stay with FWK1-DEV. When I push policy to that device it fails, because it times out. So I have to reach

out to the admin to pause his jobs, so I can push policy. Everything else work fine. Is this VSX bug?

7 Replies
_Val_
Admin
Admin
‎2018-08-06 12:56 PM

Firstly, yes, you can disable SecureXL on per VS basis using CLI "fwaccell off" command from a VS content. However, this will only add to your current issue, instead of resolving it. 

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-08-06 02:37 PM

Hi. It's not a bug, you just need to tweak CoreXL and SXL to meet traffic requirements. It could well be that system will be underpowered to deal with such traffic volume. Therefore, can you share top command output showing all 16 individual core utilisation when it happens? Just to see which cores are maxed out.

As Valeri said SXL is actually your friend in high volume traffic, it should help free up CPU usage.

0 Kudos
Vladimir
Champion
Champion
‎2018-08-06 05:34 PM

Could it be an interface buffer size issue?

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-08-06 09:13 PM
In response to Vladimir

Don't think so but can't tell from logs provided. CoreXL allocation is not exactly right as cores 2 and 3 seems to be used for SXL and generic firewall tasks (except fwk). We need to see detailed CPU usage to make correct call 

0 Kudos
JanVC
Collaborator
‎2018-08-07 02:06 AM

fwk1_dev is the combination of the 4 cores allocated to this vs

while in top, press shift+h to show the individual threads (worker cores)

148% means 1.5 of the 4 assigned cores being used

0 Kudos
Stan_Mazur
Participant
‎2018-08-09 12:42 PM

Check Point support conclusion is related MTU size on vs 1 interfaces. Where running 10g interface with MTU size 9000,according,to CP they our working 

on Hotfix." The recommended hotfix was not yet ported to Take_317, the latest version was for Take_302. I tested this version and it is not compatible

with 317"

HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2018-11-18 12:01 PM

SecureXL "fwaccel off" does not have to be disabled on R80.20 to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.

More see here: R80.x Performance Tuning and Debug Tips – fw monitor 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events