Why is memory swapping on the gateway ?
Hello,
See this post https://community.checkpoint.com/thread/6883-memory-status-shows-red-color-on-management-server for the beginning of this thread and the relevant screenshots.
I'm posting here to have clues to understand why memory is swapping on our active gateway.
We have a cluster of two 5400 appliances and one SMS server to handle the management, logging and monitoring.
These gateways are new and have been running for 2 weeks now (we were not on Check Point before), and we have recently observed some swapping on the active gateway, after days of continuous growth of memory consumption (about 2% per day). After 80%, the SMS showed memory consumption in red color. Running the top command on the active gateway and sorting on memory (hitting M) shows that the wstlsd process is consuming (or reserving?) a fair amount of memory. And this amount consumed seems to stay at the same level at night or during non-business days.
Running a "show version all" on the active gateway gives:
Product version Check Point Gaia R80.10
OS Build 462
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit
We have both HTTPS inspection AND "Categorize HTTPS sites" enabled in AC & URL filtering (I understood that the latter is not working if the former is enabled). The vast majority of https traffic is by now bypassed and we are in the process of gradually deploying the root certificate on computers to actively inspect the ssl connections.
To my knowledge, the result of the command "sar -W" (screenshot taken today) tends to show that the system is actively swapping.
Is the wstlsd process allocating memory even if it does not use it ? Is it possible to have a list of the connections handled by this process ?
Thanks
Accepted Solutions
Hello, the gateway is no longer swapping since last JHA n°103 was applied (all rules and parameters unchanged). See picture. Thanks.
Categorize HTTPS Sites and HTTPS Inspection are mutually exclusive options, FYI.
wstlsd handles connections that are being HTTPS Inspected.
You can debug it using the following SK if needed: How to debug WSTLSD daemon
It is normal to see a low amount of pswpins/s with sar -W as processes read various types of data off the hard drive such as code pages, libraries, conf files, etc. Default pagesize in Linux is 4KB, and the highest number shown in your output is 0.53 pages swapped in per second, or approximately 2KB per second being read from the hard drive which is inconsequential.
Notice that pswpout/s is always zero in your screenshot which means no pages of memory are getting involuntarily thrown out of memory to the hard drive due to a shortage of RAM. When this number is nonzero then you have some cause for concern.
The memory growth you are seeing is probably due to use of RAM for buffering/caching of hard drive operations, please post output of free -m.
As Dameon Welch Abernathy noted, wstlsd is related to HTTPS Inspection and the "Categorize HTTPS Sites" checkbox and was covered in my book. While the memory allocated by each wstlsd process may look concerning, a large amount of that memory is actually being shared amongst the wstlsd processes since they are all doing pretty much the same operations. So the overall amount of memory being consumed by these processes can appear far higher than it is in actuality.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
CET (Europe) Timezone Course Scheduled for July 1-2
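Added example, not part of the thread or any poster's code: a small filter that applies the reading of `sar -W` described in the reply above, ignoring low pswpin/s and flagging any sample where pswpout/s is nonzero, with rates converted using the 4 KB page size. The function names, the hostname and the sample readings are constructed for illustration, and the two-column `pswpin/s pswpout/s` layout is assumed.

```shell
#!/bin/sh
# Added example. PAGE_KB is the default Linux page size cited in the reply.
PAGE_KB=4

# Reads `sar -W` text on stdin. Prints one SWAPOUT line per sample with
# nonzero pswpout/s, then a summary. Returns 1 if any such sample exists.
swap_report() {
    awk -v page_kb="$PAGE_KB" '
        $1 == "Average:" { next }        # keep only per-interval samples
        # Data rows end in two numeric columns; banner and header do not.
        NF >= 3 && $(NF-1) ~ /^[0-9]+(\.[0-9]+)?$/ && $NF ~ /^[0-9]+(\.[0-9]+)?$/ {
            n++
            if ($(NF-1) + 0 > peak_in) peak_in = $(NF-1) + 0
            if ($NF + 0 > 0) {
                out++
                ts = (NF == 4) ? $1 " " $2 : $1   # 12h clocks add AM/PM
                printf "SWAPOUT %s %.2f pages/s (%.1f KB/s)\n", ts, $NF, $NF * page_kb
            }
        }
        END {
            printf "samples=%d swapout_samples=%d peak_pswpin_kbs=%.2f\n", n, out, peak_in * page_kb
            exit(out > 0 ? 1 : 0)
        }'
}

# Constructed sample: only small swap-ins, as in the case discussed above.
sample_quiet() { cat <<'EOF'
Linux 2.6.18-92cpx86_64 (gw-example)    01/01/2018

12:00:01 AM  pswpin/s pswpout/s
12:10:01 AM      0.00      0.00
12:20:01 AM      0.53      0.00
12:30:01 AM      0.12      0.00
Average:         0.22      0.00
EOF
}

# Constructed sample: pages being pushed out to disk (real memory pressure).
sample_pressure() { cat <<'EOF'
14:00:01     pswpin/s pswpout/s
14:10:01         1.20      0.00
14:20:01         3.10     12.50
Average:         2.15      6.25
EOF
}

sample_quiet | swap_report || true
sample_pressure | swap_report || true
```

On a live system the same function can be fed directly with `sar -W | swap_report`.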
