This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2024-12-27 07:49 AM

cpu detective and SND congestion

I have just noticed that the CPU detective is only designed to capture elephant flows if the FW worker is the problem.
If the SND process is congested then the CPU detective doesn't capture heavy connections.

sk166454 article is consistent what it has been described above.

I was wondering if someone knows how to workaround this constrain

I think it make sense and it would be very useful if we could find heavy connection if the SND is congested.


0 Kudos
8 Replies
AkosBakos
Leader Leader
Leader
‎2024-12-27 10:16 AM

Hi @Luis_Miguel_Mig 

And what about spike_detective?

I usually use this to determinate the high CPU usage on the GW.

Search for this string in the /var/log/messages.

akos

----------------
\m/_(>_<)_\m/
0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-12-27 10:24 AM

Hi @Luis_Miguel_Mig 

And one more really useful command: fw ctl multik print_heavy_conn

https://support.checkpoint.com/results/sk/sk178070

Maybe it can help.

Akos

 

----------------
\m/_(>_<)_\m/
(1)
the_rock
Legend
Legend
‎2024-12-27 11:46 AM
In response to AkosBakos

I had seen Tim Hall give that command many times, its great!

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-12-27 12:09 PM

On a Quantum Force (9000/19000/29000) or Lightspeed appliance, 100% CPU utilization on the SND cores (at least as reported by Linux-based tools such as vmstat or top) does not necessarily indicate congestion as UPPAK is enabled, which uses poll mode instead of interrupts to grab traffic for processing.

Please provide more information about your appliance model number and Jumbo HFA version.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-12-30 02:05 AM
In response to Timothy_Hall

My two cores dedicated to SND are usually around 15% utilization. During this period of heavy traffic  no only the cpu was over 80% but it also had a big impact in traffic latency traversing the FW.

I could see the cpu cores over 80% (and caused by SNDs) during the traffic spike thanks to CPU spike detective and cpview -t.

As I said, sk166454 article describes how CPU spike detective only captures elephant flows when the FW worker is under pressure.

My question is if anybody knows any workaround, trick or configuration settings that could allow CPU spike detective to capture "fw ctl multik print_heavy_conn" when SND is over 80% usage.

 

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-12-30 05:33 AM
In response to Luis_Miguel_Mig

Having the Spike Detective report spikes on the SNDs doesn't seem possible, as it is oriented to detecting user/process space thread/process spikes, whereas SecureXL/sim is mostly in the kernel on the SNDs.  Could probably write some kind of monitoring script that would check the SND load every 60 seconds or something, then try to grab some stats when it goes over some threshold.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-12-30 05:43 AM
In response to Luis_Miguel_Mig

Also you bring up a good point; I'm not sure that fw ctl multik print_heavy_conn will show elephant/heavy flows detected on an SND core, as the detection mechanism was originally developed to trigger Priority Queueing which only happens on the worker instances.  Tagging @AmitShmuel for a clarification on whether elephant flow detection happens on SND cores for fastpath traffic; I believe the answer is no.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Luis_Miguel_Mig
Advisor
‎2025-01-02 02:12 AM
In response to Timothy_Hall

Yeah, you are right.  I guess that the only options we have in that case is either netflow or rule accounting.
I guess none of them may help, they both will require more resources just when the firewall is congested due to an elephant flow.
My guess that rule accounting may be less demanding in terms of cpu resources, the problem is that it may be a pain to set it up for all the rules in your firewall.
It would be nice if there was an option to option in the global settings activate rule accounting for all the rules.

I guess another option may be to use the REST api and active rule accounting one by one with a script.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events