Re: Maestro packet delays

Arturxr · ‎2026-03-11

Hello, we're experiencing slight packet delays on the incoming interface, mostly during periods of increased user activity. This is presumably related to CPU load. Could you please tell me how to optimize Maestro settings or identify the cause of the problem?

- We rebooted, but afterward, CPU load increased.
- Packet loss is definitely less than 1%.
- Version 81.10. We wanted to configure core balancing, but it's only available with 81.20.
- Judging by the logs from one of the sercurity group members, there are no logs in the Smart Console.

Martijn · ‎2026-03-11

Hi,

Support on R81.10 will end this month so the an upgrade to a newer version is adviced.
Then you can benefit from all the new features when it comes to performance en optimization.

Can you tell us more about the setup?

- Hardware
- Hotfix version
- Gateway or VSX Gateway
- Single Site or Dual Site
- Active Blades
- What did you already check

You can check the distribution mode to see traffic is evenly distributed among the SGM's.
Maybe a misconfiguration in one of the blades?

Check the whole setup with 'asg diag verify' to see if the set is healthy?

There are some good posts on this channel you can review.

Maestro Troubleshooting in Practice - Check Point CheckMates
Maestro Masters 2025: Quantum Maestro Architecture... - Check Point CheckMates

Maybe not all relevant for R81.10, but you might get some tips to investigate your issue.

Regards,
Martijn

Arturxr · ‎2026-03-12

-7000

-JHF 110

-Gateway

-Dual Site

-fw vpn urlf av appi ips identityServer anti_bot

- FW and SND core load - there's 1 FWD core, 4 are listed as OTHER, the rest are FW, OTHER, as I understand it, are SND, and they are loaded to 90-95%.
RX drops were also checked on the interfaces; they are very small and only on the incoming interface.
Many errors in $FWDIR/log/fwd.elg and messages (asg_copy_capture). sk182634 didn't help, we plan to try sk170331 (this concerns the log issues).

No new issues have been found recently.
The only thing is that the configs were slightly different; I adjusted them as in sk sk181299.
There are no issues with distribution.

Wolfgang · ‎2026-03-12

How many 7000 appliances do you have on every site ?

Are you using VSX ?

If your SNDs are overloaded you can configure more cores for SND then fw_worker.

Arturxr · ‎2026-03-12

4 in total, 2 at each site

Arturxr · ‎2026-03-12

No, we don't use vsx. We considered adding another SND, but we wouldn't want to break anything, since it's a Maestro and the configuration must match for all group members.

Martijn · ‎2026-03-12

Hi,

Have you checked the release notes for recent jumbo hotfixes. You are on take 110 which became recommended August 2023.
So this JHF is almost 3 years old and we are on take 183 at the moment.

Installing a JHF maybe less interruptive than changing CoreXL settings.

Martijn

If you do not want to add more SND's, you could try to install the latest recommended take and see what happens.

Arturxr · ‎2026-03-12

It's just strange that after the reboot the CPU load also increased, although we hadn't observed this before.

Timothy_Hall · ‎2026-03-12

Please run the Super Seven commands via s7pac on the SMO Master gateway when the problem is happening and post the results:

https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40...

Sounds like you don't have enough SNDs, which could be due to a lot of fastpath traffic or elephant flows.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

Arturxr · ‎2026-03-12

Thanks, I use this script a lot, but after running it I didn't see any problems that could affect the CPU load. Maybe we really should update to the new version.