Trevor_Bruss
Contributor

Single SND on 8 core

We have a single site Maestro setup with two 6500 units in a security group. I feel like CPU usage has risen after migrating to R81.10. We've seen some outages to traffic during some of the CUL moments which we're working with TAC on, but we're uncertain if the higher usage and spikes are the reason.

Given the 8 cores are currently split 2/6, I monitored the two SND cores on each unit and they run 10-15% on average, could I feasibly configure the group to use 7 cores on each member for firewall processing leaving a single CPU for SND? Given these just connect up to the Orchestrator fabric, I didn't know if that would hurt us in any way. Maybe I'm oversimplifying by thinking the CPU usage with one core would just average a bit higher.

I realize ultimately I need to see if there is anything we need to do to optimize the performance to lower CPU. I'll leave that for when I have more time to leave results of our super 7.

4 Replies
HeikoAnkenbrand
Champion

You can do this with Maestro just like with a normal firewall!
With 1/7 you will reduce the throughput on the downlinks.

I wouldn't do this unless the CoreXL instances are all running at 90%-100% core utilisation.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Timothy_Hall
Legend

Agree with Heiko here, I don't think going from a 2/6 split to a 1/7 split will make a huge difference in your scenario.  It might, but you need to understand where the spikes are coming from first before trying to tune things.  Please provide the output of enabled_blades on your 6500 as well as the Super Seven outputs:

https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40...

If you are on R81.10 Dynamic Split should be enabled by default anyway, although perhaps that feature is not supported when used with Maestro.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Trevor_Bruss
Contributor

These are the enabled blades:

fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot

I've also included a recent Super7 from each member of the security group.

One thing I did implement yesterday was the penalty box feature. Also, according to sk164155, Maestro units do not support Dynamic Split.

Timothy_Hall
Legend

Looks like you could move to a 1/7 split and the single SND will be able to keep up with the load.  Everything looks like it is running pretty well based on the blades you have enabled, the zero templating rate (conns in fwaccel stats -s) is caused by Anti-bot and you can't really do anything about it.

One thing that is slightly high is your percentage of F2F traffic in the mid 20's.  Ideally that should be 10% or lower, this F2F percentage could be caused by a large number of drops invoking excessive rulebase lookups which the penalty box should help with.  Run the command fw ctl multik gconn and compare it with fwaccel conns (which does not show F2F connections), are there any common attributes of connections that are being handled F2F?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
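The comparison Timothy describes above (kernel connection table versus the SecureXL table, then looking for what the F2F connections have in common, and checking the F2F share against the ~10% target) can be scripted once both outputs are saved to files. The following is an added illustration, not Check Point's code and not part of the thread. It assumes a simplified, constructed five-column layout (src sport dst dport proto) rather than the real column layout of `fw ctl multik gconn` or `fwaccel conns`; `parse_tuples()` is where a practitioner would adapt the column mapping to the actual output on their gateway. The sample tables below are constructed.

```python
"""Isolate Firewall-path (F2F) connections by diffing the kernel's global
connection table against SecureXL's table, then summarise what the F2F
connections have in common.

Added example, not Check Point code.  Input layout is an ASSUMPTION: one
connection per line as "src sport dst dport proto"; adapt parse_tuples()
to the real column order of `fw ctl multik gconn` / `fwaccel conns`.
"""
from collections import Counter

F2F_TARGET_RATIO = 0.10  # the "10% or lower" guidance from the thread

# Constructed sample of the kernel (global) connection table.
GCONN_SAMPLE = """
# src         sport  dst           dport proto   (constructed, simplified)
10.1.1.10     50001  192.0.2.10    443   6
10.1.1.11     50002  192.0.2.10    443   6
10.1.1.12     50003  192.0.2.11    80    6
10.1.1.13     50004  192.0.2.12    53    17
10.1.1.14     50005  192.0.2.12    53    17
10.1.1.15     50006  198.51.100.7  22    6
10.1.1.16     50007  198.51.100.7  22    6
10.1.1.17     50008  198.51.100.7  22    6
10.1.1.18     50009  192.0.2.10    443   6
10.1.1.19     50010  192.0.2.13    8080  6
"""

# Constructed sample of the SecureXL table: same entries minus the three
# SSH sessions to 198.51.100.7, which are therefore being handled F2F.
ACCEL_SAMPLE = """
10.1.1.10     50001  192.0.2.10    443   6
10.1.1.11     50002  192.0.2.10    443   6
10.1.1.12     50003  192.0.2.11    80    6
10.1.1.13     50004  192.0.2.12    53    17
10.1.1.14     50005  192.0.2.12    53    17
10.1.1.18     50009  192.0.2.10    443   6
10.1.1.19     50010  192.0.2.13    8080  6
"""


def parse_tuples(text):
    """Return a set of (src, sport, dst, dport, proto) tuples.

    Blank lines and '#' comments are skipped; lines with fewer than five
    fields are ignored so stray header/footer text does not break parsing.
    """
    conns = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        src, sport, dst, dport, proto = parts[:5]
        conns.add((src, int(sport), dst, int(dport), int(proto)))
    return conns


def f2f_connections(gconn, accel):
    """Connections known to the kernel but absent from SecureXL are F2F
    (fwaccel conns does not list F2F connections)."""
    return gconn - accel


def f2f_ratio(gconn, accel):
    """Share of all kernel connections that are handled F2F."""
    if not gconn:
        return 0.0
    return len(f2f_connections(gconn, accel)) / len(gconn)


def summarise(conns, top=3):
    """Most common (proto, dport) services and destination hosts among conns."""
    by_service = Counter((c[4], c[3]) for c in conns).most_common(top)
    by_dest = Counter(c[2] for c in conns).most_common(top)
    return by_service, by_dest


def analyse(gconn_text, accel_text, top=3):
    """Full analysis: F2F set, its ratio, whether it exceeds the target,
    and the common attributes of the F2F connections."""
    gconn = parse_tuples(gconn_text)
    accel = parse_tuples(accel_text)
    f2f = f2f_connections(gconn, accel)
    ratio = f2f_ratio(gconn, accel)
    by_service, by_dest = summarise(f2f, top)
    return {
        "total": len(gconn),
        "f2f_count": len(f2f),
        "f2f_ratio": ratio,
        "above_target": ratio > F2F_TARGET_RATIO,
        "by_service": by_service,
        "by_dest": by_dest,
    }


if __name__ == "__main__":
    result = analyse(GCONN_SAMPLE, ACCEL_SAMPLE)
    print(f"{result['f2f_count']}/{result['total']} connections are F2F "
          f"({result['f2f_ratio']:.0%}); above target: {result['above_target']}")
    print("top F2F (proto, dport):", result["by_service"])
    print("top F2F destinations:  ", result["by_dest"])
```

With the constructed tables the three SSH sessions to one host fall out as the F2F set (30% of connections, above the 10% target), which is the kind of shared attribute the thread suggests looking for before changing the core split.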