Hello all,
I was checking /var/log/messages from the active node (Check Point R80.10 Cluster in Open Server - Take 154) and I found these entries; please can you help me to understand what they means and address the investigation:
1. kernel: [fw4_0];fwmultik_dispatch_inbound: instance mismatch (on connection <IP Address>(80) -> <IP Address> (9307) IPP 6): predefined says 2 lookup says 0)
2. kernel: [fw4_0];fwpslglue_do_log: Log buffer is full
3. kernel: [fw4_1];FW-1: Starting CUL mode because CPU usage (81%) on the local member increased above the configured threshold (80%).
4. kernel: [fw4_0];FW-1: SIM (SecureXL Implementation Module) SecureXL device detected.
kernel: [fw4_1];fwioctl: Policy has ended. Continuing extending dead timouts (fwha_cul_policy_done_time=8522491)
I also notices the $FWDIR/log/fw.log is unreadable:
Is that a normal behavior ? I don't think so...
Any useful information is really appreciated.
Thank you very much,
Luca
Hello Dmitry,
first of all, the "CPLogFilePrint $FWDIR/log/fw.log" worked fine, thank you.
Now, regarding the point 3: kernel: [fw4_1];FW-1: Starting CUL mode because CPU usage (81%) on the local member increased above the configured threshold (80%).
The entry appears when there is an high CPU usage (one of three fw_worker_<nn> process consumes about 70%, 80%, 85% and 90% percentage).
Casually I reproduced the issue: I was downloading a Windows 10 iso file from my client PC, then I noticed a 57% CPU usage (see screenshot below).
We have HTTPs Inspection and Application & URL Filtering enabled; Application & URL Filtering is enabled for ALL; however HTTPs Inspection is in ByPass for ALL, with the exception of my client computer where it was set to Inspect (because I'm testing HTTPs inspection before applying it to all users).
How is possible a simple file download from one client will use a lot of that CPU ? Do you think it is due to limited CPU license we are just using in our Check Point ?
Regarding the other points, I'll give you more information asap.
Thank you,
Luca
Excellent, looking forward to seeing it 
CPLogFilePrint seems to provide more details than fw log, which has been around since at least FireWall-1 version 2
| User | Count |
|---|---|
| 13 | |
| 5 | |
| 5 | |
| 5 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 | |
| 3 |
Tue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopTue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsWed 04 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 2: Cloud Risk Management WorkshopThu 05 Dec 2024 @ 10:00 AM (CET)
Impactful Intelligence: Introducing Check Point Infinity External Risk Management - EMEATue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsThu 05 Dec 2024 @ 10:00 AM (CET)
Impactful Intelligence: Introducing Check Point Infinity External Risk Management - EMEAThu 05 Dec 2024 @ 05:00 PM (CET)
Impactful Intelligence: Introducing Check Point Infinity External Risk Management - AMERTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopWed 04 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 2: Cloud Risk Management Workshop
