Hello all,
I was checking /var/log/messages from the active node (Check Point R80.10 Cluster in Open Server - Take 154) and I found these entries; please can you help me to understand what they means and address the investigation:
1. kernel: [fw4_0];fwmultik_dispatch_inbound: instance mismatch (on connection <IP Address>(80) -> <IP Address> (9307) IPP 6): predefined says 2 lookup says 0)
2. kernel: [fw4_0];fwpslglue_do_log: Log buffer is full
3. kernel: [fw4_1];FW-1: Starting CUL mode because CPU usage (81%) on the local member increased above the configured threshold (80%).
4. kernel: [fw4_0];FW-1: SIM (SecureXL Implementation Module) SecureXL device detected.
kernel: [fw4_1];fwioctl: Policy has ended. Continuing extending dead timouts (fwha_cul_policy_done_time=8522491)
I also notices the $FWDIR/log/fw.log is unreadable:
Is that a normal behavior ? I don't think so...
Any useful information is really appreciated.
Thank you very much,
Luca
Hello Dmitry,
first of all, the "CPLogFilePrint $FWDIR/log/fw.log" worked fine, thank you.
Now, regarding the point 3: kernel: [fw4_1];FW-1: Starting CUL mode because CPU usage (81%) on the local member increased above the configured threshold (80%).
The entry appears when there is an high CPU usage (one of three fw_worker_<nn> process consumes about 70%, 80%, 85% and 90% percentage).
Casually I reproduced the issue: I was downloading a Windows 10 iso file from my client PC, then I noticed a 57% CPU usage (see screenshot below).
We have HTTPs Inspection and Application & URL Filtering enabled; Application & URL Filtering is enabled for ALL; however HTTPs Inspection is in ByPass for ALL, with the exception of my client computer where it was set to Inspect (because I'm testing HTTPs inspection before applying it to all users).
How is possible a simple file download from one client will use a lot of that CPU ? Do you think it is due to limited CPU license we are just using in our Check Point ?
Regarding the other points, I'll give you more information asap.
Thank you,
Luca
Excellent, looking forward to seeing it 
CPLogFilePrint seems to provide more details than fw log, which has been around since at least FireWall-1 version 2
| User | Count |
|---|---|
| 7 | |
| 6 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 |
Thu 14 Nov 2024 @ 03:00 PM (CET)
AI Series Part 2: Navigating AI to Balance Cyber Risks and Benefits - EMEA SessionThu 14 Nov 2024 @ 11:00 AM (EST)
Tips and Tricks 2024 #20: When Every Second Counts: Cybersecurity Incident ResponseThu 14 Nov 2024 @ 02:00 PM (EST)
AI Series Part 2: Navigating AI to Balance Cyber Risks and Benefits - Americas SessionTue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSThu 14 Nov 2024 @ 03:00 PM (CET)
AI Series Part 2: Navigating AI to Balance Cyber Risks and Benefits - EMEA SessionThu 14 Nov 2024 @ 11:00 AM (EST)
Tips and Tricks 2024 #20: When Every Second Counts: Cybersecurity Incident ResponseThu 14 Nov 2024 @ 02:00 PM (EST)
AI Series Part 2: Navigating AI to Balance Cyber Risks and Benefits - Americas SessionWed 20 Nov 2024 @ 05:00 PM (CET)
Under the Hood: DO NOT Renew your WAF without watching THIS!!Tue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cybersecurity: What’s New in Check Point’s Quantum Firewall R82Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaSThu 21 Nov 2024 @ 02:00 PM (MST)
Denver North: Infinity External Risk Management and Harmony SaaSTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management Workshop
