Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kosin_Usuwanthi
Collaborator

How to monitor bandwidth limit for application control

Hi

Anyone can advice. How to monitor bandwidth limit for application control ?

MGMT R80.10

GW R77.30

Bandwidth limit

15 Replies
Danny
Champion Champion
Champion

SmartEvent Views is what you are looking for.

Kosin_Usuwanthi
Collaborator

Hi Danny

Thank you for your advice but I would like to see real time utilize or exceed drop for limit policy  when user complain about slow access.

0 Kudos
Nico_Seddig
Explorer

Hi all,

after a long time for that question i would like to ask if someone found a real solution . I have the same question and tried to figure out the possibility with a view from Logs&Monitor page. The problem ist that  i found based on sk144192 the table fields for limit_request, limit_applied, etc. but i cant choose it within the table settings of the view. The table fields were indexed but no name that i can search for. Any hint would be helpfully.

0 Kudos
PhoneBoy
Admin
Admin

SmartEvent can only create reports on fields that are directly indexed.
These fields are not, presumably, which is why they can't be specified for reports.
Sometimes, specific fields can be enabled through an RFE with your local Check Point office.

0 Kudos
Nico_Seddig
Explorer

Hello again, thanks for the quick response. I will go back to our customer with that information and will discuss it maybe with our Channel Partner SE. Thanks and have a nice day.

0 Kudos
Kosin_Usuwanthi
Collaborator

Note - The Security Gateway implements the Limit action by dropping successive packets which exceed the allowed bandwidth.

How to monitor exceed drop ? I have no see this log from SmartConsole.

Danny
Champion Champion
Champion

Then you want to use SmartLog like this:

Ed_Eades
Contributor

I do not get any results when using the filter, "bandwidth AND appi_name:YouTube".  However I do get results if use the filter, "bandwidth" by itself or "appi_name:YouTube" by itself.

I am very interested in getting the results like the screen shot from Kosin.

Hugo_vd_Kooij
Advisor

Bandwidth management by dropping packets is a bad strategy. You can get much better results by changing (reducing) window sizes in responses and holding back acknowledgement packets.

Nothing gets dropped but you let the TCP protocol do the bandwidth limiting.

Not somethink I invented. Companies like PacketShaper (bought by Blue Coat, bought in turn by Symantec) did create great appliances with features like this.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Kosin_Usuwanthi
Collaborator

Thank you Danny. Now I can see drop log from smartview for bandwidth limit policy.

ovidiu_catrina
Contributor

hi

i have the same question as you.

Could you please guide me on how to get those statistics as you did?

thanks

0 Kudos
Greg_Harbers
Collaborator

Hi,
are you able to provide any additonal details as to how you got this report?
Thanks

0 Kudos
Timothy_Hall
Legend Legend
Legend

When researching my book I dug into the APCL Limit feature, trying to find a way to disable APCL limits "on the fly" for testing purposes or to monitor real-time statistics for packets dropped due to a Limit.  The goal was to ensure an enforced Limit was not the cause of poor performance.  Other than the statistics that are included in the traffic logs as demonstrated by Danny Jung‌ above, there isn't a direct way to do that.  I also discovered that APCL/URLF cannot be disabled "on the fly" like Threat Prevention can with fw amw unload.

However fw ctl zdebug drop will show real-time packet drops due to an APCL limit with the message: PSL Drop: APPI_LIMIT

Also watch out for this issue when limits are applied to traffic subject to HTTPS Inspection:

sk70600: Connectivity issues when configuring Application Control limit and enabling HTTPS Inspectio...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
phlrnnr
Advisor

@Timothy_Hall doesn't sk70600 only apply to R75.40?  Or does it apply to the R80 trains as well?

0 Kudos
Timothy_Hall
Legend Legend
Legend

The cpas_tcp_do_sack variable still exists in the R80.40 kernel and its default value is 1.  If I'm reading the SK correctly you only need to flip this variable if the two hosts are using very large TCP windows and packet loss is present.  There were a ton of changes to CPAS (R80.20) and TLS Inspection (R80.30) so this variable may not even be relevant anymore.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events