This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kosin_Usuwanthi
Collaborator
‎2017-09-19 08:04 PM

How to monitor bandwidth limit for application control

Hi

Anyone can advice. How to monitor bandwidth limit for application control ?

MGMT R80.10

GW R77.30

Bandwidth limit

15 Replies
Danny
Champion Champion
Champion
‎2017-09-20 05:56 AM

SmartEvent Views is what you are looking for.

Kosin_Usuwanthi
Collaborator
‎2017-09-20 11:59 PM

Hi Danny

Thank you for your advice but I would like to see real time utilize or exceed drop for limit policy  when user complain about slow access.

0 Kudos
Nico_Seddig
Explorer
‎2023-03-08 02:42 AM
In response to Kosin_Usuwanthi

Hi all,

after a long time for that question i would like to ask if someone found a real solution . I have the same question and tried to figure out the possibility with a view from Logs&Monitor page. The problem ist that  i found based on sk144192 the table fields for limit_request, limit_applied, etc. but i cant choose it within the table settings of the view. The table fields were indexed but no name that i can search for. Any hint would be helpfully.

Table_fields.PNG
Preview file
29 KB
Table_settings.PNG
Preview file
62 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-08 09:54 AM
In response to Nico_Seddig

SmartEvent can only create reports on fields that are directly indexed.
These fields are not, presumably, which is why they can't be specified for reports.
Sometimes, specific fields can be enabled through an RFE with your local Check Point office.

0 Kudos
Nico_Seddig
Explorer
‎2023-03-09 12:07 AM
In response to PhoneBoy

Hello again, thanks for the quick response. I will go back to our customer with that information and will discuss it maybe with our Channel Partner SE. Thanks and have a nice day.

0 Kudos
Kosin_Usuwanthi
Collaborator
‎2017-09-21 12:26 AM

Note - The Security Gateway implements the Limit action by dropping successive packets which exceed the allowed bandwidth.

How to monitor exceed drop ? I have no see this log from SmartConsole.

Danny
Champion Champion
Champion
‎2017-09-21 01:23 AM
In response to Kosin_Usuwanthi

Then you want to use SmartLog like this:

Ed_Eades
Contributor
‎2018-11-13 03:15 PM
In response to Danny

I do not get any results when using the filter, "bandwidth AND appi_name:YouTube".  However I do get results if use the filter, "bandwidth" by itself or "appi_name:YouTube" by itself.

I am very interested in getting the results like the screen shot from Kosin.

Hugo_vd_Kooij
Advisor
‎2017-09-21 05:39 AM
In response to Kosin_Usuwanthi

Bandwidth management by dropping packets is a bad strategy. You can get much better results by changing (reducing) window sizes in responses and holding back acknowledgement packets.

Nothing gets dropped but you let the TCP protocol do the bandwidth limiting.

Not somethink I invented. Companies like PacketShaper (bought by Blue Coat, bought in turn by Symantec) did create great appliances with features like this.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Kosin_Usuwanthi
Collaborator
‎2017-09-24 08:37 PM

Thank you Danny. Now I can see drop log from smartview for bandwidth limit policy.

ovidiu_catrina
Contributor
‎2018-02-15 03:23 AM
In response to Kosin_Usuwanthi

hi

i have the same question as you.

Could you please guide me on how to get those statistics as you did?

thanks

0 Kudos
Greg_Harbers
Collaborator
‎2023-05-22 04:38 PM
In response to Kosin_Usuwanthi

Hi,
are you able to provide any additonal details as to how you got this report?
Thanks

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-02-15 01:40 PM

When researching my book I dug into the APCL Limit feature, trying to find a way to disable APCL limits "on the fly" for testing purposes or to monitor real-time statistics for packets dropped due to a Limit.  The goal was to ensure an enforced Limit was not the cause of poor performance.  Other than the statistics that are included in the traffic logs as demonstrated by Danny Jung‌ above, there isn't a direct way to do that.  I also discovered that APCL/URLF cannot be disabled "on the fly" like Threat Prevention can with fw amw unload.

However fw ctl zdebug drop will show real-time packet drops due to an APCL limit with the message: PSL Drop: APPI_LIMIT

Also watch out for this issue when limits are applied to traffic subject to HTTPS Inspection:

sk70600: Connectivity issues when configuring Application Control limit and enabling HTTPS Inspectio...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
phlrnnr
Advisor
‎2020-04-01 09:01 AM
In response to Timothy_Hall

@Timothy_Hall doesn't sk70600 only apply to R75.40?  Or does it apply to the R80 trains as well?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-04-01 09:11 AM
In response to phlrnnr

The cpas_tcp_do_sack variable still exists in the R80.40 kernel and its default value is 1.  If I'm reading the SK correctly you only need to flip this variable if the two hosts are using very large TCP windows and packet loss is present.  There were a ton of changes to CPAS (R80.20) and TLS Inspection (R80.30) so this variable may not even be relevant anymore.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top