This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nlegastelois
Explorer
‎2021-09-01 04:44 AM

unable to find who is consuming bandwidth

Hello,

I am using a clusterXL with gateways on R80.30 and I am trying to find a way to identify who is consuming the bandwidth when our network is oveloaded.

I tried cpview but the top connection in network is not there anymore.

I tried using smart monitor but there is no the option maybe because I don't have the monitoring licence.

I tried running the script to find the top talkers but it's not based on the bandwidth.

So do you know what could be the solution ?

Thanks

Nicolas

0 Kudos
8 Replies
Timothy_Hall
Champion
Champion
‎2021-09-01 05:04 AM

Load R80.30 Jumbo HFA Take 227 or higher and several helpful cpview screens (including Top Connections) will return.  You can also try running  fw ctl multik print_heavy_conn which will show you all the elephant flows in the last 24 hours.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Mattias_Jansson
Contributor
‎2022-03-28 01:06 AM
In response to Timothy_Hall

There is a note for enabling top connections in cpview as described in sk167903 saying:
Note: enabling this feature may cause a performance impact!

We are on 23900 appliance with R80.30 take 237 on vsx (vsls) with cpu peaking at 40-45%. I am seeing much higher througput then normal for a couple of days. Is it safe to enable the feature to find the connections causing high traffic?

Btw: is fw ctl multik print_heavy_conn not supported on vsx?

0 Kudos
shais
Employee
Employee
‎2022-03-28 02:54 AM
In response to Mattias_Jansson

Hi,

It's safe to enable the top connections/protocol, at ~45% CPU you won't see much impact from this.

Note that this will only enable the view under Network tab, not CPU tab.

Timothy_Hall
Champion
Champion
‎2022-03-28 04:47 AM
In response to Mattias_Jansson

fw ctl multik print_heavy_conn does not work in VSX until R80.40 Jumbo HFA Take 78+ and later.  I've never noticed a performance impact by enabling this feature.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
the_rock
Champion
Champion
‎2021-09-01 05:58 AM

I thought I saw option for that in SV monitor, but I could be wrong. Let me look it up in the R80.40 lab.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-01 06:07 AM

You have to take specifics steps to enable top connections after installing JHF 227 or above on R80.30.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
nlegastelois
Explorer
‎2021-09-03 12:25 AM
In response to PhoneBoy

Unfortunatly I have a specific hotfix on the take 196 that will not follow the upgrade to the take 227 so I have to find a solution in waiting.

Thanks for your answers

0 Kudos
the_rock
Champion
Champion
‎2021-09-03 01:04 AM
In response to nlegastelois

The best advice I could offer in that case would be to ask TAC if port fix would be possible by R&D, so you dont lose feature of custom fix given on top of take 196, if they could include that in take 227.

0 Kudos