Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
nlegastelois
Explorer

unable to find who is consuming bandwidth

Hello,

I am using a clusterXL with gateways on R80.30 and I am trying to find a way to identify who is consuming the bandwidth when our network is oveloaded.

I tried cpview but the top connection in network is not there anymore.

I tried using smart monitor but there is no the option maybe because I don't have the monitoring licence.

I tried running the script to find the top talkers but it's not based on the bandwidth.

So do you know what could be the solution ?

Thanks

Nicolas

0 Kudos
8 Replies
Timothy_Hall
Champion
Champion

Load R80.30 Jumbo HFA Take 227 or higher and several helpful cpview screens (including Top Connections) will return.  You can also try running  fw ctl multik print_heavy_conn which will show you all the elephant flows in the last 24 hours.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Mattias_Jansson
Contributor

There is a note for enabling top connections in cpview as described in sk167903 saying:
Note: enabling this feature may cause a performance impact!

We are on 23900 appliance with R80.30 take 237 on vsx (vsls) with cpu peaking at 40-45%. I am seeing much higher througput then normal for a couple of days. Is it safe to enable the feature to find the connections causing high traffic?

Btw: is fw ctl multik print_heavy_conn not supported on vsx?

0 Kudos
shais
Employee
Employee

Hi,

It's safe to enable the top connections/protocol, at ~45% CPU you won't see much impact from this.

Note that this will only enable the view under Network tab, not CPU tab.

Timothy_Hall
Champion
Champion

fw ctl multik print_heavy_conn does not work in VSX until R80.40 Jumbo HFA Take 78+ and later.  I've never noticed a performance impact by enabling this feature.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
the_rock
Champion
Champion

I thought I saw option for that in SV monitor, but I could be wrong. Let me look it up in the R80.40 lab.

0 Kudos
PhoneBoy
Admin
Admin

You have to take specifics steps to enable top connections after installing JHF 227 or above on R80.30.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
nlegastelois
Explorer

Unfortunatly I have a specific hotfix on the take 196 that will not follow the upgrade to the take 227 so I have to find a solution in waiting.

Thanks for your answers

0 Kudos
the_rock
Champion
Champion

The best advice I could offer in that case would be to ask TAC if port fix would be possible by R&D, so you dont lose feature of custom fix given on top of take 196, if they could include that in take 227.

0 Kudos