Re: Question about bandwidth usage

Belmin

Hello,

I have a question regarding the throughput on the Quantum Spark 1570 Appliance. The client had 630/180 speed from the ISP, after some time they requested from the ISP a new speed which is 730/190. The ISP changed the modem and after measuring on the modem the speed is as espected. But measuring on the checkpoint the speed is not even near the one on the modem. Does anyone have any ideas? I tried to disabling QoS, MTU set to 1500.

PhoneBoy

What version of firmware?
What is the connectivity method?
How precisely is the bandwidth being measured?
What blades are active on the gateway?
Output of the following while testing might also be helpful: https://community.checkpoint.com/t5/SMB-Gateways-Spark/Super-Seven-Performance-Assessment-Commands-S...

Belmin

Firmware version: R81.10.10 (996002993)

Connectivity method: Fiber optic to ISP modem, from modem to checkpoint ethernet

How precisely is the bandwidth being measured: Speed test on the modem 730/190, speed test on the chekpoint and local pc's 190/80

What blades are active on the gateway: Firewall blade Standard, User awareness blade on, QoS blade off

fwaccel stat

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
LightSpeed Accel : disabled

fwaccel stats -s

Accelerated conns/Total conns : 6/2960 (0%)
LightSpeed conns/Total conns : 0/2960 (0%)
Accelerated pkts/Total pkts : 2069783812/2179120873 (94%)
LightSpeed pkts/Total pkts : 0/2179120873 (0%)
F2Fed pkts/Total pkts : 109337061/2179120873 (5%)
F2V pkts/Total pkts : 7916896/2179120873 (0%)
Smart Accel pkts/Total pkts : 94245553/2179120873 (4%)
CPASXL pkts/Total pkts : 0/2179120873 (0%)
PSLXL pkts/Total pkts : 1974112393/2179120873 (90%)
CPAS pipeline pkts/Total pkts : 0/2179120873 (0%)
PSL pipeline pkts/Total pkts : 0/2179120873 (0%)
CPAS inline pkts/Total pkts : 0/2179120873 (0%)
PSL inline pkts/Total pkts : 0/2179120873 (0%)
QOS inbound pkts/Total pkts : 0/2179120873 (0%)
QOS outbound pkts/Total pkts : 0/2179120873 (0%)
Corrected pkts/Total pkts : 0/2179120873 (0%)

fw ctl affinity -l -r
CPU 0: fw_0 (active)
CPU 1: fw_1 (active)
CPU 2: fw_2 (active)
All: WAN
ted iked wsdnsd ted iked wsdnsd

fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 1235 | 10483
1 | Yes | 1 | 1305 | 10497
2 | Yes | 2 | 1275 | 10896

cpstat os -f multi_cpu

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 10| 29| 61| 31| -| 15624|
| 2| 13| 28| 59| 31| -| 15606|
| 3| 12| 26| 63| 28| -| 15606|
---------------------------------------------------------------------------------

fw ctl pstat

System Capacity Summary:
Memory used: 55% (744 MB out of 1339 MB) - below watermark
Concurrent Connections: 2% (4165 out of 149900) - below watermark
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:
Total memory allocated: 623915008 bytes in 152323 (4096 bytes) blocks using 41 pools
Initial memory allocated: 276824064 bytes (Hash memory extended by 347090944 bytes)
Memory allocation limit: 629145600 bytes using 512 pools
Total memory bytes used: 0 unused: 623915008 (100.00%) peak: 706861396
Total memory blocks used: 0 unused: 152323 (100%) peak: 177987
Allocations: 4134986892 alloc, 150 failed alloc, 4132501181 free

System kernel memory (smem) statistics:
Total memory bytes used: 958899908 peak: 1053662320
Total memory bytes wasted: 6156815
Blocking memory bytes used: 2923432 peak: 10464144
Non-Blocking memory bytes used: 955976476 peak: 1043198176
Allocations: 18135583 alloc, 0 failed alloc, 18130702 free, 0 failed free
vmalloc bytes used: 951644984 expensive: no

Kernel memory (kmem) statistics:
Total memory bytes used: 643444940 peak: 1035286192
Allocations: 4153115279 alloc, 0 failed alloc
4150626484 free, 0 failed free
External Allocations:
Packets: 715936, SXL: 4524680, Reorder: 0
Zeco: 0, SHMEM: 4320, Resctrl: 0
ADPDRV: 0, PPK_CI: 1720672, PPK_CORR: 0

Cookies:
3711271711 total, 24509026 alloc, 24509025 free,
778849115 dup, 655512408 get, 2003712517 put,
4187130447 len, 1701613363 cached len, 0 chain alloc,
0 chain free

Connections:
16518684 total, 4291951 TCP, 5608518 UDP, 6618214 ICMP,
1 other, 0 anticipated, 52506 recovered, 4165 concurrent,
31896 peak concurrent

Fragments:
2594 fragments, 1285 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
16726069/0 forw, 13343604/0 bckw, 781084759 tcpudp,
19463665 icmp, 16681581-15578721 alloc

G_W_Albrecht

Can you test more connections at once ? There is a limit on what one connection can grab ressource-wise...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy

Relevant to the discussion is the device datasheet: https://www.checkpoint.com/downloads/products/1500-security-gateway-datasheet.pdf

"Speed test" by what precise method(s)?
Please be as explicit as possible here.
I assume the 730 you refer to is megabits per second download.

Your claim is that you only have Firewall and User Awareness on, yet 90% of the packets are in PXL.
This indicates some other functionality being used (e.g. App Control/URL Filtering and/or Threat Prevention).
Worst case (Threat Prevention), the appliance is rated for 500mb/s, which exceeds your ISP bandwidth.
The datasheet numbers also assume multiple connections, not a single connection, as many speed tests do.

As such, what you're seeing is likely expected behavior.

Are you a member of CheckMates?

Re: Question about bandwidth usage