Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

S7PAC - Super Seven Performance Assessment Commands

RickHoppe
Advisor

Did you watch the excellent TechTalk 'Security Gateway Performance Optimization with Timothy Hall'?

Link to the video: https://community.checkpoint.com/videos/7987

Link to the slides: https://community.checkpoint.com//docs/DOC-3169

 

The presentation ended with: "As Check Point administrators, you should always quickly run the “Super Seven” commands whenever you access a firewall to check performance"

 

So I've created a simple script that executes all super seven perfor

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




(1)
22 Replies

JozkoMrkvicka
Mentor
Mentor

Regarding RX/TX errors, output of the command "netstat -ni" can be modified to show only interfaces if RX/TX errors > 0 .

The same logic for SecureXL.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


RickHoppe
Advisor

That should be possible indeed. Unfortunately I'm not a scripting guru so I did not add intelligence to the script. If you have tips how to achieve this with the output of netstat -ni that will be really appreciated.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Ofir_Shikolski
Employee
Employee

Amazing one.

one question - why not using cpview? it contains all steps and even more Smiley Happy

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

RickHoppe
Advisor

Thanks.


While the CPView Utility can show you a lot of information while you browse through the various menus, this script merely focusses on the interesting stuff for SecureXL and CoreXL in just one “click” and especially when you need to check the performance of the firewall.

I’d recommend to use the various scripts out there like ccchealthcheck  and hopefully max  soon too.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Ofir_Shikolski
Employee
Employee

try to add it to command5:

detect_rx_drops() {
(renice -20 $BASHPID > /dev/null 2>&1
for DEV in `ifconfig | grep -ie "^eth" | tr ":" " " | awk '{ print $1 }' | sed -e 's/^[ \t]*//' | sed '/^$/d'`
do
R1=`netstat -ni |grep -w "$DEV"| grep -v "lo" |awk '{ print $6 }' | tail -1 | grep -v "RX-DRP" | sed -e 's/^[ \t]*//' | sed '/^$/d'`
sleep 0.5
R2=`netstat -ni |grep -w "$DEV"| grep -v "lo" |awk '{ print $6 }' | tail -1 | grep -v "RX-DRP" | sed -e 's/^[ \t]*//' | sed '/^$/d'`
RXPPS=`expr $R2

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


RickHoppe
Advisor

Thanks! I will integrate it in the next version.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


RickHoppe
Advisor

Version 0.3 released and updated with RX-DRP check. Thanks again!

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Ofir_Shikolski
Employee
Employee

Thanks Smiley Happy 

Do you think that it also be good to add these 2 commands only for R80.20?

R80.20 - new interesting commands 

# fw ctl multik utilize   > shows the CoreXL queue utilization for each CoreXL FW instance

#  fw ctl multik print_heavy_conn   > shows the table with heavy connections

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

RickHoppe
Advisor

Currently thinking about it how to integrate those new commands in a script that was originally based on a presentation with 7 commands :-).

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Susana_Perez-He
Explorer

Thanks Rick, Tim, all for this thread, it's being very helpful for me right now! 😊

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


RickHoppe
Advisor

s7pac has been updated to version 0.4 with references to the third editon of Max Power 2020: Check Point Firewall Performance Optimization when running this script on R80.30. 

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Andreas_Zentsch
Contributor
Contributor

Hi Rick, there is an error in your script. The dropped packets under ifconfig or netstat -ni are increasing because the linux received pakets which can not be used liek spanning tree or other broadcasts. Thats why they are bein dropped. If you want to see buffer issues you can only use the command ethtool -S. If that states 0 everything is ok. Please check also this article: https://access.redhat.com/solutions/504293 for further details. 

So this result in your script is wrong: interfac

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

RickHoppe
Advisor

Hi Andreas, what exactly do you mean? Do you believe the calculation is wrong in my script or the use of the command netstat -ni? One of the performance goals is to have a RX-RDP rate <0.1% on all interfaces. The goal is not 0.

The netstat -ni command is one of the Super Seven Performance Assessment Commands as described by  @Timothy_Hall in various presentations and his books. My script refer to his books where you can find more information about the commands and results that are g

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Timothy_Hall
Champion
Champion

Hi Rick,

What I believe Andreas means is that not all RX-DRPs are frames discarded due to a lack of ring buffer space.  This changed substantially in Gaia 3.10 when the NIC drivers were updated.  In the past an RX-DRP was almost always a "rx_missed_errors" (or possibly rx_fifo_errors rx_no_buffer_count) as shown by ethtool -S, which indicates a ring buffer slot was not available and the frame was lost.  However in Gaia 3.10 if a frame arrives with an EtherType that has no "registered r

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

RickHoppe
Advisor

Hi Tim,

Thanks for the explanation. I will add the rx_missed_errors/rx_fifo_errors/rx_no_buffer_count counters to the script and they will be shown for each interface regardless of whether RX-DRP percentage is >0.1% or not. The user will also be informed now that this is only calculated for each interface over the past 0.5 seconds. So it will still calculate using netstat -ni but additionaly shows these counters too for further investigation.

Thanks  @Andreas_Zentsch for the tip.

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

RickHoppe
Advisor

Version 0.5 has now been released containing the rx_missed_errors/rx_fifo_errors/rx_no_buffer_count counters from ethtool -S.

 
;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Andreas_Zentsch
Contributor
Contributor

Hi Rick,

sorry but there are still problems with your script.

Your script requests the variables: RXDRP1, RXDRP2 and RXOK. Then you still do the calculation: if [ "$RXDRP2" -gt "$RXDRP1" ]. Which is not correct as mentioned above. This needs to be removed completly for current versions. 

Instead you only need to caclulate with "ethtool -S". But this works only for the interface not for VLANs. So you need to fix the loop as follow first:

detect_rx_drops() {
(renice -20 $BASHPID > /d

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

RickHoppe
Advisor

Hi Andreas,

This script was originally based on just seven commands. Of course, there are many more useful commands and I do appreciate your suggestions to add extra commands. But that is really beyond the scope of s7pac. My intention with s7pac was to run those seven commands and refer to specific parts of the books Tim wrote, so you can continue investigation from there.

This could be a starting point for a new script but there is also Check Point's own healthcheck script. That on

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Andreas_Zentsch
Contributor
Contributor

Hi Rick,

alright, thank you for your reply. I dont know the health script you are refering too. Do you know the name? 

Thank you,

Andreas

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Timothy_Hall
Champion
Champion


Andreas_Zentsch
Contributor
Contributor

Thank you, much better explanation as i did. 🙂 Thanks for that. I tried your approach and started a tcpdump and you are right the drops dissapeared. Too bad we can not find out which packets have been dropped since this would make it easier for people to see that they might have been a layer 2 problem on the network when their counter is simply too high. 

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

the_rock
Legend
Legend

Truly fantastic presentation and post, wow! Thanks very much to everyone.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos