Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
SarmChanatip
Participant

Allocating a CPU Core for Heavy Logging

Hi Experts!

 

I am having an issue, as shown in the screenshot below, where the "FWD" daemon frequently causes CPU spikes. 

2022-12-03_225009.jpg

 

The command "fw ctl affinility" indicates that only CPU 47 is dedicated to the fwd daemon when executed. 

mpdaemon lpd rad rtmd wsdnsd in.asessiond cprid vpnd core_uploader usrchkd in.acapd in.ahclientd cprid cpd
CPU 47:fwd

The gateway version is running on R81.

My question is, can I assign two or more CPU cores to the fwd daemon?

 

I really appreciate all the comments.

 

Regards,

Sarm

 

 
0 Kudos
5 Replies
PhoneBoy
Admin
Admin

This is what the MDPS feature does (among other things).
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

R81.10 should have better log performance also.

0 Kudos
SarmChanatip
Participant

Hi PhoyBoy

Thanks for the comment. 

I do not want to distinguish the routing of mgmt/data, I actually would like to know if two or more CPU cores are able to be assigned to fwd process, I found the below document but did not see any mention of affine the fwd daemon with two or more CPU cores.

 

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_PerformanceTuning_AdminGuide/Topic...

0 Kudos
Tomer_Noy
Employee
Employee

Currently, fwd log processing does not leverage multiple cores, so there is no benefit to allocate more than 1 core to it.

I agree that R81.10 with latest JHF might help. Also, it's worth checking your log rate on the gateway to see if it's indeed very high to cause high CPU load on fwd (it could be other things running on fwd as well). If the log rate is very high, it's worth checking for a very "noisy" rule, such as logging all DNS requests and you might want to change the policy to avoid logging those (if it's acceptable to your regulation).

A "sneak peak" into R82: we're in very advanced stages of a project called "fwd scaleout" which will allow running multiple fwd log workers to handle much higher log rates. 

SarmChanatip
Participant

Hi Tomer_Noy,

Thank you for replying.

You meant that fwd log processing cannot currently use multi-cores or allocate more than 1 core to it, right?
even though we run on R81.10 or R81.20, correct?

How can you tell if the log rate is extremely high? We have fine-tuned the unwanted rule logging in relation to the noisy rule.

Regards,

Sarm

 

0 Kudos
Timothy_Hall
Champion
Champion

It sounds like you could allocate more than one core to fwd, but it wouldn't do any good and would be in essence wasting a core.  See this sk to investigate log rates:

sk120341: How to monitor the Log Receive Rate on Management Server / Log Server R80 and above

 

IPS/AV/ABOT Immersion & Max Capture: Know your Packets
Self-Guided Video Series available at www.maxpowerfirewalls.com
0 Kudos