I don’t want to enable User mode just for the sake of it. My intention is to follow the recommendation, especially since the CPU occasionally reaches 100%.

Currently, the connection stats show: Accelerated conns/Total conns: 226/59,929 (0%). I’m not sure if enabling User mode would improve this!

Hi @Moudar 

Yo are facing with performance issues. all CPUs reach the 100%? Or sometimes. What does the spike detector in cpview say?

You need to call the “Super Seven” Commands for help.

#fwaccel stat
#fwaccel stats -s
#grep -c ^processor /proc/cpuinfo
#fw ctl affinity -l -r
#netstat -ni
#fw ctl multik stat
#cpstat os -f multi_cpu -o 1

Esepecially the first one. My idea is that the acceleration is not working properly.

What do you see under Accept Templates - > Security disables template offloads from rule #XX

Akos

In my personal opinion, with 8 cores on the appliance, moving to USFW mode will not give you any advantages. The only reason to switch would be about TLS Inspection. You cannot do TLS 1.3 and QUIC without USFW on

Note USFW and UPPAK are not the same things, the later is SecureXL terminology not CoreXL and applies to Quantum Force appliances.

THX, I changed the UPPAK to USFW. 

When I run the command fwaccel templates -R i get this:

fwaccel templates -R

Matched connections not allowed to use templates:
% Prevention : 0.482%

Reason                                  Count      Reason Prevented From Matched %

Non-Syn/Empty First Packet              |478496    |0.374     %
Src/dst IP Blacklisted                  |137822    |0.108     %
--------------------

Connections failed to create templates:
% Fail to Create : 39.533%

Reason                                  Count      Reason Fail To Create %

Multicast Conn                          |558836    |0.246     %
NON TCP/UDP PROTO                       |3701462   |1.628     %
Conn Not Accelerated                    |7439049   |3.271     %
NAT Disallowed Conn                     |77340198  |34.010    %
DHCP Check Feature Isn't Supported Or Disabled|36        |0.000     %
General Error                           |545518    |0.240     %
Malicious Destination IP Detected       |66431     |0.029     %
Prevented By Policy Rules               |249288    |0.110     %

What could be causing NAT to block or disallow connections?

What does #fwaccel stat say?

that information is covered at the beginning of the post. Please take a look there!

Indeed, sorry. 

As I see you opened a thread with almost the same topic.

https://community.checkpoint.com/t5/Security-Gateways/nat-disallows/m-p/228235#M43999

Before you tried to understand it. Some housekeeping steps may could help 🙂

• if you do a failover the issue persists?
  • I know the policy is the same but have a try
• how much is the uptime? 
  
  • it should be 60-90 days
• this behaviour was earlier too? Before take 84?

However what about the TAC? 

akos

I’m aware of my old posts😃, but the question here is specifically about User mode versus Kernel mode. I have a feeling that transitioning from Kernel mode to User mode might be a potential solution. but maybe not

As _Val_ told that, this would not be the solution, but up to you. If the performance getting worse you could revert.

And how much is the trougput overall on the GW member?

Akos

Did you run that command on the standby member of a cluster or the active?  That looks like the standby.  If not I would assume that means that NAT templates are not forming for some reason and forcing a full NAT rulebase lookup in the slowpath, even though it looks like NAT templates are fully enabled.  R&D will probably have to comment ( @PhoneBoy ), also see here:

(nat disallows)

This is from the active gateway, which has been active for 16 days.

According to @CheckMatesAI, the reasons won't NAT Template include the following:

1. NAT Templates are Disabled: If NAT templates are not enabled, NATed traffic cannot be templated. Refer to sk71200 for more details.

2. VPN Traffic: VPN traffic cannot be templated.

3. Complex Connections: Connections involving complex protocols such as FTP, H323, SQL, etc., cannot be templated.

4. Non-TCP/Non-UDP/ICMP Traffic: Traffic that is not TCP, UDP, or ICMP cannot be templated.

5. Specific Rules in the Rule Base:

   • Rules with service 'Any' (resolved from R75.40).
   • Rules with a service that has a 'handler'. When the chosen service has a protocol type defined, instead of 'None', it might have a handler configured on it. This setting can be changed only in SmartDashboard R7X and lower. For R80.XX, changes can only be done by cloning the service.

6. Network Quota: When the SmartDefense/IPS protection "Network Quota" is enabled, SecureXL Accept Templates/NAT Templates/Drop Templates are automatically disabled. Refer to sk31630 for more details.

7. Overlapping NAT: Overlapping NAT does not support any form of acceleration on any platform, including SecureXL or IPSO Flows. Refer to sk44091 for more details.

8. Point-to-Point Interfaces: SecureXL does not support Point-to-Point interfaces (PPP, PPTP, PPPoE). If a PPP-interface is detected, SecureXL disables itself on that interface. Refer to sk79880 for more details.

9. Global DHCP Services: Using global DHCP services in the policy disables SecureXL Accept Templates. Use local 'dhcp' related services in the domain's rulebase to avoid this behavior. Refer to sk162544 for more details.

That said, we probably already covered all that, so I also asked @CheckMatesAI  how to debug NAT templates.
It suggested the following commands:

fwaccel dbg resetall
fwaccel dbg -m general + nat
fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + conn packet nat xlate xltrc
fw ctl kdebug -T -f > /var/log/kernel_debug.txt

To turn off:

fw ctl debug 0
fwaccel dbg resetall

Hopefully that will help track it down.