This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-10-25 11:27 PM
Jump to solution

Cluster Full sync taking very long time R80.40 T161

Just wondering if anyone else has any thoughts on the subject..

We have a cluster of 28000 series running R80.40 T161 with IPS, APCL, URLF, AB, AV and HTTPS interception turned ON.

Yesterday we were forced to reboot standby member during day and observed that full sync took nearly half an hour which seemed quite excessive

Oct 25 09:55:42 2022 fw1 fwk: CLUS-120120-1: Fullsync started
Oct 25 10:20:21 2022 fw1 fwk: CLUS-120122-1: Fullsync completed successfully

Performance figures at that point:

  • total throughput ~15Gbps
  • internet ~4Gbps
  • HTTPS inspected ~2Gbps
  • Threat prevention applied to external traffic only
  • 600,000 concurrent connections
  • 10,000 new connections per second

It seemed that sync protocol was not able to keep up with new connection rate - we just saw from connections table size on the standby that it was growing very very slowly. An no obvious errors reported from cphaprob syncstat

It's a fairly new cluster and we are still in the "tuning" phase (new boxes and new functionality). So we disabled sync for DNS connections and delayed HTTP/S connection sync to 30secs. Which should help of course.

I just wanted to hear if anyone else is pushing high end appliances close to these numbers and have seen anything like that?

Has anyone noticed "performance" improvements after upgrading to R81.10 on gateways? I know management gets "faster" but gateways?

I realize that we are getting close to box MAX:

 

image.png

 

 

0 Kudos
1 Solution

Accepted Solutions
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-12-19 03:07 AM
In response to the_rock
Jump to solution

it's fixed in T1543 😄 

View solution in original post

(1)
10 Replies
_Val_
Admin
Admin
‎2022-10-26 02:51 AM
Jump to solution

600K connections is A LOT. I would look into an option to set up delayed sync for at least some of the trafffic.

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-10-26 04:10 AM
In response to _Val_
Jump to solution

If it was a FW blade only, it would not be that much. Especially when you look at the datasheet of 28000 🙂

 

image.png

_Val_
Admin
Admin
‎2022-10-26 11:58 AM
In response to Kaspars_Zibarts
Jump to solution

Full sync sends over all kernel tables for 600K connections. It is quite a chunk of data. 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-10-26 12:47 PM
In response to Kaspars_Zibarts
Jump to solution

I agree, thats way too much time. Personally, I would open TAC case to investigate more.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Alexander_Wilke
Advisor
‎2022-12-16 06:44 AM
Jump to solution

~400.000 concuirrent connections, 

~6.000 new conns per sec

162000 appliance

r80.40 take 156

only Firewall Blade

 

Nov 2 09:51:34 2022 xxxxx fwk: CLUS-120120-1: Fullsync started
Nov 2 09:52:04 2022 xxxxx fwk: CLUS-120122-1: Fullsync completed successfully

 

You have many blades and perhaps much more to sync than a firewall only GW.
however it should not take so long.

check MTU size on both sync interfaces to match.

open a ticket.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-12-16 07:16 AM
Jump to solution

Sounds like an unhealthy or overloaded sync network, for both members can you post the output of cphaprob syncstat, along with fw ctl pstat in case the firewalls are experiencing other memory issues.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-12-16 07:44 AM
In response to Timothy_Hall
Jump to solution

Sorry, Elvis has left the building.. I'm not longer with the company and can't get any logs. But I'm 101% sure that sync network was intact. It's a black fiber between DCs approx 1km apart running mearly 100Mbps from 1Gbps available from memory

the_rock
MVP Diamond
MVP Diamond
‎2022-12-16 08:32 AM
In response to Kaspars_Zibarts
Jump to solution

But come on, now that you work for CP, thats more pressure to fix the issue ; - )

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-12-19 03:07 AM
In response to the_rock
Jump to solution

it's fixed in T1543 😄 

(1)
the_rock
MVP Diamond
MVP Diamond
‎2022-12-19 03:08 AM
In response to Kaspars_Zibarts
Jump to solution

🤣🤣🤣

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events