This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Hall
Legend Legend
Legend
‎2023-06-19 07:09 AM
Jump to solution

Extend fw ctl multik print_heavy_conn beyond 24 hours?

By default the command fw ctl multik print_heavy_conn will show all current and past elephant/heavy flows that were detected on the security gateway in the last 24 hours.  Questions:

1) Is there any way to tweak the 24 hours to some longer value?

2) Any way to keep some kind of historical log file of these elephant flows, even if it is just some kind of simple text file log on the gateway?

Thanks!

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
1 Solution

Accepted Solutions
AmitShmuel
Employee
Employee
‎2023-06-19 11:08 AM
Jump to solution

Hi,

Starting R81 JHF T42 and R80.40 JHF T150, the CPU Spike Detective tool will run the print_heavy_conn command upon detecting a FW worker causing a CPU spike.

The output will be saved in /var/log/spike_detective/data_spike_thread_<Thread_ID>_<Date>_<Time>/heavy_conns_<Instance_ID>.log

It will also save the top connections by running the top_conns tool.

See sk166454.

Thanks,
Amit

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-06-19 10:33 AM
Jump to solution

@Chen_Muchtar any idea?

0 Kudos
AmitShmuel
Employee
Employee
‎2023-06-19 11:08 AM
Jump to solution

Hi,

Starting R81 JHF T42 and R80.40 JHF T150, the CPU Spike Detective tool will run the print_heavy_conn command upon detecting a FW worker causing a CPU spike.

The output will be saved in /var/log/spike_detective/data_spike_thread_<Thread_ID>_<Date>_<Time>/heavy_conns_<Instance_ID>.log

It will also save the top connections by running the top_conns tool.

See sk166454.

Thanks,
Amit

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-06-19 12:17 PM
In response to AmitShmuel
Jump to solution

Recently in my Gateway Performance Optimization class someone asked me why the spike detective doesn't log what connections were present at the time of spike, as it just logging that a worker USFW instance process got spiked was not particularly helpful.  Best answer I could give at the time was to check for spikes daily and run a print_heavy_conn within 24 hours of a logged spike.  This change will help a lot, thanks!

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events