Dear All,
Just wanted to check if there is any workaround to check the bandwidth consumed/consuming for a particular host machine.
Customer's Internet bandwidth was choked due to "few hosts to some destination IP" consuming high.
From SmartMonitor we can see only the Source or the Destination which is consuming.
But we need to check "Which Source against Which Destination" consumed/is consuming more bandwidth.
Just like in Cisco command: --ip flow top-talkers
CISCO-ASA#sh ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Gi0/1 172.215.114.126 Gi0/0 202.100.109.236 06 0050 BBEB 19M
Gi0/1 123.175.213.143 Gi0/0 202.100.109.236 06 0050 3891 16M
In the above we could see 2 Sources against 2 Destinations with "Bytes" consumed.
By any chance can we see something like this in CheckPoint??
Regards, Prabulingam.N
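The source-against-destination view asked for in the post above, as an added example that is not part of the original thread: it parses output laid out like the quoted `sh ip flow top-talkers` table and sums bytes per source/destination pair. The first two sample rows are the ones in the post and the other two are constructed; reading the `Pr`, `SrcP` and `DstP` columns as hexadecimal and the `K`/`M`/`G` suffixes as decimal multipliers are assumptions.

```python
import re
from collections import defaultdict

# Sample input: rows 1-2 are quoted from the post, rows 3-4 are constructed.
SAMPLE = """\
CISCO-ASA#sh ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Gi0/1 172.215.114.126 Gi0/0 202.100.109.236 06 0050 BBEB 19M
Gi0/1 123.175.213.143 Gi0/0 202.100.109.236 06 0050 3891 16M
Gi0/1 172.215.114.126 Gi0/0 202.100.109.236 06 01BB C001 7M
Gi0/1 123.175.213.143 Gi0/0 202.100.109.240 11 0035 D2F0 512K
"""

# Assumption: suffixes are decimal multipliers (the display is rounded anyway).
UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_bytes(text):
    """Convert a byte counter such as '19M' or '512K' to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"unrecognised byte counter: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_flows(output):
    """Return one dict per flow row; prompt, header and malformed rows are skipped."""
    flows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue
        try:
            flows.append({"src": f[1], "dst": f[3],
                          "proto": int(f[4], 16),   # 06 = TCP, 11 = UDP
                          "sport": int(f[5], 16), "dport": int(f[6], 16),
                          "bytes": parse_bytes(f[7])})
        except ValueError:
            continue  # not a flow row
    return flows

def top_pairs(flows, n=10):
    """Sum bytes per (source, destination) pair, largest first."""
    totals = defaultdict(int)
    for fl in flows:
        totals[(fl["src"], fl["dst"])] += fl["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for (src, dst), total in top_pairs(parse_flows(SAMPLE)):
        print(f"{src:>15} -> {dst:<15} {total:>12,d} bytes")
```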
In computer networking, an elephant flow (heavy connection) is an extremely large (in total bytes) continuous flow set up by TCP or another protocol, measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. It has been observed that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows).
All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type.
What typically produces heavy connections:
Evaluation of heavy connections (elephant flows)
A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is a SK105762 to activate "Firewall Priority Queues". This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes.
Heavy connection flow system definition on Check Point gateways:
Enable the monitoring of heavy connections.
To enable the monitoring of heavy connections that consume high CPU resources:
# fw ctl multik prioq 1
# reboot
Found heavy connection on the gateway with „print_heavy connections“
On the system itself, heavy connection data is accessible using the command:
# fw ctl multik print_heavy_conn
Found heavy connection on the gateway with cpview
# cpview CPU > Top-Connection > InstancesX
Read more here:
R80.x - Performance Tuning Tip - Elephant Flows (Heavy Connections)
Use CPView on the Gateway
Can pull details such as Top Connections which will show by Bandwidth the largest connections.
Dear mdjmcnally,
But Top Connections are not always proportional to the Bandwidth.
Hence with CPView it will be tough to get the required info.
I hope any of CheckMates who faced this query from customer can give suggestions.
Regards, Prabulingam.N
Hello,
I would highly recommend Craig Dods' Top Talkers script that can be found here:
http://expert-mode.blogspot.com/2013/05/checkpoint-top-talkers-script-display.html
It should achieve what you are looking for but do let us know if that is not the case.
I hope this helps.
Hello Nick.
Thanks for this script. Let me try and find if any we can see regarding the Bandwidth.
Regards, Prabulingam.N
Great then, I will wait for that.
Regards, Prabulingam.N
Is there an SK or something that we could use now instead of waiting for a CPX event?
Hello Heiko,
Thanks much for detailed information and I will try this.
But still this also lists in form of CPU% & Connections only, no info related to "how much Bytes consumed".
I will also try Nick's script as well.
Regards, Prabulingam.N
Top connections by throughput (Network -> Top-Connections)
This isn't done by CPU consumed but by Throughput.
Don't confuse with
Top connections by CPU (I/S -> CPU -> Top-Connections)
Which will show by CPU
So the "accepted solution" is only per CPU, right? Seems like there should be a way to see the top connections/talkers overall, rather than per CPU.