ChungNguyen
Participant

GW causes high CPU on all cores


Hi everyone, I have noticed that uploading some kinds of files from the inside network and VPN to the local network using SMB file sharing causes the appliance CPU to reach 50~60% during the file transfer.

I tried disabling IPS, AV and Anti-Bot, but it doesn't work.

Thanks for your help.


1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion

Hi @ChungNguyen   

It is normal for a user mode firewall (before there was only a kernel mode firewall without this process) that the process fwk1_dev_0 has a high CPU load, also over 100%. My guess as to the purpose of fwk1_dev_0 is that it acts as the liaison between the multiple fwk firewall worker processes (fw instance threads that take care of the packet processing), the single fwmod kernel driver instance and the process for the high priority cluster thread.

$$\mathrm{fwk1\_dev\_0} = \sum_{x=0}^{\mathrm{max\_CoreXL\_number}} \mathrm{fwk0\_}x \;+\; \sum_{x=0}^{\mathrm{max\_CoreXL\_number}} \mathrm{fwk0\_dev\_}x \;+\; \mathrm{fwk0\_kissd} \;+\; \mathrm{fwk0\_hp}$$

Read more here: R80.x - Performance Tuning Tip – User Mode Firewall vs. Kernel Mode Firewall

Here is what I would do:

1) Enable AES-NI in the BIOS on open servers (it should already be enabled on CP appliances).
     More here: R8x - Performance Tuning Tip - AES-NI, R8x - Performance Tuning Tip - BIOS

2) Use the VPN encryption algorithms AES-128 or AES-256. They are directly supported by AES-NI on the processor.
    The SHA-256 or SHA-384 settings are not important because they are only used for a short time when negotiating the VPN (vpnd daemon).

3) If you have an elephant flow, it becomes difficult. In this case, I would check that priority queuing is enabled so that the
    remaining connections are distributed more fairly.
    Read more here: R8x - Performance Tuning Tip - Elephant Flows (Heavy Connections).

4) With R80.30 you should also check whether a 2.6 kernel or a 3.10 kernel is installed. The 3.10 kernel works much more efficiently.


(1)
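A small check script for the tips in the accepted solution above (and for the top/free/ps question later in the thread). It is an added example, not code from the post, from Check Point or from the linked tuning articles. It assumes that the thread names used in the formula (fwk0_x, fwk0_dev_x, fwk0_kissd, fwk0_hp) appear in the COMMAND column of `ps -eLo pcpu,comm`, that AES-NI shows up as the `aes` flag in /proc/cpuinfo, and that `uname -r` reports the kernel version; the sample `ps` output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): three quick checks on a
# Gaia/Linux gateway shell for the tips above. Run with --live to check the
# box itself; without arguments it runs on a constructed sample so the logic
# can be exercised offline.

# Tip 1: is AES-NI exposed to the OS? Reads cpuinfo text on stdin and looks
# for the "aes" CPU flag. Returns 0 (true) when found.
has_aesni() {
    grep -q -w 'aes'
}

# Tip 4: report the kernel's major.minor (e.g. "2.6" or "3.10") from a
# `uname -r` string.
kernel_major_minor() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# fwk1_dev_0 formula: add up the per-thread CPU of the worker threads (fwk0_x),
# the device threads (fwk0_dev_x), fwk0_kissd and fwk0_hp from
# `ps -eLo pcpu,comm`-style text on stdin. Thread naming is assumed from the
# formula in the post; the total is what the formula says fwk1_dev_0 reflects.
sum_fwk_cpu() {
    awk '
        $2 ~ /^fwk[0-9]+_[0-9]+$/     { worker += $1 }
        $2 ~ /^fwk[0-9]+_dev_[0-9]+$/ { dev    += $1 }
        $2 == "fwk0_kissd"            { kissd  += $1 }
        $2 == "fwk0_hp"               { hp     += $1 }
        END {
            printf "workers=%.1f dev=%.1f kissd=%.1f hp=%.1f total=%.1f\n",
                   worker, dev, kissd, hp, worker + dev + kissd + hp
        }'
}

# Constructed sample of `ps -eLo pcpu,comm` output (not from a real gateway).
SAMPLE_PS='%CPU COMMAND
 45.0 fwk0_0
 38.5 fwk0_1
 12.0 fwk0_dev_0
  3.5 fwk0_kissd
  1.0 fwk0_hp
  0.5 cpd'

if [ "${1:-}" = "--live" ]; then
    # Live run on the gateway.
    if has_aesni < /proc/cpuinfo; then
        echo "AES-NI: present"
    else
        echo "AES-NI: missing (check BIOS / CPU model)"
    fi
    echo "kernel: $(kernel_major_minor "$(uname -r)")"
    ps -eLo pcpu,comm | sum_fwk_cpu
else
    # Offline run on the constructed sample.
    printf '%s\n' "$SAMPLE_PS" | sum_fwk_cpu
fi
```

On the sample the workers account for 83.5% and the device thread for 12%, which is the kind of split the formula predicts: the fwk1_dev_0 figure in top is an aggregate of these threads, so a high number there is expected while the per-thread view shows where the load actually sits.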
19 Replies
_Val_
Admin

What kind of VPN? Remote Access, Site to Site? IPSec, SSL?

0 Kudos
ChungNguyen
Participant

I use VPN Remote Access, IPsec and SSL.


0 Kudos
Chris_Atkinson
Employee

Which appliance model and software version?

0 Kudos
ChungNguyen
Participant

I use a Check Point Appliance 5600 and software version R80.30 hotfix 241.

0 Kudos
_Val_
Admin

Just for your information. 

We usually use SMB to refer to Spark gateways, not Enterprise GWs as in your case. As a result, the post was classified in the wrong category. I have changed the title and moved it to the correct space now.

0 Kudos
Chris_Atkinson
Employee

If your clients are using Visitor mode, R80.40 JHF and above has some enhancements in this regard; refer to sk168297.

0 Kudos
the_rock
Champion

If you run top, free -m, ps -auxw commands...does it show any specific process consuming high CPU when performing those operations?

Andy

0 Kudos
ChungNguyen
Participant

I tried top in the CLI and I see fwk1_dev_0 with high CPU. [Attached screenshots: top_H_1012022.png, TOP_1012022.png]

[Attached screenshot: free_2012022.png]

0 Kudos
Chris_Atkinson
Employee

Which encryption algorithms are used, are you using those that are AES-NI friendly?

Please refer: sk98950 - Slow traffic speed (high latency) when transferring files over VPN tunnel with 3DES encryp...

0 Kudos
ChungNguyen
Participant

I'm sorry, I'm not sure if it's this?

[Attached screenshots: Encrytion_Phase1_checkpoint.png, Encrytion_Phase2_checkpoint.png]

0 Kudos
the_rock
Champion

I literally had 1 customer ask me if they should change those in 15 years...no one ever touches them, if ever...

You may want to consider upgrading to R80.40 based on the article below:

https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-User-Mode-Firewall-v...

ChungNguyen
Participant

Thanks for the support.

I will consider it.

0 Kudos
the_rock
Champion

No worries. If you don't wish to upgrade, that's fine, but please read that link... it's super helpful and I believe it would benefit you in this situation by running those commands.

Andy

0 Kudos
Chris_Atkinson
Employee

With respect I disagree, 3DES / DES should be avoided for security and performance reasons.

Further to the SK posted above, refer also: sk73980 - Relative speeds of algorithms for IPSec and SSL


the_rock
Champion

For security yes, but as far as performance goes, I have never experienced it myself or with any customers, ever. Just my own experience. Besides, that screenshot @ChungNguyen posted is for supported encryption methods in global properties; it does not necessarily mean he is using DES or 3DES in the VPN community at all. But I do agree with you, I would certainly avoid DES/3DES, for sure.

0 Kudos
Timothy_Hall
Champion

Agree with Chris here: disable 3DES and DES immediately in favor of AES-128 or AES-256. It will definitely improve performance, and may do so drastically if the AES-NI feature set is present on the firewall's processor architecture.

"Max Capture: Know Your Packets" Self-Guided Video Series
available at http://www.maxpowerfirewalls.com
0 Kudos
ChungNguyen
Participant

Hi @HeikoAnkenbrand 

I have worked with 3 TACs, but they say my system works without problems; due to current hardware requirements it does not meet the requirements, and I now need to upgrade the hardware.

But I will try your tip.

Thanks for support

0 Kudos
genisis__
Advisor

Is this a large file transfer? If so, it may be an elephant flow issue, which generally locks up a core.

0 Kudos