This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HristoGrigorov
Mentor
Mentor
‎2020-06-16 03:54 AM
Jump to solution

High CPU use on SND cores and Aggressive Aging

How do you understand sk167358 ? Does it say that one SGs with majority of traffic accelerated through SecureXL, Aggressive Aging may actually impact performance in negative way because of constant timeout calculations ?

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2020-06-16 11:34 AM
In response to Kaspars_Zibarts
Jump to solution

 

sk35990:

Aggressive Aging is activated in IPS profile, or new connections may be dropped for the reason that the Connections Table is full when a given CoreXL Firewall instance has far fewer connection entries than the Connections Table limit, or the 80% threshold to activate Aggressive Aging as seen in the output of 'fw ctl multik stat' command. It is enabled by default in R80.10 and above.

sk167358:

High (90% to 100%) CPU use on SND cores after a Security Gateway upgrade from R77.x to R80.x (with the same load and same configurations). The protection impacts SecureXL performance because it works in FW and requires SecureXL to calculate timeouts per packet and to update the FW instance every few packets. This may result in an added load on the system.

We can choose between CPU and connection tabel dead😀.

I had some problems with AA in the past. I also observed that with heavy AA usage the CPU loaded is approximately 10% higher.  I this cases I usually turn it off.

It would be nice if there would be a SK that describes which mode (AA on/off) would be better in which situation.

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

2 Replies
Kaspars_Zibarts
Employee Employee
Employee
‎2020-06-16 10:46 AM
Jump to solution

I'm not able to comment on SK but in real life we saw some really odd problems whilst AA was on. For example we had some RDP running over HTTPS and that simply stopped working and as soon as AA was resolved, it started working again

HeikoAnkenbrand
Champion Champion
Champion
‎2020-06-16 11:34 AM
In response to Kaspars_Zibarts
Jump to solution

 

sk35990:

Aggressive Aging is activated in IPS profile, or new connections may be dropped for the reason that the Connections Table is full when a given CoreXL Firewall instance has far fewer connection entries than the Connections Table limit, or the 80% threshold to activate Aggressive Aging as seen in the output of 'fw ctl multik stat' command. It is enabled by default in R80.10 and above.

sk167358:

High (90% to 100%) CPU use on SND cores after a Security Gateway upgrade from R77.x to R80.x (with the same load and same configurations). The protection impacts SecureXL performance because it works in FW and requires SecureXL to calculate timeouts per packet and to update the FW instance every few packets. This may result in an added load on the system.

We can choose between CPU and connection tabel dead😀.

I had some problems with AA in the past. I also observed that with heavy AA usage the CPU loaded is approximately 10% higher.  I this cases I usually turn it off.

It would be nice if there would be a SK that describes which mode (AA on/off) would be better in which situation.

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top