This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-02-16 04:15 AM
Jump to solution

Most traffic taking PXL (medium) path, resulting in high CPU

OK, I'm giving up as I can't understand why would most traffic be pushed via medium path in one of our perimeter GWs.

Setup: GW running R80.40 T139, blades enabled: fw urlf appi ips identityServer.

The only TP blade we have is IPS. Yet running ips off command makes no difference at all. Whilst fw amw unload restores expected state with most traffic being accelerated.

This does not really make sense as AMW unload should only affect TP blades except IPS. But they are not even enabled!

Here are two screenshots: before and after AMW unload:

image.png

image.png 

 

 

When I look at actual connections - it's pretty much everything, even internal network to DNS is being sent to PXL.

I tried adding explicit TP policy to exclude all internal networks:

image.png

 

But still no joy.

What am I missing?? 🙂 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2022-02-16 06:35 AM
Jump to solution

Throughput acceleration (pkts) is unaffected by the state of AMW, for you it is the Accept templating rate that is being impacted (conns) as well as causing some traffic to go Medium Path.  Keep in mind that connections can migrate between different paths and be counted more than once, which is why Accelerated pkts/PXL/CPAS/F2F add up to more than 100%.  Let's focus on the templating rate.

ips off only affects new connections, so you can't expect the acceleration percentage to dramatically change immediately.  Try actually unchecking the IPS blade (and ensuring all other TP blades are unchecked) then reinstall the Threat Prevention policy, then reinstall the Access Control policy in a separate operation.  Wait about 30 minutes for most existing connections to decay, how does it look then? 

Usually Anti-bot is responsible for dramatically reducing connection templating rates (I even call this blade the "slayer" of templates in one of my books) and I'm wondering if there are still some Anti-bot hooks involved even when only IPS is enabled.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

5 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2022-02-16 06:35 AM
Jump to solution

Throughput acceleration (pkts) is unaffected by the state of AMW, for you it is the Accept templating rate that is being impacted (conns) as well as causing some traffic to go Medium Path.  Keep in mind that connections can migrate between different paths and be counted more than once, which is why Accelerated pkts/PXL/CPAS/F2F add up to more than 100%.  Let's focus on the templating rate.

ips off only affects new connections, so you can't expect the acceleration percentage to dramatically change immediately.  Try actually unchecking the IPS blade (and ensuring all other TP blades are unchecked) then reinstall the Threat Prevention policy, then reinstall the Access Control policy in a separate operation.  Wait about 30 minutes for most existing connections to decay, how does it look then? 

Usually Anti-bot is responsible for dramatically reducing connection templating rates (I even call this blade the "slayer" of templates in one of my books) and I'm wondering if there are still some Anti-bot hooks involved even when only IPS is enabled.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-02-16 07:36 AM
In response to Timothy_Hall
Jump to solution

i actually run ips off -n which deletes templates, my understanding was that it would help to see effects faster. But lets try with IPS unchecked!

Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-02-16 09:51 AM
In response to Timothy_Hall
Jump to solution

Great! Inactivating IPS indeed fixed it too! Ok, job in hand to tweak IPS and maybe get more cores to this VS! Thanks heaps @Timothy_Hall  

Timothy_Hall
MVP Gold
MVP Gold
‎2022-02-17 05:09 AM
In response to Kaspars_Zibarts
Jump to solution

Yeah it is surprising how often IPS is the culprit in cases like this, but 90% of effective troubleshooting is knowing the right place to look...

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-02-17 06:11 AM
In response to Timothy_Hall
Jump to solution

Indeed!

image.png

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events