Henrik_J
Contributor

Performance Questions Quantum 9300 - SNMP Fast Accel & UDP: Check Point.

Hello all!

We migrated to a 9300 some time ago.

Unfortunately we have seen quite some performance issues compared to our old firewall.

I know RAD & UPPAK have general issues, but RAD has received a workaround (autodebug).
We also switched to KPPAK for (maybe) more performance, but overall much better stability.

We are continuously checking CPView for performance issues.

Today we saw that the firewall was overall loaded at 50 % with about 1.3 Gbit of throughput (which is quite extreme if you ask me).

I then noticed that in their ordered Application layer, the clean-up rule was defined with source Any and destination Any.
Changed this to destination Internet; this alleviated a lot of load on the FW and, from my understanding, is also best practice.
Did this since I saw a lot of Application Control was applied to internal traffic, maybe needlessly.

So at the moment the firewall is loaded at 28-50 % depending on spikes & load.

I do have two questions.

We have a few SNMP servers that send out MASSIVE quantities of SNMP queries, which we can see under CPView -> CPU -> Top Connections.

They can reach as high as a 10 %+ performance hit when they start.
I have tried adding these sessions to fw ctl fast_accel, but I don't seem to get a match at all.
Maybe I need to reset the connections or fail over to the other FW?
I suspect that it keeps all the SNMP sessions as active, to which it then applies the "old" way of doing it, with Application Control & URLF and without fast_accel.

Any input here?

Also, when checking CPView -> CPU -> Top Connections, I can see "UDP: Check Point" at 3 - 8 % total CPU consumption consistently.
Checking another firewall, it's barely at 0,01 % (barely shows up in top connections).
What can be done about this? Is this normal / expected?

I do believe 8 % of the total firewall performance going to "UDP: Check Point" sounds excessive, though.

Chris_Atkinson
Employee

What appliance model was used before, and which SNMP object is referenced in the policy, out of interest?

Please also share the version/JHF info for our context.


CCSM R77/R80/ELITE
Henrik_J
Contributor

They had a 23500 before.
I know it's a huge difference in CPU core count, but the 23500 was barely used (10-15 % ish max).
I assume they got it at a big discount.

The datasheets, besides the core count, are very similar except for Threat Prevention, where it's 11 -> 9 Gbps.
The 9300 is stronger in everything else if you are to believe the datasheet, though.

But we basically went from 10-15 % consumption to 50 %+, so something doesn't add up here at all.
I know you cannot "normally" compare datasheet to datasheet, especially between vendors.
But here it's the same vendor.

They are using the built-in service which has the protocol handler defined, namely snmp-read.

Maybe we could change that to a replacement service udp_161?
