Pantsu
Contributor

checkpoint web filtering works too slow

Hello,

I have URL filtering with proxy.
It has been working very slowly for 2 days (web sites are opening very slowly) and CPU on the Check Point has increased.
I discovered this error log, shown below. Could it be the cause of this problem?


[ERROR]: uc_log_suppression_set_entry: Failed storing log data in log suppression table!



 

0 Kudos
15 Replies
G_W_Albrecht
Legend

For this error message, sk162639 suggests the following:

Contact Check Point Support for assistance with this issue.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

What is the hardware of your gateway?
Are you using a separate management server or is this a standalone install?
0 Kudos
Pantsu
Contributor

Hardware: 5600
I have both, management server and gateway.

Now I have a very big problem: URL filtering doesn't work at all, and the network is too slow.

When I type this command (cpview), see it in the screenshot, the CPUs are always at 100%, but network traffic is very small, about 70 MB. I cannot find which process loads the CPUs.
cpview command

 

Checkpoin_CPU.PNG

 

0 Kudos
Timothy_Hall
Legend

Need to see output of top command to determine if CPU load is kernel-based or process-based, and if it is process-based top will show which processes are consuming CPU.

However being in standalone mode with 16GB of RAM and only 4 cores, it will be difficult to get good performance.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
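
The kernel-based versus process-based split asked for above can be read from a batch-mode `top` capture. This is an added example, not part of any post in the thread; it assumes the older procps header format (`Cpu(s): 71.0%us, ...`), and the function names, the 50% cut-off and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Added example. Thresholds and the sample capture below are constructed.

# classify_cpu: read `top -b -n 1` text on stdin and print
# "kernel", "process", "idle" or "unknown".
classify_cpu() {
    awk '
    /^Cpu\(s\):/ {
        line = $0
        sub(/^Cpu\(s\):/, "", line)
        n = split(line, parts, ",")
        for (i = 1; i <= n; i++) {          # each part looks like " 71.0%us"
            gsub(/ /, "", parts[i])
            split(parts[i], kv, "%")
            val[kv[2]] = kv[1] + 0
        }
        user = val["us"] + val["ni"]               # time in processes
        kern = val["sy"] + val["hi"] + val["si"]   # kernel, hard/soft IRQ
        seen = 1
    }
    END {
        if (!seen)                 print "unknown"
        else if (user + kern < 50) print "idle"    # assumed cut-off
        else if (kern > user)      print "kernel"
        else                       print "process"
    }'
}

# top_consumers MIN: print "COMMAND %CPU" for rows at or above MIN percent.
top_consumers() {
    awk -v min="${1:-10}" '
    $1 == "PID" {
        for (i = 1; i <= NF; i++) { if ($i == "%CPU") c = i; if ($i == "COMMAND") m = i }
        next
    }
    c && $1 ~ /^[0-9]+$/ && $c + 0 >= min { print $m, $c }'
}

# Constructed sample, not output from the poster's gateway.
SAMPLE='Cpu(s): 71.0%us,  9.0%sy,  0.0%ni, 12.0%id,  0.5%wa,  0.5%hi,  7.0%si,  0.0%st

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 9101 admin     20   0  900m 400m  20m R 98.5  2.5 120:11.02 wstlsd
 9102 admin     20   0  900m 390m  20m R 97.0  2.4 118:40.10 wstlsd
 4410 admin     20   0  300m  80m  10m S  3.0  0.5   9:01.77 fwd'

printf '%s\n' "$SAMPLE" | classify_cpu
printf '%s\n' "$SAMPLE" | top_consumers 50
```

On a live system the same functions take `top -b -n 1` on stdin; a single batch sample is a snapshot, so repeat it during the busy period before drawing conclusions.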
Pantsu
Contributor

I don't have big traffic.

Please see the screenshot. top shows me only this information.

20200224_184022.jpg

0 Kudos
Pantsu
Contributor

This screenshot was taken in the morning hours and it is not loaded yet, but at 10 o'clock it was at 100% and top was the same.

0 Kudos
Timothy_Hall
Legend

I need to see the entire screen of the top output, but it looks like you have HTTPS Inspection enabled due to the presence of the wstlsd process.  Probably not advisable to use that feature on a 5600 configured in standalone mode.  Also please provide output of enabled_blades command, my guess is you have most of the blades enabled.

Also are you sure this box is managed standalone and not with a separate SMS/MDS?  I don't think the typical management processes are showing up in your top output.

 

0 Kudos
Pantsu
Contributor

It was working normally 2 days ago. Nothing happened, I just did an install policy and after that CPU began increasing. These are the active blades. It is not working hours now.

 

enable blade.PNG

 

 

20200224_192732.jpg

0 Kudos
PhoneBoy
Admin

What version of code is this you're running?
Highly recommend getting the TAC involved here to help you sort this out.
0 Kudos
Pantsu
Contributor

Hello.

I have enabled the HTTP/HTTPS proxy, see it in the screenshot.


Could this function be the reason for the processor load? And is it possible to see how many processes use this particular function?
Support told us that, for testing, I should disable this function, install a new proxy server on another machine (Linux), move only this function to that server (NOT URL filtering, URL filtering should stay on the Check Point), and then test.
In this setup all traffic comes to this proxy server and then goes to the internet via the Check Point (URL filtering).

proxy123.PNG

Version is R80.30.

0 Kudos
Timothy_Hall
Legend

I agree with TAC here, you should never enable the firewall as a HTTP/HTTPS Proxy like that as it will invoke Active Streaming in the CPASXL path in R80.20+.  This is a legacy feature that should not be necessary in today's world, and was singled out for some pretty harsh words in the third edition of my book:

 


 

Do not enable the firewall as a HTTP/HTTPS Proxy Server. On the firewall object is a screen called “HTTP/HTTPS Proxy Server” that will permit the firewall to be used as a web proxy server for web browsers. This feature is disabled by default, do not enable it! An easy way to see if this feature is enabled is by running command ps -efw | grep wsdnsd. If the wsdnsd daemon is running HTTP/HTTPS proxying is enabled, and can cause some various performance-impacting issues such as:

sk93929: HTTP and HTTPS traffic is dropped and/or latency is experienced when HTTP / HTTPS traffic g....


Any traffic proxied by the firewall in this way will be handled by active streaming in the CPASXL path. If you have this option enabled it may have been turned on mistakenly, or under the guise that the firewall configured in this way would act as a “caching” proxy server, and reduce the utilization of an overloaded Internet connection by providing cached responses to popular websites. WRONG. This feature does not perform any caching of web content whatsoever, and will suck large amounts of traffic into the CPASXL path. See the following for more information:

sk92482: Performance impact from enabling HTTP/HTTPS Proxy functionality.

 

Nikolai_Borhart
Contributor

Hello Timothy,

 

I just looked at some firewalls (R80.20 and R80.30) using the wsdnsd process.

And although I have not activated HTTP/HTTPS proxy on any firewall, the process is still active.

If I can trust the output of cpwd_admin list. 🙂


What else could have activated this process?

 

PS: Your book is awesome!

0 Kudos
Timothy_Hall
Legend

As long as you are sure the firewall is not defined as a proxy I wouldn't worry about it, wsdnsd is probably just doing DNS lookups for something else such as Dynamic Objects.

0 Kudos
Nikolai_Borhart
Contributor

I checked this in my lab.

The wsdnsd process is activated as soon as you use an updatable object in the policy.

Maybe sk97638 needs an update.

Timothy_Hall
Legend

Makes sense, thanks for the followup.

 

0 Kudos
