Re: checkpoint web filtering works too slow

Pantsu · ‎2020-02-20

hello

I have Url filtering with proxy,
it'has been working very slow for 2 day , (web sites are opening very slowly) and CPU in Checkpoint has increased,
I discover this error logs , followed down , should it cause of this problem .

[ERROR]: uc_log_suppression_set_entry: Failed storing log data in log suppression table!

G_W_Albrecht · ‎2020-02-20

For this error message, sk162639 suggests the following:

Contact Check Point Support for assistance with this issue.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2020-02-20

What is the hardware of your gateway?
Are you using a separate management server or is this a standalone install?

Pantsu · ‎2020-02-24

hardware -5600
i have both, Management server and gateway

now i have very big problem , URL filtering doesn't work at all , and network is too slow

when i type this command (cpview) See it in screenshot, CPU's are always 100 % , but network traffic is very small , about 70 MB . I cannot find which process loads CPU's
CPview command

Timothy_Hall · ‎2020-02-24

Need to see output of top command to determine if CPU load is kernel-based or process-based, and if it is process-based top will show which processes are consuming CPU.

However being in standalone mode with 16GB of RAM and only 4 cores, it will be difficult to get good performance.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Pantsu · ‎2020-02-24

I don't have big traffic .

Please see screenshot . TOP shows me only this information

Pantsu · ‎2020-02-24

Now this screenshot is taken in the morning hours and it is not loaded yet, but in 10 o,clock it was 100 % and TOP was same

Timothy_Hall · ‎2020-02-24

I need to see the entire screen of the top output, but it looks like you have HTTPS Inspection enabled due to the presence of the wstlsd process. Probably not advisable to use that feature on a 5600 configured in standalone mode. Also please provide output of enabled_blades command, my guess is you have most of the blades enabled.

Also are you sure this box is managed standalone and not with a separate SMS/MDS? I don't think the typical management processes are showing up in your top output.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Pantsu · ‎2020-02-24

It was working normally 2 days ago. Nothing happened , i just made install policy and after that it began increasing CPU . These are active blade . Now it is not work hours.

PhoneBoy · ‎2020-02-24

What version of code is this you're running?
Highly recommend getting the TAC involved here to help you sort this out.

Pantsu · ‎2020-03-17

hello.

i have enabled http/https proxy , see it in screenshot.

Could this function be the reason for processor load? And is it possible to see, how many process uses this particular function?
Support said us that for testing, i should disable this function , install new proxy server in other machine (linux) , move only this function to this server, (NOT Url filtering, Url filtering should stay in checkpoint ) and then test .
For this situation All trafic come to this proxy server and then go internet via checkpoint (Url filtering ) .

version is R80.30

Timothy_Hall · ‎2020-03-20

I agree with TAC here, you should never enable the firewall as a HTTP/HTTPS Proxy like that as it will invoke Active Streaming in the CPASXL path in R80.20+. This is a legacy feature that should not be necessary in today's world, and was singled out for some pretty harsh words in the third edition of my book:

Click to Expand

Do not enable the firewall as a HTTP/HTTPS Proxy Server. On the firewall object is
a screen called “HTTP/HTTPS Proxy Server” that will permit the firewall to be used as a
web proxy server for web browsers. This feature is disabled by default, do not enable it!
An easy way to see if this feature is enabled is by running command ps -efw |
grep wsdnsd. If the wsdnsd daemon is running HTTP/HTTPS proxying is enabled,
and can case some various performance-impacting issues such as:

sk93929: HTTP and HTTPS traffic is dropped and/or latency is experienced when HTTP / HTTPS traffic g....

Any traffic proxied by the firewall in this way will be handled by active streaming in
the CPASXL path. If you have this option enabled it may have been turned on
mistakenly, or under the guise that the firewall configured in this way would act as a
“caching” proxy server, and reduce the utilization of an overloaded Internet connection
by providing cached responses to popular websites. WRONG. This feature does not
perform any caching of web content whatsoever, and will suck large amounts of traffic
into the CPASXL path. See the following for more information:

sk92482: Performance impact from enabling HTTP/HTTPS Proxy functionality.

Do not enable the firewall as a HTTP/HTTPS Proxy Server. On the firewall object isa screen called “HTTP/HTTPS Proxy Server” that will permit the firewall to be used as aweb proxy server for web browsers. This feature is disabled by default, do not enable it!An easy way to see if this feature is enabled is by running command ps -efw |grep wsdnsd. If the wsdnsd daemon is running HTTP/HTTPS proxying is enabled,and can case some various performance-impacting issues such as: sk93929: HTTP and HTTPS traffic is dropped and/or latency is experienced when HTTP / HTTPS traffic goes through a VPN tunnel. Any traffic proxied by the firewall in this way will be handled by active streaming inthe CPASXL path. If you have this option enabled it may have been turned onmistakenly, or under the guise that the firewall configured in this way would act as a“caching” proxy server, and reduce the utilization of an overloaded Internet connectionby providing cached responses to popular websites. WRONG. This feature does notperform any caching of web content whatsoever, and will suck large amounts of trafficinto the CPASXL path. See the following for more information: sk92482: Performance impact from enabling HTTP/HTTPS Proxy functionality.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Nikolai_Borhart · ‎2020-03-20

Hello Timothy,

I just looked at some firewall (R80.20 and R80.30) using the wsdnsd process.

And although I have not activated HTTP / HTTPS proxy on any firewall, the process is still active.

If I can trust the output of CPWD_admin _list. 🙂

What else could have activated this process?

PS: Your book ist awsome!

Timothy_Hall · ‎2020-03-20

As long as you are sure the firewall is not defined as a proxy I wouldn't worry about it, wsdnsd is probably just doing DNS lookups for something else such as Dynamic Objects.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Nikolai_Borhart · ‎2020-03-20

I check this in my lab.

The wsdnsd process is activated as soon as you use an updateble object in the policy.

Maybe the sk97638 need a update.

Timothy_Hall · ‎2020-03-20

Makes sense, thanks for the followup.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Are you a member of CheckMates?

checkpoint web filtering works too slow