checkpoint web filtering works too slow
Hello,
I have URL Filtering with proxy.
It has been working very slowly for 2 days (websites are opening very slowly) and the CPU on the Check Point has increased.
I discovered these error logs, shown below; could they be the cause of this problem?
For this error message, sk162639 suggests the following:
Contact Check Point Support for assistance with this issue.
Are you using a separate management server or is this a standalone install?
Hardware: 5600
I have both, management server and gateway.
Now I have a very big problem: URL Filtering doesn't work at all, and the network is too slow.
When I type this command (cpview), see it in the screenshot, the CPUs are always at 100%, but network traffic is very small, about 70 MB. I cannot find which process loads the CPUs.
cpview command
Need to see the output of the top command to determine if the CPU load is kernel-based or process-based, and if it is process-based top will show which processes are consuming CPU.
However, being in standalone mode with 16 GB of RAM and only 4 cores, it will be difficult to get good performance.
March 27th with sessions for both the EMEA and Americas time zones
I don't have big traffic.
Please see the screenshot. top shows me only this information.
Now this screenshot was taken in the morning hours and it is not loaded yet, but at 10 o'clock it was 100% and top was the same.
I need to see the entire screen of the top output, but it looks like you have HTTPS Inspection enabled due to the presence of the wstlsd process. Probably not advisable to use that feature on a 5600 configured in standalone mode. Also please provide output of enabled_blades command, my guess is you have most of the blades enabled.
Also are you sure this box is managed standalone and not with a separate SMS/MDS? I don't think the typical management processes are showing up in your top output.
It was working normally 2 days ago. Nothing happened; I just did an install policy and after that the CPU began increasing. These are the active blades. Now it is not work hours.
Highly recommend getting the TAC involved here to help you sort this out.
Hello,
I have enabled HTTP/HTTPS proxy, see it in the screenshot.
Could this function be the reason for the processor load? And is it possible to see how many processes use this particular function?
Support told us that for testing I should disable this function, install a new proxy server on another machine (Linux), move only this function to that server (NOT URL Filtering; URL Filtering should stay on the Check Point) and then test.
In this situation all traffic comes to this proxy server and then goes to the internet via the Check Point (URL Filtering).
Version is R80.30.
I agree with TAC here, you should never enable the firewall as a HTTP/HTTPS Proxy like that as it will invoke Active Streaming in the CPASXL path in R80.20+. This is a legacy feature that should not be necessary in today's world, and was singled out for some pretty harsh words in the third edition of my book:

Do not enable the firewall as a HTTP/HTTPS Proxy Server. On the firewall object is a screen called "HTTP/HTTPS Proxy Server" that will permit the firewall to be used as a web proxy server for web browsers. This feature is disabled by default, do not enable it!

An easy way to see if this feature is enabled is by running command ps -efw | grep wsdnsd. If the wsdnsd daemon is running HTTP/HTTPS proxying is enabled, and can cause some various performance-impacting issues such as:

Any traffic proxied by the firewall in this way will be handled by active streaming in the CPASXL path. If you have this option enabled it may have been turned on mistakenly, or under the guise that the firewall configured in this way would act as a "caching" proxy server, and reduce the utilization of an overloaded Internet connection by providing cached responses to popular websites. WRONG. This feature does not perform any caching of web content whatsoever, and will suck large amounts of traffic into the CPASXL path. See the following for more information:

sk92482: Performance impact from enabling HTTP/HTTPS Proxy functionality.
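The two checks suggested in this thread, the top-based kernel-vs-process triage and the ps -efw check for wsdnsd, as an added shell example that is not part of the original posts. It carries the caveat raised later in the thread (wsdnsd also runs when updatable objects are used), and the top and ps captures it walks through are constructed samples, not real gateway output; the --live mode assumes it is run on the gateway itself.

```shell
# Added example, not from the thread; sample captures are constructed.
# Kernel-based load (SecureXL/CoreXL work) shows as high %sy in the top
# summary; process-based load shows as high %us with named daemons on top.
classify_cpu() {  # $1 = text of "top -b -n 1"; prints kernel | process | idle
    printf '%s\n' "$1" | awk '
        /^%?Cpu\(s\):/ {
            for (i = 2; i <= NF; i++) {
                v = $i
                if (v ~ /%us,?$/)      { sub(/%us,?$/, "", v); us = v }
                else if (v ~ /^us,?$/) { us = $(i - 1) }
                if (v ~ /%sy,?$/)      { sub(/%sy,?$/, "", v); sy = v }
                else if (v ~ /^sy,?$/) { sy = $(i - 1) }
            }
        }
        END { if (us + sy < 50) print "idle"; else if (sy > us) print "kernel"; else print "process" }'
}
# For process-based load, list the busiest processes (%CPU is column 9,
# COMMAND the last column, in the classic top layout).
top_processes() {  # $1 = top text, $2 = how many to list
    printf '%s\n' "$1" | awk 'seen && NF >= 12 { print $NF, $9 "%" }; /^ *PID/ { seen = 1 }' | head -n "$2"
}
# wsdnsd alone does not prove the HTTP/HTTPS Proxy is on: it also runs when
# updatable objects are in the policy, so confirm on the firewall object's
# "HTTP/HTTPS Proxy Server" screen. wstlsd indicates HTTPS Inspection.
daemon_status() {  # $1 = text of "ps -efw"; prints one line per daemon
    for d in wsdnsd wstlsd; do
        if printf '%s\n' "$1" | grep -v grep | grep -q "[/ ]$d"; then echo "$d running"
        else echo "$d absent"; fi
    done
}
SAMPLE_TOP='top - 10:02:11 up 12 days,  1:03,  1 user,  load average: 3.90, 3.85, 3.70
Cpu(s): 71.3%us, 22.1%sy,  0.0%ni,  6.6%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4711 admin     15   0 1.2g  420m  30m R 95.4  2.6 310:12.55 wsdnsd
 4720 admin     15   0 1.8g  610m  40m R 88.0  3.8 280:44.10 wstlsd
 1234 admin     15   0  900m 200m  25m S  5.0  1.2  10:01.00 fwd'
SAMPLE_PS='admin  4711     1 90 Mar18 ?  05:10:12 wsdnsd
admin  4720     1 85 Mar18 ?  04:40:44 wstlsd
admin  9999  9000  0 10:05 pts/0  00:00:00 grep wsdnsd'
if [ "${1:-}" = "--live" ]; then   # on the gateway itself
    TOP=$(top -b -n 1); PS=$(ps -efw); enabled_blades
else                               # offline walk-through on the samples
    TOP=$SAMPLE_TOP; PS=$SAMPLE_PS
fi
echo "load: $(classify_cpu "$TOP")"; top_processes "$TOP" 3; daemon_status "$PS"
```

Run it with --live on the gateway to use real top, ps -efw and enabled_blades output instead of the samples.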
Hello Timothy,
I just looked at some firewalls (R80.20 and R80.30) using the wsdnsd process.
And although I have not activated HTTP/HTTPS proxy on any firewall, the process is still active.
If I can trust the output of cpwd_admin list. 🙂
What else could have activated this process?
PS: Your book is awesome!
As long as you are sure the firewall is not defined as a proxy I wouldn't worry about it, wsdnsd is probably just doing DNS lookups for something else such as Dynamic Objects.
I checked this in my lab.
The wsdnsd process is activated as soon as you use an updatable object in the policy.
Maybe sk97638 needs an update.
Makes sense, thanks for the followup.
