Hello,
I have URL filtering with proxy.
It has been working very slowly for 2 days (web sites are opening very slowly) and CPU on the Check Point has increased.
I discovered these error logs, shown below. Could they be the cause of this problem?
For this error message, sk162639 suggests the following:
Contact Check Point Support for assistance with this issue.
Hardware: 5600
I have both, Management server and gateway.
Now I have a very big problem: URL filtering doesn't work at all, and the network is too slow.
When I type this command (cpview), see it in the screenshot, the CPUs are always at 100%, but network traffic is very small, about 70 MB. I cannot find which process loads the CPUs.
CPview command
Need to see output of top command to determine if CPU load is kernel-based or process-based, and if it is process-based top will show which processes are consuming CPU.
However being in standalone mode with 16GB of RAM and only 4 cores, it will be difficult to get good performance.
I don't have big traffic.
Please see the screenshot. TOP shows me only this information.
This screenshot was taken in the morning hours and it is not loaded yet, but at 10 o'clock it was 100% and TOP was the same.
I need to see the entire screen of the top output, but it looks like you have HTTPS Inspection enabled due to the presence of the wstlsd process. Probably not advisable to use that feature on a 5600 configured in standalone mode. Also please provide output of enabled_blades command, my guess is you have most of the blades enabled.
Also are you sure this box is managed standalone and not with a separate SMS/MDS? I don't think the typical management processes are showing up in your top output.
It was working normally 2 days ago. Nothing happened, I just did an install policy and after that CPU began increasing. These are the active blades. It is not working hours now.
Hello.
I have enabled the HTTP/HTTPS proxy, see it in the screenshot.
Could this function be the reason for the processor load? And is it possible to see how many processes use this particular function?
Support told us that for testing, I should disable this function, install a new proxy server on another machine (Linux), move only this function to that server (NOT URL filtering, URL filtering should stay on the Check Point) and then test.
In this setup all traffic comes to this proxy server and then goes to the internet via the Check Point (URL filtering).
version is R80.30
I agree with TAC here, you should never enable the firewall as a HTTP/HTTPS Proxy like that as it will invoke Active Streaming in the CPASXL path in R80.20+. This is a legacy feature that should not be necessary in today's world, and was singled out for some pretty harsh words in the third edition of my book:
Do not enable the firewall as a HTTP/HTTPS Proxy Server. On the firewall object is
a screen called “HTTP/HTTPS Proxy Server” that will permit the firewall to be used as a
web proxy server for web browsers. This feature is disabled by default, do not enable it!
An easy way to see if this feature is enabled is by running command
ps -efw | grep wsdnsd. If the wsdnsd daemon is running HTTP/HTTPS proxying is enabled,
and can cause some various performance-impacting issues such as:
Any traffic proxied by the firewall in this way will be handled by active streaming in
the CPASXL path. If you have this option enabled it may have been turned on
mistakenly, or under the guise that the firewall configured in this way would act as a
“caching” proxy server, and reduce the utilization of an overloaded Internet connection
by providing cached responses to popular websites. WRONG. This feature does not
perform any caching of web content whatsoever, and will suck large amounts of traffic
into the CPASXL path. See the following for more information:
sk92482: Performance impact from enabling HTTP/HTTPS Proxy functionality.
Hello Timothy,
I just looked at some firewalls (R80.20 and R80.30) using the wsdnsd process.
And although I have not activated HTTP/HTTPS proxy on any firewall, the process is still active.
If I can trust the output of cpwd_admin list. 🙂
What else could have activated this process?
PS: Your book is awesome!
As long as you are sure the firewall is not defined as a proxy I wouldn't worry about it, wsdnsd is probably just doing DNS lookups for something else such as Dynamic Objects.
I checked this in my lab.
The wsdnsd process is activated as soon as you use an updatable object in the policy.
Maybe sk97638 needs an update.
Makes sense, thanks for the followup.
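
The triage step requested earlier in the thread (deciding from top whether CPU load is kernel-based or process-based, then naming the busy processes), as an added example that is not part of any post. The sample output is constructed, and the function names, the "sy+hi+si greater than us" rule and the 20% cut-off are assumptions chosen for illustration.

```shell
#!/bin/bash
# Constructed sample of `top -b -n 1` output; the values are illustrative only.
SAMPLE_TOP='top - 10:02:11 up 12 days,  3:14,  1 user,  load average: 4.10, 3.80, 3.20
Tasks: 180 total,   5 running, 175 sleeping,   0 stopped,   0 zombie
Cpu(s): 71.5%us,  9.0%sy,  0.0%ni, 12.0%id,  0.5%wa,  0.5%hi,  6.5%si,  0.0%st
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4321 admin     20   0  900m 310m  20m R 96.0  1.9  55:10.12 wstlsd
 4400 admin     20   0  300m  40m  10m S 41.0  0.2  12:01.50 wsdnsd
 2210 admin     20   0  700m 200m  30m S  3.0  1.2   9:44.01 fwd'

# Print "kernel" when system + hard-IRQ + soft-IRQ time exceeds user time in
# the top summary line, otherwise "process" (assumed rule of thumb).
classify_cpu() {
  awk '/Cpu\(s\)/ {
         gsub(/[%,]/, " ")   # accept both "71.5%us," and "71.5 us," layouts
         for (i = 1; i < NF; i++) v[$(i + 1)] = $i
         kern = v["sy"] + v["hi"] + v["si"]
         print ((kern > v["us"] + 0) ? "kernel" : "process")
         exit
       }'
}

# Print the COMMAND of every process at or above a %CPU threshold.
# Column positions are read from the header row, not hard-coded.
hot_procs() {
  awk -v min="${1:-20}" '
    $1 == "PID" {
      for (i = 1; i <= NF; i++) {
        if ($i == "%CPU") c = i
        if ($i == "COMMAND") n = i
      }
      next
    }
    c && $c + 0 >= min { print $n }'
}

# On a gateway the input would come from: top -b -n 1
printf 'CPU load is mostly: %s\n' "$(printf '%s\n' "$SAMPLE_TOP" | classify_cpu)"
printf 'Processes at or above 20%% CPU:\n'
printf '%s\n' "$SAMPLE_TOP" | hot_procs 20
```

Per the replies above, wstlsd in that list points at HTTPS Inspection, while wsdnsd alone does not prove the HTTP/HTTPS proxy is enabled, since updatable objects also start it.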