This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Steffen_Matouse
Participant
‎2024-04-25 02:44 AM

looking for detailed information to cpview

sometimes the my FW has high CPU usage and it seams caused by special traffic.

If I load the CPViewCB in  DB Viewer of Diagostic View I see in the timeframe high Host Streaming_Overall_Connection

Have someone a short explanation what Host Streaming mean in this case ?

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2024-04-25 07:17 AM

Any idea what traffic is being matched?
I suspect it's something that makes heavy use of Medium and/or Slow path.

0 Kudos
Steffen_Matouse
Participant
‎2024-04-26 06:47 AM
In response to PhoneBoy

currenly not. Is  host streaming an indicator for special traffic or for special path in FW ?

Timothy_Hall
Legend Legend
Legend
‎2024-04-26 07:46 AM

That is probably Medium Path streaming in passive and active mode.  It is not unusual for most CPU to be consumed here on a modern gateway with the typical blades enabled.  Please provide the outputs of the enabled_blades and fwaccel stats -s for further analysis.  If you have a cluster, make sure these commands are run on the active member.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Steffen_Matouse
Participant
‎2024-04-29 05:19 AM
In response to Timothy_Hall

enabled blades

fw vpn urlf av appi ips identityServer anti_bot ThreatEmulation qos mon Scrub

fwaccel stats -s
----------------------
Accelerated conns/Total conns : 0/2211 (0%)
LightSpeed conns/Total conns : 0/2211 (0%)
Accelerated pkts/Total pkts : 84797454270/95272799005 (89%)
LightSpeed pkts/Total pkts : 0/95272799005 (0%)
F2Fed pkts/Total pkts : 10475344735/95272799005 (10%)
F2V pkts/Total pkts : 18299159379/95272799005 (19%)
CPASXL pkts/Total pkts : 375428925/95272799005 (0%)
PSLXL pkts/Total pkts : 80604241319/95272799005 (84%)
CPAS pipeline pkts/Total pkts : 0/95272799005 (0%)
PSL pipeline pkts/Total pkts : 0/95272799005 (0%)
CPAS inline pkts/Total pkts : 0/95272799005 (0%)
PSL inline pkts/Total pkts : 0/95272799005 (0%)
QOS inbound pkts/Total pkts : 22484053775/95272799005 (23%)
QOS outbound pkts/Total pkts : 26954068758/95272799005 (28%)
Corrected pkts/Total pkts : 0/95272799005 (0%)

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-04-29 05:45 AM
In response to Steffen_Matouse

First off you have no SecureXL templating happening (Accelerated conns), which means higher CPU overhead for a fresh rulebase lookup every time for new connections.  Most likely cause is having any blade other than Firewall enabled in your top/parent layer of your policy (sk180633: Security Gateway accelerates 99% of traffic through the PSLXL) and/or specifying applications/content in that top/first layer, or use of services with Protocol Signature set.  Please provide outputs of fwaccel stat and fwaccel templates -R.

Looks like you are utilizing the QoS blade as well which will increase overhead (but not nearly as badly as in R80.10 and earlier), keep in mind if all you want to do is shared rule-based bandwidth limits, this can be accomplished directly in the Action field of your APCL/URLF without needing the QoS blade.  The QoS blade will be needed if you want to do per-connection limits, shared or per-connection guarantees, Weighted Fair Queueing, LLQ, ToS/DiffServ preferences etc.

Other than that you just have a lot of features enabled and a busy firewall.  One other thing that can spike the CPU is elephant flows, try running fw ctl multik print_heavy_conn to see all elephant flows in the last 24 hours.  The Spike Detective (sk166454: CPU Spike Detective) can also be helpful for tracking down excessive CPU usage.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events