Hi, My Security Gateway CPU is spiking randomly. I want to configure a script to collect output of some pre-defined commands like EEM in Cisco. But I'm not getting the script for CheckPoint. Any help much appreciated
Check Point is based on Red Hat Linux. You can create Python or bash scripts to collect the information.
Thanks for replying. I want to set up a script which will execute a command "fw tab -t connections -u > /var/log/Connections_Table.txt" when my gateway CPU goes above 90%. Could you please help me with script and steps?
You'd have to write a script that:
1. Monitors CPU (remember: there is more than one core)
2. When CPU reaches your desired threshold, run the appropriate commands
Meanwhile, you might try using cpview, which can tell you a lot about what's going on.
It's happening randomly, that's why I thought of configuring a script. But I don't know how to do it. If you have any document related to scripting, please share. It will be helpful.
cpview has a history mode that will likely be helpful.
It won't require scripting.
See also: Best Practices - Security Gateway Performance
cpview will record the information, I believe, every 1 min. I have seen it before: the CPU spikes in sub-seconds and cpview will not catch it. We had to use top with a lower timer to catch it.
It's not foolproof, true, but it's a good starting point that doesn't involve writing scripts.
Houssameddine Zeghlache, in regards to the granularity of cpview history mode being 1 minute: I looked into it more closely when researching my book, and the per-minute historical numbers reported by cpview are the average of two samples taken 30 seconds apart. So a spike of some kind that occurs but is not still happening during one of the samples taken every 30 seconds will not show up at all in cpview's history mode, and this was noted in my book. sar takes more of a running average over its sampling intervals and in some cases is preferred over cpview, depending on what you want to inspect. Here is the table from the second edition of my book where these preferences are summarized; these are just my opinion of course:
-- Second Edition of my "Max Power" Firewall Book Now Available at http://www.maxpowerfirewalls.com
Hi Tim, in my case the CPU is spiking intermittently, and by the time I log in it has become normal again. I know one thing: the CPU spikes when the number of connections suddenly increases from 40k to 80k.
I'm stuck here. I want to find out which connections are causing the CPU spike. Could you please help me out?
Tim, forgot to say one more thing, firewall policy logs are disabled for all policy except clean up rule.
OK, since logging is only for the cleanup rule it is probably not fwd and its associated logging functions spiking the CPU.
First order of business for a spiking CPU is determine what kind of execution is eating the most cycles during the problematic period. sar can get you going in the right direction here, run sar in historical mode like this (assume that the day number it happened was 7 in this example, for today just omit the "-f (filename)" argument):
sar -f /var/log/sa/sa07 -P ALL
This will show specifically where the CPU is going, percentage-wise, for each type of execution, namely:
%user - process execution, generally this should be fairly low on a gateway unless features that cause process space trips such as HTTPS Inspection are turned on
%nice - irrelevant on a gateway, important on a R80+ SMS though
%system - kernel execution, roll up of the sy/si/hi/st shown in top
%iowait - waiting for I/O, should be very low (<5%) on a gateway unless policy is currently being installed, if higher than that during your spikes the firewall is almost certainly low on memory, post output of free -m
%idle - hopefully self-explanatory
Please report where most of the CPU cycles are going during the spikes and we can go from there. If it is spiking in %system as shown by sar, you're going to either have to catch the problem live while running top, or run top in batch mode so we can see which one of sy/si/hi is the culprit.
-- Second Edition of my "Max Power" Firewall Book Now Available at http://www.maxpowerfirewalls.com
You might start playing with it in a lab by checking some scripts like this one and adjusting for your needs.
I have an old, outdated script from years ago
Usage: Before running the script, please set up top so it always shows all CPUs:
# top
Press 1
Press shift + w
Press Enter
Exit top
Verify that it shows all CPUs by entering top again. Now we can run the script:
# dos2unix monitor.sh
# chmod +x monitor.sh
# nohup ./monitor.sh &
The script will now run in the background and will take specific outputs related to performance every 30 seconds. They will be written into /var/log/output.txt
To kill the script:
# ps aux | grep monitor.sh
# kill -9 [pid of monitor.sh]
You can change the time value to your needs.
#!/bin/bash
#
clear
echo "To stop the script press CTRL+C"
echo "Starting to probe the system . ."
echo ======================================================================== >> /var/log/output.txt
echo "=== The beginning of the probing process ===" >> /var/log/output.txt
date >> /var/log/output.txt
echo ======================================================================== >> /var/log/output.txt
sleep 5
while true   # loop until CTRL+C or kill
do
  echo "New run, collecting....."
  echo "To stop the script press CTRL+C"
  echo " "
  echo ============================================================= >> /var/log/output.txt
  date >> /var/log/output.txt
  echo ============================================================= >> /var/log/output.txt
  echo " " >> /var/log/output.txt
  echo " " >> /var/log/output.txt
  echo cat /proc/meminfo : >> /var/log/output.txt
  echo "------------" >> /var/log/output.txt
  cat /proc/meminfo >> /var/log/output.txt
  echo " " >> /var/log/output.txt
  echo cpstat os -f multi_cpu : >> /var/log/output.txt
  echo "------------" >> /var/log/output.txt
  cpstat os -f multi_cpu >> /var/log/output.txt
  echo " " >> /var/log/output.txt
  echo top -n1 -b : >> /var/log/output.txt
  echo "------------" >> /var/log/output.txt
  top -n1 -b >> /var/log/output.txt
  echo " " >> /var/log/output.txt
  echo ps -auxf : >> /var/log/output.txt
  echo "------------" >> /var/log/output.txt
  ps -auxf >> /var/log/output.txt
  echo " " >> /var/log/output.txt
  clear
  echo " "
  echo "GOING to SLEEP for 30 seconds, run complete"
  echo " "
  echo " "
  echo "Please press CTRL + C in order to break the script"
  sleep 30
done
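The script above collects on a fixed timer regardless of load. The original request in this thread was for a threshold trigger: run "fw tab -t connections -u" only when the CPU goes above 90%, and, following the sar/top advice, capture top in batch mode at the same moment. The following is an added example written for this thread; it is not Check Point code, not the poster's monitor.sh and not the TAC spike_monitor script. It reads /proc/stat twice, computes busy percent per core (so a single saturated core is caught even when the average looks fine, which is the "more than one core" point made earlier), and dumps the connections table, top and ps when any core meets the threshold. The output directory, file names, the 2 s sample interval, the 60 s cool-down and the sourcing of /etc/profile.d/CP.sh for the fw environment are my assumptions.

```bash
#!/bin/bash
# Added example for this thread; not Check Point code and not the TAC script.
# Samples /proc/stat, computes busy% per core over INTERVAL seconds, and when
# any core is at or above THRESHOLD runs the collection commands discussed above.

THRESHOLD="${THRESHOLD:-90}"            # busy percent on a single core that triggers a dump
INTERVAL="${INTERVAL:-2}"               # seconds between samples (sub-minute, unlike cpview history)
OUTDIR="${OUTDIR:-/var/log/cpu_spike}"  # assumed location for the captured files

# fw/cpstat need the Check Point environment when run from nohup or cron;
# assumption: /etc/profile.d/CP.sh provides it on Gaia.
if [ -r /etc/profile.d/CP.sh ]; then . /etc/profile.d/CP.sh; fi

# cpu_busy_pct SNAP1 SNAP2
# Given two /proc/stat snapshots as text, print "cpuN <busy percent>" per core.
# busy = all jiffies except idle+iowait; the aggregate "cpu " line is ignored.
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        /^cpu[0-9]+ / {
            n = $1; total = 0
            for (i = 2; i <= NF && i <= 9; i++) total += $i   # user..steal, skip guest cols
            idle = $5 + $6                                     # idle + iowait
            if (n in t0) {                                     # second snapshot: compute delta
                dt = total - t0[n]; di = idle - i0[n]
                pct = (dt > 0) ? 100 * (dt - di) / dt : 0
                printf "%s %d\n", n, pct
            } else { t0[n] = total; i0[n] = idle }             # first snapshot: remember
        }'
}

# max_busy_pct SNAP1 SNAP2 -> highest per-core busy percent (integer)
max_busy_pct() {
    cpu_busy_pct "$1" "$2" | awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

# Capture one timestamped set: the connections table the poster asked for,
# top in batch mode (so sy/si/hi are visible) and the process tree.
collect_spike_data() {
    ts=$(date +%Y%m%d_%H%M%S)
    mkdir -p "$OUTDIR"
    fw tab -t connections -u > "$OUTDIR/Connections_Table_$ts.txt" 2>&1
    top -b -n 1 > "$OUTDIR/top_$ts.txt" 2>&1
    ps auxf > "$OUTDIR/ps_$ts.txt" 2>&1
    echo "$ts spike: core at ${1}% (threshold ${THRESHOLD}%)" >> "$OUTDIR/events.log"
}

monitor_loop() {
    s1=$(cat /proc/stat)
    while :; do
        sleep "$INTERVAL"
        s2=$(cat /proc/stat)
        pct=$(max_busy_pct "$s1" "$s2")
        if [ "$pct" -ge "$THRESHOLD" ]; then
            collect_spike_data "$pct"
            sleep 60                  # cool-down: one spike should not produce dozens of dumps
            s1=$(cat /proc/stat)      # resample so the cool-down window is not measured
        else
            s1=$s2
        fi
    done
}

# Start with: nohup ./cpu_spike.sh start &   (running without "start" only defines the functions)
if [ "${1:-}" = "start" ]; then monitor_loop; fi
```

Lower INTERVAL if the spikes are shorter than two seconds, and check the events.log timestamps against the connection-count jump (40k to 80k) to confirm the dump was taken while the table was full; a dump taken after the cool-down tells you nothing about the spike.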
But the best option would be to ask CP TAC for the CPU spike monitor script "spike_monitor_cpk.sh" by Ariel L. Dor.