High CPU load on wsman TCP/5985 traffic

Once a month there is a strange behavior of CPU load.

We have configured sources to send events to the WEC event collector on port 5985.

Usually the CPU load is normal.
But on a certain day, through cpview, we see that all the load is due to wsman traffic on port 5985. CPU load is 90-100% and the firewall even becomes unavailable.

We tried to allow all traffic from our subnet to the WEC using fast accel, but it doesn't work.

The problem is solved only by blocking this traffic. Then we gradually allow traffic up to the WEC so that the event queue goes up to it. We allow only part of the subnet to pass traffic, then when the load is reduced we allow the next part of the subnet and so on until all subnets are in the allowed rules again.

Can you tell me what the problem might be? Can it be related to CheckPoint?

Sounds like you are dealing with an occasional elephant flow (or flows) on this port.  What does fw ctl multik print_heavy_conn show if run within 24 hours of one of these events?  What is your code and HFA level?

If the fast_accel did not improve the situation it almost certainly means that traffic is F2F/slowpath which is immune to fast_accel definitions.  You'll have to determine why that traffic is F2F before you can improve the situation.  Once you provide your code level I'll provide further steps.

