Solved: Single SND on 8 core

Trevor_Bruss · ‎2022-02-15

We have a single site Maestro setup with two 6500 units in a security group. I feel like CPU usage has risen after migrating to R81.10. We've seen some of outages to traffic during some of the CUL moments which we're working with TAC on, but we're uncertain if the higher usage and spikes are the reason.

Given the 8 cores are currently split 2/6, I monitored the two SND cores on each unit and they run 10-15% on average, could I feasibly configure the group to use 7 cores on each member for firewall processing leaving a single CPU for SND? Given these just connect up to the Orchestrator fabric, I didn't know if that would hurt us in any way. Maybe I'm oversimplifying by thinking the CPU usage with one core would just average a but higher.

I realize ultimately I need to see if there is anything we need to do to optimize the performance to lower CPU. I'll leave that for when I have more time to leave results of our super 7.

HeikoAnkenbrand · ‎2022-02-16

You can do this with Maestro just like with a normal firewall!
With 1/7 you will reduce the throughput on the downlinks.

I wouldn't do this unless the CoreXL instances are all running at 90%-100% core utilisation.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

HeikoAnkenbrand · ‎2022-02-16

You can do this with Maestro just like with a normal firewall!
With 1/7 you will reduce the throughput on the downlinks.

I wouldn't do this unless the CoreXL instances are all running at 90%-100% core utilisation.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Timothy_Hall · ‎2022-02-16

Agree with Heiko here, I don't think going from a 2/6 split to a 1/7 split will make a huge difference in your scenario. It might, but you need to understand where the spikes are coming from first before trying to tune things. Please provide the output of enabled_blades on your 6500 as well as the Super Seven outputs:

https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40...

If you are on R81.10 Dynamic Split should be enabled by default anyway, although perhaps that feature is not supported when used with Maestro.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon

Trevor_Bruss · ‎2022-02-16

These are the enabled blades:

fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot

I've also included a recent Super7 from each member of the security group.

One thing I did implement yesterday was the penalty box feature. Also, according to sk164155, Maestro units do not support Dynamic Split.

Timothy_Hall · ‎2022-02-17

Looks like you could move to a 1/7 split and the single SND will be able to keep up with the load. Everything looks like it is running pretty well based on the blades you have enabled, the zero templating rate (conns in fwaccel stats -s) is caused by Anti-bot and you can't really do anything about it.

One thing that is slightly high is your percentage of F2F traffic in the mid 20's. Ideally that should be 10% or lower, this F2F percentage could be caused by a large number of drops invoking excessive rulebase lookups which the penalty box should help with. Run the command fw ctl multik gconn and compare it with fwaccel conns (which does not show F2F connections), are there any common attributes of connections that are being handled F2F?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon