As mentioned earlier, high CPU usage is generally expected on a local Threat Emulation (TE) appliance. However, there were a few tips in my book to help avoid bottlenecks when performing local emulation, namely:
1) Enable Intel Virtualization Technology (VT) processor extensions if supported; see sk92374: Intel Virtualization Technology (VT) support compliance on Check Point appliances and sk92375: Enabling Intel Virtualization Technology (VT) in BIOS on Check Point appliances.
2) By default, if the CPU cores allocated for emulation are more than 90% busy, no more emulation VMs will start until the CPU load drops below that value, thus potentially causing a large backlog of emulation requests.
3) Enabling SMT can definitely help, but only if there is sufficient free RAM available, see the next item...
4) By default the emulation VM processes may not consume more than 70% of the system’s RAM. If there is not enough RAM available, startup of new emulation sessions will be delayed. A runaway memory leak in an unrelated process on the emulation system can potentially delay or bring emulation to a complete halt; keep up to date with the latest GA Jumbo HFAs on the TE appliance.
5) Do NOT check the “Disable static analysis” checkbox in the Threat Emulation settings of the matching TP profile. Doing so will cause every single file encountered to be sent for emulation (even if it has been emulated previously), and should only be enabled in a lab environment or under the guidance of Check Point TAC.
6) Make sure the Protected Scope in the matching Threat Prevention (TP) rule invoking the TP profile for TE is defined as specifically as possible, and is not overly generous, to avoid unnecessary amounts of emulation. Note that it is possible to further clarify the Protected Scope in the TP profile itself under the Threat Emulation settings.
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com
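
The two default gates in items 2 and 4 above (90% CPU, 70% RAM) can be checked from `/proc/stat` and `ps` samples. This is an added example, not from the post or from Check Point. The core `cpu2`, the process name `emu_vm` and all sample numbers are constructed placeholders, so confirm on the appliance which cores are allocated to emulation and what the VM processes are called.

```bash
#!/bin/bash
# Default gates described in items 2 and 4 of the post.
CPU_LIMIT=90   # percent busy on the cores allocated to emulation
RAM_LIMIT=70   # percent of system RAM used by emulation VM processes

# cpu_busy_pct "<cpuN line at t0>" "<cpuN line at t1>"
# Busy percentage of one core between two /proc/stat samples.
cpu_busy_pct() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    { total = 0
      for (i = 2; i <= 9; i++) total += $i   # user..steal
      idle = $5 + $6                         # idle + iowait
      if (NR == 1) { t0 = total; i0 = idle } else { t1 = total; i1 = idle } }
    END { dt = t1 - t0
          if (dt <= 0) { print 0; exit }
          printf "%d\n", 100 * (dt - (i1 - i0)) / dt }'
}

# emu_ram_pct <MemTotal in kB> <process-name regex>
# Reads "RSS_kB COMMAND" lines (ps -eo rss=,comm=) on stdin.
emu_ram_pct() {
  awk -v total="$1" -v pat="$2" '
    $2 ~ pat { rss += $1 }
    END { if (total <= 0) { print 0; exit }
          printf "%d\n", 100 * rss / total }'
}

# emulation_admission <cpu busy %> <emulation RAM %>
emulation_admission() {
  if [ "$1" -gt "$CPU_LIMIT" ]; then echo "STALLED: CPU above ${CPU_LIMIT}%"
  elif [ "$2" -ge "$RAM_LIMIT" ]; then echo "STALLED: RAM at ${RAM_LIMIT}% cap"
  else echo "OK"; fi
}

# Constructed samples; "emu_vm" is a placeholder process name.
T0="cpu2 1000 0 500 8000 100 0 0 0"
T1="cpu2 1900 0 550 8040 110 0 0 0"
PS_SAMPLE="6000000 emu_vm
5000000 emu_vm
900000 fwd"

cpu=$(cpu_busy_pct "$T0" "$T1")
ram=$(printf '%s\n' "$PS_SAMPLE" | emu_ram_pct 32000000 '^emu_vm$')
echo "cpu=${cpu}% emu_ram=${ram}% -> $(emulation_admission "$cpu" "$ram")"
```

On a live system the inputs would be two reads of the relevant `cpuN` line from `/proc/stat` a few seconds apart, `MemTotal` from `/proc/meminfo`, and the output of `ps -eo rss=,comm=`.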