CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: CPU usage & policy optimisation

  1. #1
    Join Date
    2013-07-15
    Posts
    5
    Rep Power
    0

    CPU usage & policy optimisation

    Hello

    I recently registered but have been a long time follower of the cpug stuff, it's been pretty helpful during past years. So thanks everyone for helping me climbing the ladder of professional success without taking too much risk/damage :)

    Now, I have a question that still has to find its answers (I've been checking but didn't find a lot of great results). I'm currently working on 2 IP 697, IPSO 6.2, R75.46.
    2 appliances running in parallel, with the same amount of traffic load balanced on them. Pure firewalling, no hazardous blades enabled on those :)

    The throughput and session numbers are well below the max numbers, even during peak time, but the CPU usage is climbing to 50 or 60% quite frequently.
    I've started auditing the policy package with Tufin, and as first results, I've managed to identify that on a 1400 policies rule set, 4 rules represent almost half of the traffic. Thing is, those rules are located at the end of the package. Like between rules 1100-1300.

    I am planning on moving those way up in the rule-set, but I've been asked to check if it's possible to estimate the gain of cpu usage that will follow. I've tried to find a way to sort this data out, but it seems it depends on too many factors to get a proper result.

    Has anyone faced this kind of request? Is there a way to estimate the cpu usage that a huge/non optimized rule package can generate?

    Thanks again for everything, and sorry if my English sounds a bit lazy.

  2. #2
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    16

    Re: CPU usage & policy optimisation

    Originally posted by Go3th:
    "Has anyone faced this kind of request? Is there a way to estimate the cpu usage that a huge/non optimized rule package can generate?"
    We've heard for a long time that moving heavy hitting rules to the top of the rulebase helps, as recently as this year w/ R75.46 by people who deal with it day in and day out, so there must be some truth behind it. When we did it, however, I can't say that we saw a dramatic improvement.

    I think your case may be slightly different. If you're not using SecureXL then all of your traffic is taking the "slow path", so I definitely think you'd see a decrease in CPU usage if you moved the rules up higher simply based on the number of rules. If you need to quantify it, you'd have to factor your current packets per second / bits per second / concurrent connections while taking into account whether or not it's VPN-based traffic, as there is additional overhead associated with that.
    It's all in the documentation.

  3. #3
    Join Date
    2013-07-15
    Posts
    5
    Rep Power
    0

    Re: CPU usage & policy optimisation

    Thanks for your answer. Secure XL has been activated. I'm gonna give it a try and see how much can be gained by moving those rules way up.

    Regards

  4. #4
    Join Date
    2010-04-09
    Posts
    41
    Rep Power
    0

    Re: CPU usage & policy optimisation

    "Secure XL has been activated."
    - It also might be useful to run the following command, "fwaccel stat", as this will show how far down the rulebase SecureXL is active; you'll get a line saying "Accept Templates, disabled from rule #xxx". You could then amend the rule base accordingly to maximise the acceleration.

    Hope this helps.
