CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: very slow inter-VLAN communication via checkpoint

  1. #61
    Join Date: 2017-04-21
    Posts: 15
    Rep Power: 0

    Re: very slow inter-VLAN communication via checkpoint

    Hi,

    Seeing the same behavior: file transfers that traverse the firewall are under 20MB/s on a 10G fiber link. I have also looked at the APCL/URLF inspection policy and all destination objects are Internet. Anything else I can look at?

    Thanks

  2. #62
    Join Date: 2017-04-21
    Posts: 15
    Rep Power: 0

    Re: very slow inter-VLAN communication via checkpoint

    Can anyone help?

    Thanks

  3. #63
    Join Date: 2009-04-30
    Location: Colorado, USA
    Posts: 2,022
    Rep Power: 12

    Re: very slow inter-VLAN communication via checkpoint

    Quote: Originally posted by juniorra22
    > Can anyone help?
    >
    > Thanks

    What is the slow protocol being used to transfer files? FTP? CIFS? SCP? Are all these transfer protocols equally slow between your networks?

    Please post output of the following commands from the active firewall:

    enabled_blades
    netstat -ni
    fwaccel stats -s
    fwaccel stat
    fw ctl affinity -l -r
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  4. #64
    Join Date: 2017-04-21
    Posts: 15
    Rep Power: 0

    Re: very slow inter-VLAN communication via checkpoint

    Hi, all transfer protocols are slow.

    enabled_blades
    fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot


    netstat -ni
    Kernel Interface table
    Iface      MTU Met     RX-OK RX-ERR RX-DRP RX-OVR     TX-OK TX-ERR TX-DRP TX-OVR Flg
    bond0     1500   0  98536334      0      0      0  60093599      0      0      0 BMmRU
    bond0.20  1500   0  85702327      0      0      0  51717823      0      0      0 BMmRU
    eth3      1500   0  65119422      0      0      0  20030910      0      0      0 BMsRU
    eth4      1500   0  24718597      0      0      0  20030895      0      0      0 BMsRU
    eth5      1500   0   8698335      0      0      0  20031832      0      0      0 BMsRU
    eth6      1500   0  65239794      0      0      0 102124220      0      0      0 BMRU
    eth7      1500   0  17147022      0     16      0  19565550      0      0      0 BMRU
    eth9      1500   0   2212202      0      0      0   5549160      0      0      0 BMRU
    lo       16436   0    335599      0      0      0    335599      0      0      0 LRU

    fwaccel stats -s
    No statistics given


    fwaccel stat
    Accelerator Status : no license for SecureXL

    Accelerator Features : Accounting, NAT, Cryptography, HasClock,
    Templates, Synchronous, IdleDetection,
    Sequencing, TcpStateDetect, AutoExpire,
    DelayedNotif, TcpStateDetectV2, WireMode,
    DropTemplates, NatTemplates, Streaming,
    AntiSpoofing, Nac, ViolationStats, AsychronicNotif,
    ERDOS, NAT64, GTPAcceleration, SCTPAcceleration
    Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
    3DES, DES, CAST, CAST-40, AES-128, AES-256,
    ESP, LinkSelection, DynamicVPN, NatTraversal,
    EncRouting, AES-XCBC, SHA256

    fw ctl affinity -l -r
    CPU 0: eth0 eth1 eth9 eth10 eth2 eth3
    fw_1 fw_3 fw_5 fw_7
    CPU 1: fw_0 fw_2 fw_4 fw_6
    CPU 2:
    CPU 3:
    CPU 4:
    CPU 5:
    CPU 6:
    CPU 7:
    CPU 8:
    CPU 9:
    CPU 10:
    CPU 11:
    All: mpdaemon wsdnsd pdpd in.geod stormd rad vpnd in.acapd usrchkd in.msd fwd pepd cprid cpd
    The current license permits the use of CPUs 0, 1 only.

  5. #65
    Join Date: 2009-04-30
    Location: Colorado, USA
    Posts: 2,022
    Rep Power: 12

    Re: very slow inter-VLAN communication via checkpoint

    Oh boy, where do I begin...

    1) Your firewall's performance is heavily restricted by the license you are using. Please provide the output of "cplic print" but be sure to excise the certificate keys (they start with CK-) before posting it.

    2) You have no license for SecureXL so there is zero acceleration occurring. Not sure how the heck your firewall license does not include SecureXL, the output of cplic print requested above should shed some light.

    3) You have 12 cores (please provide output of /sbin/cpuinfo so we can see if hyperthreading is enabled which is a no-no and means you are only using one physical core out of 6), but can only use two of them due to license restrictions. Unfortunately CoreXL was initially configured when you were running under the Trial License, so 8 firewall workers were allocated which are all thrashing against each other for cores 0 and 1. We will need to look at your licensing first, but an eventual recommendation will almost certainly be to reduce the number of firewall workers from 8 to 2 via cpconfig.

    4) What version of code are you using? Please provide output of "fw ver" and "installed_jumbo_take" commands.

    So to summarize, please provide output of the following commands:

    cplic print
    /sbin/cpuinfo
    fw ver
    installed_jumbo_take
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
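
The diagnosis in post #65, as an added example that is not part of the original thread or any Check Point tooling: a Python parser for saved `fw ctl affinity -l -r` and `fwaccel stat` output that reports firewall-worker oversubscription against the licensed cores and the SecureXL status. The sample input is constructed from the output format posted above, and treating any accelerator status other than `on` as unaccelerated is an assumption.

```python
import re

# Constructed sample input, abridged from the output format posted in this thread.
AFFINITY = """\
CPU 0: eth0 eth1 eth9 eth10 eth2 eth3
fw_1 fw_3 fw_5 fw_7
CPU 1: fw_0 fw_2 fw_4 fw_6
CPU 2:
CPU 3:
All: mpdaemon fwd cpd
The current license permits the use of CPUs 0, 1 only.
"""
FWACCEL = "Accelerator Status : no license for SecureXL\n"


def parse_affinity(text):
    """Return ({cpu: [entries]}, [licensed cpu ids] or None)."""
    cpus, current, licensed = {}, None, None
    for line in text.splitlines():
        cpu = re.match(r"\s*CPU (\d+):(.*)", line)
        lic = re.search(r"permits the use of CPUs ([\d, ]+) only", line)
        if cpu:
            current = int(cpu.group(1))
            cpus[current] = cpu.group(2).split()
        elif lic:
            licensed = [int(n) for n in re.findall(r"\d+", lic.group(1))]
        elif line.lstrip().startswith("All:"):
            current = None  # daemons line, not tied to one core
        elif current is not None and line.strip():
            cpus[current] += line.split()  # wrapped continuation of the CPU line
    return cpus, licensed


def findings(affinity_text, fwaccel_text):
    """List the bottlenecks visible in the two command outputs."""
    cpus, licensed = parse_affinity(affinity_text)
    workers = {c: [e for e in ents if e.startswith("fw_")] for c, ents in cpus.items()}
    total = sum(len(w) for w in workers.values())
    out = []
    if licensed is not None and total > len(licensed):
        out.append(f"{total} firewall workers contend for {len(licensed)} licensed cores")
    for c, w in sorted(workers.items()):
        if len(w) > 1:
            out.append(f"CPU {c} runs {len(w)} workers: {' '.join(w)}")
    status = re.search(r"Accelerator Status\s*:\s*(.+)", fwaccel_text)
    if status and status.group(1).strip() != "on":
        out.append(f"SecureXL is not accelerating: {status.group(1).strip()}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(AFFINITY, FWACCEL)))
```
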

  6. #66
    Join Date: 2017-04-21
    Posts: 15
    Rep Power: 0

    Re: very slow inter-VLAN communication via checkpoint

    Issue resolved by moving to a new switch port. Old port was bad. Switch will be replaced.

  7. #67
    Join Date: 2009-04-30
    Location: Colorado, USA
    Posts: 2,022
    Rep Power: 12

    Re: very slow inter-VLAN communication via checkpoint

    Quote: Originally posted by juniorra22
    > Issue resolved by moving to a new switch port. Old port was bad. Switch will be replaced.

    Well I assume you saw errors racking up on the switchport itself because there were basically none on the firewall's interfaces.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  8. #68
    Join Date: 2011-08-02
    Location: http://spikefishsolutions.com
    Posts: 1,325
    Rep Power: 8

    Re: very slow inter-VLAN communication via checkpoint

    Quote: Originally posted by ShadowPeak.com
    > Well I assume you saw errors racking up on the switchport itself because there were basically none on the firewall's interfaces.

    Yeah, I don't see how a switch is going to help fix those license issues.

  9. #69
    Join Date: 2009-04-30
    Location: Colorado, USA
    Posts: 2,022
    Rep Power: 12

    Re: very slow inter-VLAN communication via checkpoint

    Quote: Originally posted by jflemingeds
    > Yeah, I don't see how a switch is going to help fix those license issues.

    Yep, after resolving the switch issue another bottleneck will present itself and rather soon I would guess...
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
