Hi,
Seeing the same behavior: transferring files that traverse the firewall is under 20MB/s on a 10G fiber link. I have also looked at the APCL/URLF Inspection policy and all destination objects are internet. Anything else I can look at?
Thanks
CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
What is the slow protocol being used to transfer files? FTP? CIFS? SCP? Are all these transfer protocols equally slow between your networks?
Please post output of the following commands from the active firewall:
enabled_blades
netstat -ni
fwaccel stats -s
fwaccel stat
fw ctl affinity -l -r
Hi, all transfer protocols are slow.
enabled_blades
fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot
netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
bond0 1500 0 98536334 0 0 0 60093599 0 0 0 BMmRU
bond0.20 1500 0 85702327 0 0 0 51717823 0 0 0 BMmRU
eth3 1500 0 65119422 0 0 0 20030910 0 0 0 BMsRU
eth4 1500 0 24718597 0 0 0 20030895 0 0 0 BMsRU
eth5 1500 0 8698335 0 0 0 20031832 0 0 0 BMsRU
eth6 1500 0 65239794 0 0 0 102124220 0 0 0 BMRU
eth7 1500 0 17147022 0 16 0 19565550 0 0 0 BMRU
eth9 1500 0 2212202 0 0 0 5549160 0 0 0 BMRU
lo 16436 0 335599 0 0 0 335599 0 0 0 LRU
fwaccel stats -s
No statistics given
fwaccel stat
Accelerator Status : no license for SecureXL
Accelerator Features : Accounting, NAT, Cryptography, HasClock,
Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, WireMode,
DropTemplates, NatTemplates, Streaming,
AntiSpoofing, Nac, ViolationStats, AsychronicNotif,
ERDOS, NAT64, GTPAcceleration, SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256
fw ctl affinity -l -r
CPU 0: eth0 eth1 eth9 eth10 eth2 eth3
fw_1 fw_3 fw_5 fw_7
CPU 1: fw_0 fw_2 fw_4 fw_6
CPU 2:
CPU 3:
CPU 4:
CPU 5:
CPU 6:
CPU 7:
CPU 8:
CPU 9:
CPU 10:
CPU 11:
All: mpdaemon wsdnsd pdpd in.geod stormd rad vpnd in.acapd usrchkd in.msd fwd pepd cprid cpd
The current license permits the use of CPUs 0, 1 only.
Oh boy, where do I begin...
1) Your firewall's performance is heavily restricted by the license you are using. Please provide the output of "cplic print" but be sure to excise the certificate keys (they start with CK-) before posting it.
2) You have no license for SecureXL so there is zero acceleration occurring. Not sure how the heck your firewall license does not include SecureXL; the output of cplic print requested above should shed some light.
3) You have 12 cores (please provide output of /sbin/cpuinfo so we can see if hyperthreading is enabled which is a no-no and means you are only using one physical core out of 6), but can only use two of them due to license restrictions. Unfortunately CoreXL was initially configured when you were running under the Trial License, so 8 firewall workers were allocated which are all thrashing against each other for cores 0 and 1. We will need to look at your licensing first, but an eventual recommendation will almost certainly be to reduce the number of firewall workers from 8 to 2 via cpconfig.
4) What version of code are you using? Please provide output of "fw ver" and "installed_jumbo_take" commands.
So to summarize, please provide output of the following commands:
cplic print
/sbin/cpuinfo
fw ver
installed_jumbo_take
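The two conditions called out in the reply above (more firewall workers than licensed cores, and no SecureXL license) can be checked mechanically from the posted output. The following is an added example, not part of the original thread; it parses the `fw ctl affinity -l -r` and `fwaccel stat` text quoted above, and the function names `parse_affinity` and `diagnose` are hypothetical.

```python
import re

# Output quoted from the thread above (empty CPUs 4-11 omitted for brevity).
AFFINITY = """\
CPU 0: eth0 eth1 eth9 eth10 eth2 eth3
fw_1 fw_3 fw_5 fw_7
CPU 1: fw_0 fw_2 fw_4 fw_6
CPU 2:
CPU 3:
All: mpdaemon wsdnsd pdpd in.geod stormd rad vpnd in.acapd usrchkd in.msd fwd pepd cprid cpd
The current license permits the use of CPUs 0, 1 only.
"""
FWACCEL = "Accelerator Status : no license for SecureXL\n"


def parse_affinity(text):
    """Parse 'fw ctl affinity -l -r' output into ({cpu: [names]}, licensed_cpus)."""
    cpus, licensed, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"CPU (\d+):(.*)", line)
        if m:
            current = int(m.group(1))
            cpus[current] = m.group(2).split()
        elif line.startswith("The current license permits"):
            licensed, current = [int(n) for n in re.findall(r"\d+", line)], None
        elif line.startswith("All:"):
            current = None  # daemons not pinned to a single CPU
        elif current is not None and line.strip():
            cpus[current] += line.split()  # wrapped continuation of the previous CPU row
    return cpus, licensed


def diagnose(affinity_text, fwaccel_text):
    """Summarise the two conditions the reply points out."""
    cpus, licensed = parse_affinity(affinity_text)
    workers = {c: [n for n in names if re.fullmatch(r"fw_\d+", n)]
               for c, names in cpus.items()}
    total = sum(len(w) for w in workers.values())
    status = re.search(r"Accelerator Status\s*:\s*(.+)", fwaccel_text)
    return {
        "workers": total,
        "licensed_cores": len(licensed),
        "oversubscribed": bool(licensed) and total > len(licensed),
        "workers_per_cpu": {c: len(w) for c, w in workers.items() if w},
        "securexl_unlicensed": bool(status) and "no license" in status.group(1),
    }


if __name__ == "__main__":
    print(diagnose(AFFINITY, FWACCEL))
```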