CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: High cpu, what is the cause?

  1. #1

    High cpu, what is the cause?

    Hello, I have 2x4600 in cluster active/passive mode. The previous administrator has retired and I'm now facing some problems. I have several blades enabled:

    fw vpn cvpn urlf av appi ips SSL_INSPECT anti_bot

    but I can't understand which one is causing me problems. The real problem is high CPU spikes that slow down all traffic passing from one VLAN to another and to the internet.
    I also see that one single computer making a huge file transfer (e.g. a Mac doing a Time Machine backup from one VLAN to another) raises the CPU up to 80%... then I saw a single computer downloading Windows Updates making a lot of HTTP connections and the CPU goes up to 50-60%.
    I also see this:

    [Expert@cp1-1:0]# fwaccel stats -s
    Accelerated conns/Total conns : 67/3211 (2%)
    Accelerated pkts/Total pkts : 61321/9557737 (0%)
    F2Fed pkts/Total pkts : 626817/9557737 (6%)
    PXL pkts/Total pkts : 8869599/9557737 (92%)
    QXL pkts/Total pkts : 0/9557737 (0%)

    and I can't understand if it could be related. I think there is some kind of traffic burst that passes through a lot of blades and the CPU goes high, but I don't know what the traffic is or how to discover that. I searched in SmartView Tracker and SmartLog but found nothing; I could only see what I said before about file transfers.
    I read a lot of resources online. There are a lot of things to check but nothing that clearly shows the problem. What can I do?

  2. #2

    Re: High cpu, what is the cause?

    Originally posted by maurice: (post #1, quoted in full)

    What version of firewall code are you running and what Jumbo HFA?

    The fastest way to find "elephant flows" that are pounding the CPU is to run cpview on the active firewall and select Network...Top Connections or CPU...Top Connections. These screens will show you in real time the top connections eating network bandwidth and CPU, respectively. Note that you can invoke cpview in historical mode with -t and go back up to 30 days to look at the state of the firewall during a known problem period.

    Looks like most of your traffic is Medium Path/PXL so you are getting a typical level of acceleration from SecureXL given the blades you have enabled.

    The most likely culprit for high CPU is LAN-to-LAN or LAN-to-DMZ traffic getting inappropriately inspected by APCL/URLF or perhaps even Threat Prevention (IPS/AV/ABOT in your case). Make sure your firewall topology is completely and correctly defined on the firewall object, and DO NOT use "Any" in the Destination column of any APCL/URLF or Threat Prevention rule.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
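
The `fwaccel stats -s` reading discussed in the reply above, as an added example that is not part of either post: a small shell function that parses the packet counters and recomputes each path's share to one decimal, since the tool prints whole-number percentages. The function name, output format and `SAMPLE` variable are assumptions made for this illustration; the sample text is the output quoted in post #1.

```shell
#!/bin/sh
# Added example: summarise `fwaccel stats -s` packet counters per path.
# fwaccel_path_summary and its output format are hypothetical, not a
# Check Point tool. On a gateway:  fwaccel stats -s | fwaccel_path_summary

# Sample input: the output quoted in post #1 of this thread.
SAMPLE='Accelerated conns/Total conns : 67/3211 (2%)
Accelerated pkts/Total pkts : 61321/9557737 (0%)
F2Fed pkts/Total pkts : 626817/9557737 (6%)
PXL pkts/Total pkts : 8869599/9557737 (92%)
QXL pkts/Total pkts : 0/9557737 (0%)'

# Reads `fwaccel stats -s` text on stdin.
# Prints one line per packet counter: <path> <pkts> <total> <percent>
# followed by "dominant <path>" for the path carrying the most packets.
fwaccel_path_summary() {
    awk '
    /pkts\/Total pkts/ {               # skip the conns line and the prompt
        name = $1                      # Accelerated, F2Fed, PXL, QXL
        n = split($0, halves, ":")     # counters follow the last colon
        split(halves[n], frac, "/")    # " 61321" and "9557737 (0%)"
        pkts  = frac[1] + 0            # awk keeps the leading number only
        total = frac[2] + 0
        if (total == 0) next           # counters just reset: nothing to report
        printf "%s %.0f %.0f %.1f\n", name, pkts, total, 100 * pkts / total
        if (pkts > best) { best = pkts; top = name }
    }
    END { if (top != "") print "dominant " top }
    '
}

# Stand-alone run on the sample from the thread.
printf '%s\n' "$SAMPLE" | fwaccel_path_summary
```

On the sample this reports PXL (the Medium Path named in the reply) as the dominant path, with the fully accelerated share below one percent rather than the rounded 0%.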
