CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Checkpoint 5400 100% CPU usage

  1. #21
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,231
    Rep Power
    13

    Default Re: Checkpoint 5400 100% CPU usage

    Quote Originally Posted by cciesec2006 View Post
    Let's say that step #1 and step #2 are done like you suggested and still has high CPU, what is the next step?
    Probably to buy a bigger firewall. :-( There may be some other optimization techniques in the book that will help a little, but those two steps would be the big ones.
    Last edited by ShadowPeak.com; 2018-04-03 at 11:49.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  2. #22
    Join Date
    2006-09-26
    Posts
    3,172
    Rep Power
    16

    Default Re: Checkpoint 5400 100% CPU usage

    Quote Originally Posted by ShadowPeak.com View Post
    Probably to buy a bigger firewall. :-( There may be some other optimization techniques in the book that will help a little, but those two steps would be the big ones.
    Or perhaps the traffic could not get accelerated by Checkpoint firewalls. There are quite a few that Checkpoint knows about.

  3. #23
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    272
    Rep Power
    12

    Default Re: Checkpoint 5400 100% CPU usage

    If tweaking IPS doesn't help, there's always actually looking at the traffic to figure out what is going on. If it looks like iSCSI, but you know you don't use iSCSI in your environment, that's weird and should be investigated as an issue of correctness. It's possible it's some junk which should just be dropped, not forwarded and inspected.

    The challenge there is identifying the connections which are the "heavy hitters" causing the most impact. cpview should be able to help, particularly with dynamic dispatch enabled. CPU.Top-Protocols and CPU.Top-Connections should both have interesting information. Advanced.CPU-Profiler.Components and Advanced.CPU-Profiler.PM-Stats can tell you what is going on, but they require relatively deep knowledge to interpret.
    Zimmie
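
The same heavy-hitter triage applied offline to exported flow records, as an added example that is not part of the original post and does not parse cpview output. The CSV layout, the addresses and the expected-services list are constructed assumptions; 3260/tcp is the registered iSCSI port.

```python
import csv
import io
from collections import defaultdict

ISCSI_PORT = 3260  # IANA-registered iSCSI target port

# Constructed sample flow export (hypothetical CSV layout, not cpview's format).
SAMPLE_FLOWS = """\
src,dst,proto,dport,bytes
10.1.10.20,10.1.50.5,tcp,3260,6000000000
10.1.10.20,10.1.50.5,tcp,3260,2000000000
10.1.20.31,203.0.113.10,tcp,443,1500000000
10.1.20.44,10.1.30.7,tcp,1433,400000000
10.1.20.31,10.1.30.2,udp,53,100000000
"""

# Assumption: the services this site expects to cross the firewall.
EXPECTED_SERVICES = {("tcp", 443), ("tcp", 1433), ("udp", 53)}


def heavy_hitters(flow_csv, expected, top_n=3):
    """Rank (src, dst, proto, dport) tuples by total bytes and mark the
    ones whose service is not on the expected list."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["src"], row["dst"], row["proto"], int(row["dport"]))
        totals[key] += int(row["bytes"])  # merge repeated records of one flow
    grand_total = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [
        {
            "flow": key,
            "bytes": nbytes,
            "share": round(nbytes / grand_total, 3),  # fraction of all bytes seen
            "expected": (key[2], key[3]) in expected,
        }
        for key, nbytes in ranked[:top_n]
    ]


def unexpected_hitters(flow_csv, expected, top_n=3):
    """Only the top flows that should not be traversing the firewall at all."""
    return [h for h in heavy_hitters(flow_csv, expected, top_n) if not h["expected"]]


if __name__ == "__main__":
    for hit in heavy_hitters(SAMPLE_FLOWS, EXPECTED_SERVICES):
        flag = "" if hit["expected"] else "  <-- not an expected service"
        print(hit["flow"], hit["bytes"], f"{hit['share']:.1%}{flag}")
```
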

  4. #24
    Join Date
    2018-02-26
    Posts
    12
    Rep Power
    0

    Default Re: Checkpoint 5400 100% CPU usage

    Quote Originally Posted by Bob_Zimmerman View Post
    If tweaking IPS doesn't help, there's always actually looking at the traffic to figure out what is going on. If it looks like iSCSI, but you know you don't use iSCSI in your environment, that's weird and should be investigated as an issue of correctness. It's possible it's some junk which should just be dropped, not forwarded and inspected.

    The challenge there is identifying the connections which are the "heavy hitters" causing the most impact. cpview should be able to help, particularly with dynamic dispatch enabled. CPU.Top-Protocols and CPU.Top-Connections should both have interesting information. Advanced.CPU-Profiler.Components and Advanced.CPU-Profiler.PM-Stats can tell you what is going on, but they require relatively deep knowledge to interpret.
    The iSCSI traffic definitely shouldn't be there, it's from an SQL box to a backup device, the latter of which should have an interface in the same subnet so the traffic doesn't need to cross the firewall to reach its destination.

    The fact that it was there helped me/us diagnose config issues on the firewall and improve its setup, the iSCSI traffic no longer has to cross networks to get to its destination :)

  5. #25
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    272
    Rep Power
    12

    Default Re: Checkpoint 5400 100% CPU usage

    Quote Originally Posted by RichardPriest View Post
    The iSCSI traffic definitely shouldn't be there, it's from an SQL box to a backup device, the latter of which should have an interface in the same subnet so the traffic doesn't need to cross the firewall to reach its destination.

    The fact that it was there helped me/us diagnose config issues on the firewall and improve its setup, the iSCSI traffic no longer has to cross networks to get to its destination :)
    I prefer to leave systems as close to their default configurations as possible, particularly in any areas you rarely touch. Yes, your firewalls are now able to pass more traffic with better distribution of load. If one fails and you have to replace it, you now have more things to remember to do to the new node before failover can be trusted.

    To be clear, I'm not saying either situation is better or worse, just different. As long as you have proper deployment documentation, it shouldn't be a problem.
    Zimmie
