[Expert@xxxx-xxxx01:0]# /usr/bin/s7pac
+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5 (Thanks to Timothy Hall) |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK |
| This is a firewall....(continuing) |
| |
| Referred pagenumbers are to be found in the following book: |
| Max Power: Check Point Firewall Performance Optimization - Second Edition |
| |
| Available at http://www.maxpowerfirewalls.com/ |
| |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat |
| |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions) |
| Status must be enabled (R80.20 and higher) |
| Accept Templates must be enabled |
| Message "disabled" from (low rule number) = bad |
| |
| Chapter 9: SecureXL throughput acceleration |
| Page 278 |
+-----------------------------------------------------------------------------+
| Output: |
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth5,eth2,eth6,eth3,|
| | | |eth4,eth8,Sync,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,AES-128, |
| | | | |AES-256,ESP,LinkSelection, |
| | | | |DynamicVPN,NatTraversal, |
| | | | |AES-XCBC,SHA256,SHA384 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s |
| |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great |
| Accelerated pkts/Total pkts : >50% great |
| PXL pkts/Total pkts : >50% OK |
| F2Fed pkts/Total pkts : <30% good, <10% great |
| |
| Chapter 9: SecureXL throughput acceleration |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths |
+-----------------------------------------------------------------------------+
| Output: |
Accelerated conns/Total conns : 363/8499 (4%)
Accelerated pkts/Total pkts : 22696695604/24074057711 (94%)
F2Fed pkts/Total pkts : 1377362107/24074057711 (5%)
F2V pkts/Total pkts : 155153998/24074057711 (0%)
CPASXL pkts/Total pkts : 0/24074057711 (0%)
PSLXL pkts/Total pkts : 18763934482/24074057711 (77%)
CPAS pipeline pkts/Total pkts : 0/24074057711 (0%)
PSL pipeline pkts/Total pkts : 0/24074057711 (0%)
CPAS inline pkts/Total pkts : 0/24074057711 (0%)
PSL inline pkts/Total pkts : 0/24074057711 (0%)
QOS inbound pkts/Total pkts : 0/24074057711 (0%)
QOS outbound pkts/Total pkts : 0/24074057711 (0%)
Corrected pkts/Total pkts : 0/24074057711 (0%)
+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo |
| |
| Check for : If number of cores is roughly double what you are excpecting, |
| hyperthreading may be enabled |
| |
| Chapter 7: CoreXL Tuning |
| Page 239 |
+-----------------------------------------------------------------------------+
| Output: |
2
HyperThreading=disabled
+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r |
| |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s) |
| Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x |
| R77.30: Support processes executed on ALL CPU's |
| R80.xx: Support processes only executed on Firewall Worker Cores|
| |
| Chapter 7: CoreXL Tuning |
| Page 221 |
+-----------------------------------------------------------------------------+
| Output: |
CPU 0: fw_1
CPU 1: Mgmt
       fw_0
All: in.acapd vpnd scanengine_b mta_monitor pdpd fwd pepd rad mpdaemon usrchkd rtmd in.emaild.mta lpd cprid cprid cpd
Interface eth1: has multi queue enabled
Interface eth5: has multi queue enabled
Interface eth2: has multi queue enabled
Interface eth6: has multi queue enabled
Interface eth3: has multi queue enabled
Interface eth4: has multi queue enabled
Interface eth8: has multi queue enabled
Interface Sync: has multi queue enabled
+-----------------------------------------------------------------------------+
| Command #5: netstat -ni |
| |
| Check for : RX/TX errors |
| RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100 |
| TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch |
| |
| Chapter 2: Layers 1&2 Performance Optimization |
| Page 28-35 |
| |
| Chapter 7: CoreXL Tuning |
| Page 204 |
| Page 206 (Network Buffering Misses) |
+-----------------------------------------------------------------------------+
| Output: |
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt 1500 0 297680967 0 1012 0 174353920 0 0 0 BMRU
Mgmt:1 1500 0 - no statistics available - BMRU
Sync 1500 0 173344645 0 0 56 202050236 0 0 0 BMRU
bond1 1500 0 4051099103 0 0 81164 5753027719 0 0 0 BMmRU
bond1.16 1500 0 29847582 0 141149 0 27788762 0 0 0 BMRU
bond1.17 1500 0 255072556 0 3919 0 366612749 0 0 0 BMRU
bond1.18 1500 0 33787 0 0 0 69718 0 0 0 BMRU
bond1.19 1500 0 151385 0 22 0 483396 0 0 0 BMRU
bond1.20 1500 0 1227015525 0 7699 0 2119839867 0 0 0 BMRU
bond1.21 1500 0 64308568 0 4514 0 70164289 0 0 0 BMRU
bond1.26 1500 0 1663365202 0 141973 0 2169828112 0 0 0 BMRU
bond1.27 1500 0 681068041 0 10519 0 878766393 0 0 0 BMRU
bond1.32 1500 0 130007667 0 0 0 119520674 0 0 0 BMRU
eth1 1500 0 12192655691 0 369937 82332 7913357792 0 0 0 BMRU
eth2 1500 0 1784242800 0 20493 0 1768082288 0 0 0 BMRU
eth3 1500 0 448559905 0 0 725 511530251 0 0 0 BMRU
eth4 1500 0 2113576887 0 0 52405 3700014294 0 0 0 BMsRU
eth5 1500 0 1937522309 0 0 28759 2053013564 0 0 0 BMsRU
eth6 1500 0 79872426 0 208558 0 83098163 0 0 0 BMRU
eth8 1500 0 5888502162 0 0 146814 7836176360 0 0 0 BMRU
lo 65536 0 67111302 0 0 0 67111302 0 0 0 LMdRU
interface eth1: There were no RX drops in the past 0.5 seconds
interface eth1 rx_missed_errors : 0
interface eth1 rx_fifo_errors : 82332
interface eth1 rx_no_buffer_count: 0
interface eth2: There were no RX drops in the past 0.5 seconds
interface eth2 rx_missed_errors : 0
interface eth2 rx_fifo_errors : 0
interface eth2 rx_no_buffer_count: 0
interface eth3: There were no RX drops in the past 0.5 seconds
interface eth3 rx_missed_errors : 0
interface eth3 rx_fifo_errors : 725
interface eth3 rx_no_buffer_count: 0
interface eth4: There were no RX drops in the past 0.5 seconds
interface eth4 rx_missed_errors : 0
interface eth4 rx_fifo_errors : 52405
interface eth4 rx_no_buffer_count: 0
interface eth5: There were no RX drops in the past 0.5 seconds
interface eth5 rx_missed_errors : 0
interface eth5 rx_fifo_errors : 28759
interface eth5 rx_no_buffer_count: 0
interface eth6: There were no RX drops in the past 0.5 seconds
interface eth6 rx_missed_errors : 0
interface eth6 rx_fifo_errors : 0
interface eth6 rx_no_buffer_count: 0
interface eth8: There were no RX drops in the past 0.5 seconds
interface eth8 rx_missed_errors : 0
interface eth8 rx_fifo_errors : 146814
interface eth8 rx_no_buffer_count: 0
+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat |
| |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP? |
| Large imbalance of connections on a single or multiple Workers |
| |
| Chapter 7: CoreXL Tuning |
| Page 241 |
| |
| Chapter 8: CoreXL VPN Optimization |
| Page 256 |
+-----------------------------------------------------------------------------+
| Output: |
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 1 | 4684 | 25064
1 | Yes | 0 | 4406 | 24789
+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5 |
| |
| Check for : High SND/IRQ Core Utilization |
| High Firewall Worker Core Utilization |
| |
| Chapter 6: CoreXL & Multi-Queue |
| Page 173 |
+-----------------------------------------------------------------------------+
| Output: |
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 4| 28| 68| 32| ?| 32639|
| 2| 4| 26| 70| 30| ?| 32639|
---------------------------------------------------------------------------------
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 4| 28| 68| 32| ?| 32639|
| 2| 4| 26| 70| 30| ?| 32639|
---------------------------------------------------------------------------------
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 3| 27| 71| 29| ?| 63791|
| 2| 3| 22| 74| 26| ?| 63792|
---------------------------------------------------------------------------------
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 3| 27| 71| 29| ?| 63791|
| 2| 3| 22| 74| 26| ?| 63792|
---------------------------------------------------------------------------------
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 4| 39| 57| 43| ?| 66749|
| 2| 5| 25| 71| 29| ?| 66751|
---------------------------------------------------------------------------------
+-----------------------------------------------------------------------------+
| Thanks for using s7pac |
+-----------------------------------------------------------------------------+
[Expert@chkpt-gr01:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth5,eth2,eth6,eth3,|
| | | |eth4,eth8,Sync,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,AES-128, |
| | | | |AES-256,ESP,LinkSelection, |
| | | | |DynamicVPN,NatTraversal, |
| | | | |AES-XCBC,SHA256,SHA384 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
[Expert@chkpt-gr01:0]# /usr/bin/s7pac
+-----------------------------------------------------------------------------+
| Super Seven Performance Assessment Commands v0.5 (Thanks to Timothy Hall) |
+-----------------------------------------------------------------------------+
| Inspecting your environment: OK |
| This is a firewall....(continuing) |
| |
| Referred pagenumbers are to be found in the following book: |
| Max Power: Check Point Firewall Performance Optimization - Second Edition |
| |
| Available at http://www.maxpowerfirewalls.com/ |
| |
+-----------------------------------------------------------------------------+
| Command #1: fwaccel stat |
| |
| Check for : Accelerator Status must be enabled (R77.xx/R80.10 versions) |
| Status must be enabled (R80.20 and higher) |
| Accept Templates must be enabled |
| Message "disabled" from (low rule number) = bad |
| |
| Chapter 9: SecureXL throughput acceleration |
| Page 278 |
+-----------------------------------------------------------------------------+
| Output: |
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth5,eth2,eth6,eth3,|
| | | |eth4,eth8,Sync,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,AES-128, |
| | | | |AES-256,ESP,LinkSelection, |
| | | | |DynamicVPN,NatTraversal, |
| | | | |AES-XCBC,SHA256,SHA384 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
+-----------------------------------------------------------------------------+
| Command #2: fwaccel stats -s |
| |
| Check for : Accelerated conns/Totals conns: >25% good, >50% great |
| Accelerated pkts/Total pkts : >50% great |
| PXL pkts/Total pkts : >50% OK |
| F2Fed pkts/Total pkts : <30% good, <10% great |
| |
| Chapter 9: SecureXL throughput acceleration |
| Page 287, Packet/Throughput Acceleration: The Three Kernel Paths |
+-----------------------------------------------------------------------------+
| Output: |
Accelerated conns/Total conns : 363/7635 (4%)
Accelerated pkts/Total pkts : 22701109318/24078629783 (94%)
F2Fed pkts/Total pkts : 1377520465/24078629783 (5%)
F2V pkts/Total pkts : 155172677/24078629783 (0%)
CPASXL pkts/Total pkts : 0/24078629783 (0%)
PSLXL pkts/Total pkts : 18768010105/24078629783 (77%)
CPAS pipeline pkts/Total pkts : 0/24078629783 (0%)
PSL pipeline pkts/Total pkts : 0/24078629783 (0%)
CPAS inline pkts/Total pkts : 0/24078629783 (0%)
PSL inline pkts/Total pkts : 0/24078629783 (0%)
QOS inbound pkts/Total pkts : 0/24078629783 (0%)
QOS outbound pkts/Total pkts : 0/24078629783 (0%)
Corrected pkts/Total pkts : 0/24078629783 (0%)
+-----------------------------------------------------------------------------+
| Command #3: grep -c ^processor /proc/cpuinfo && /sbin/cpuinfo |
| |
| Check for : If number of cores is roughly double what you are excpecting, |
| hyperthreading may be enabled |
| |
| Chapter 7: CoreXL Tuning |
| Page 239 |
+-----------------------------------------------------------------------------+
| Output: |
2
HyperThreading=disabled
+-----------------------------------------------------------------------------+
| Command #4: fw ctl affinity -l -r |
| |
| Check for : SND/IRQ/Dispatcher Cores, # of CPU's allocated to interface(s) |
| Firewall Workers/INSPECT Cores, # of CPU's allocated to fw_x |
| R77.30: Support processes executed on ALL CPU's |
| R80.xx: Support processes only executed on Firewall Worker Cores|
| |
| Chapter 7: CoreXL Tuning |
| Page 221 |
+-----------------------------------------------------------------------------+
| Output: |
CPU 0: fw_1
CPU 1: Mgmt
       fw_0
All: in.acapd vpnd scanengine_b mta_monitor pdpd fwd pepd rad mpdaemon usrchkd rtmd in.emaild.mta lpd cprid cprid cpd
Interface eth1: has multi queue enabled
Interface eth5: has multi queue enabled
Interface eth2: has multi queue enabled
Interface eth6: has multi queue enabled
Interface eth3: has multi queue enabled
Interface eth4: has multi queue enabled
Interface eth8: has multi queue enabled
Interface Sync: has multi queue enabled
+-----------------------------------------------------------------------------+
| Command #5: netstat -ni |
| |
| Check for : RX/TX errors |
| RX-DRP % should be <0.1% calculated by (RX-DRP/RX-OK)*100 |
| TX-ERR might indicate Fast Ethernet/100Mbps Duplex Mismatch |
| |
| Chapter 2: Layers 1&2 Performance Optimization |
| Page 28-35 |
| |
| Chapter 7: CoreXL Tuning |
| Page 204 |
| Page 206 (Network Buffering Misses) |
+-----------------------------------------------------------------------------+
| Output: |
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt 1500 0 297712542 0 1012 0 174373861 0 0 0 BMRU
Mgmt:1 1500 0 - no statistics available - BMRU
Sync 1500 0 173350141 0 0 56 202066204 0 0 0 BMRU
bond1 1500 0 4051805067 0 0 81164 5754442213 0 0 0 BMmRU
bond1.16 1500 0 29848392 0 141158 0 27789441 0 0 0 BMRU
bond1.17 1500 0 255131528 0 3919 0 366695788 0 0 0 BMRU
bond1.18 1500 0 33787 0 0 0 69721 0 0 0 BMRU
bond1.19 1500 0 151392 0 22 0 483400 0 0 0 BMRU
bond1.20 1500 0 1227290389 0 7699 0 2120692113 0 0 0 BMRU
bond1.21 1500 0 64314853 0 4514 0 70172849 0 0 0 BMRU
bond1.26 1500 0 1663612105 0 141995 0 2170154526 0 0 0 BMRU
bond1.27 1500 0 681169867 0 10519 0 878894403 0 0 0 BMRU
bond1.32 1500 0 130023939 0 0 0 119536192 0 0 0 BMRU
eth1 1500 0 12194953481 0 369959 82332 7914969962 0 0 0 BMRU
eth2 1500 0 1784535699 0 20493 0 1768362966 0 0 0 BMRU
eth3 1500 0 448609418 0 0 725 511637330 0 0 0 BMRU
eth4 1500 0 2113938432 0 0 52405 3701059821 0 0 0 BMsRU
eth5 1500 0 1937866702 0 0 28759 2053382511 0 0 0 BMsRU
eth6 1500 0 79885085 0 208558 0 83109817 0 0 0 BMRU
eth8 1500 0 5889716015 0 0 146814 7837279279 0 0 0 BMRU
lo 65536 0 67120682 0 0 0 67120682 0 0 0 LMdRU
interface eth1: There were no RX drops in the past 0.5 seconds
interface eth1 rx_missed_errors : 0
interface eth1 rx_fifo_errors : 82332
interface eth1 rx_no_buffer_count: 0
interface eth2: There were no RX drops in the past 0.5 seconds
interface eth2 rx_missed_errors : 0
interface eth2 rx_fifo_errors : 0
interface eth2 rx_no_buffer_count: 0
interface eth3: There were no RX drops in the past 0.5 seconds
interface eth3 rx_missed_errors : 0
interface eth3 rx_fifo_errors : 725
interface eth3 rx_no_buffer_count: 0
interface eth4: There were no RX drops in the past 0.5 seconds
interface eth4 rx_missed_errors : 0
interface eth4 rx_fifo_errors : 52405
interface eth4 rx_no_buffer_count: 0
interface eth5: There were no RX drops in the past 0.5 seconds
interface eth5 rx_missed_errors : 0
interface eth5 rx_fifo_errors : 28759
interface eth5 rx_no_buffer_count: 0
interface eth6: There were no RX drops in the past 0.5 seconds
interface eth6 rx_missed_errors : 0
interface eth6 rx_fifo_errors : 0
interface eth6 rx_no_buffer_count: 0
interface eth8: There were no RX drops in the past 0.5 seconds
interface eth8 rx_missed_errors : 0
interface eth8 rx_fifo_errors : 146814
interface eth8 rx_no_buffer_count: 0
+-----------------------------------------------------------------------------+
| Command #6: fw ctl multik stat |
| |
| Check for : Large # of conns on Worker 0 - IPSec VPN/VoIP? |
| Large imbalance of connections on a single or multiple Workers |
| |
| Chapter 7: CoreXL Tuning |
| Page 241 |
| |
| Chapter 8: CoreXL VPN Optimization |
| Page 256 |
+-----------------------------------------------------------------------------+
| Output: |
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 1 | 4316 | 25064
1 | Yes | 0 | 4002 | 24789
+-----------------------------------------------------------------------------+
| Command #7: cpstat os -f multi_cpu -o 1 -c 5 |
| |
| Check for : High SND/IRQ Core Utilization |
| High Firewall Worker Core Utilization |
| |
| Chapter 6: CoreXL & Multi-Queue |
| Page 173 |
+-----------------------------------------------------------------------------+
| Output: |
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 17| 39| 44| 56| ?| 35027|
| 2| 15| 42| 43| 57| ?| 36374|
---------------------------------------------------------------------------------
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 17| 39| 44| 56| ?| 35027|
| 2| 15| 42| 43| 57| ?| 36374|
---------------------------------------------------------------------------------
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 7| 25| 68| 32| ?| 58565|
| 2| 9| 28| 63| 37| ?| 58569|
---------------------------------------------------------------------------------
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 7| 25| 68| 32| ?| 58565|
| 2| 9| 28| 63| 37| ?| 58569|
---------------------------------------------------------------------------------
Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 18| 41| 42| 58| ?| 59998|
| 2| 30| 37| 34| 66| ?| 29997|
---------------------------------------------------------------------------------
+-----------------------------------------------------------------------------+
| Thanks for using s7pac |
+-----------------------------------------------------------------------------+