Performance Hogs (asg_perf_hogs)
You can run tests to check for software components that decrease (hog) performance.
Syntax
Description
You can run:
-
The "
asg_perf_hogs
" command in the Expert mode -
The "
show smo verifiers report name Performance_hogs
" command in Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group.
|
Notes:
|
Syntax
|
Example
Configuration
Configure the "asg_perf_hogs
" behavior in the $SMODIR/conf/performance_hogs.conf
file.
[tests]
[correction_table_entries]
[long_running_procs]
[routing_cache_entries]
[swap_saturation]
[neighbour_table_overflow]
[soft_lockups]
[standby_chassis_load]
[peak_connections]
[disabled_templates]
|
The [tests] Section
In the [tests] section of the $SMODIR/conf/performance_hogs.conf
file you enable and disable tests to run.
Note - Not all the tests can be configured.
To enable or disable a test:
In the "[tests]
" section, set the applicable value for the applicable test:
-
To enable the test:
<Test Name>=1
-
To disable the test:
<Test Name>=0
To configure a test:
Step |
Instructions |
---|---|
1 |
Find the configuration section for the test in the If it does not exist, add the section with this format:
|
2 |
Change or add the parameters for the test. See the tables below for allowed parameters. |
Below are the descriptions of some of the tests in the "[tests]
" section in the $SMODIR/conf/performance_hogs.conf
file.
The "long_running_procs
" test confirms that certain processes do not run longer than the configured time.
Note - This test runs in contexts of all Virtual Systems.
Parameters:
Parameter |
Description |
||
---|---|---|---|
|
Longest time in seconds a process should run Default: 60 seconds. Minimum recommended value: 30 seconds. |
||
|
List of processes to check: You must enclose each process in double quotes. You must enter a space before another test. Default:
Example:
|
----------------------------------------------------------------- | Status | Test performed | ----------------------------------------------------------------- | [PASSED] | Disabled Accept Templates | | [PASSED] | Disabled NAT Templates | | [PASSED] | FW1 debug flags | | [PASSED] | Kernel soft lockups | | [PASSED] | Local logging | | [FAILED] | Long running processes | | [PASSED] | Neighbour table overflow | | [PASSED] | Routing cache entries | | [PASSED] | SecureXL status | | [PASSED] | Swap saturation | | [PASSED] | routed trace options | ----------------------------------------------------------------- Found potential CPU hogging processes: ----------------------------------------------------------------- Blade PID ELAPSED TIME CMD [1_01] 1484 03:48 00:00:00 tcpdump -nnni eth1-01 Found the following issues: ----------------------------------------------------------------- [ All] The process 'tcpdump' is running for more than 60 seconds |
The "accel_off
" test confirms that SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. is working.
Notes:
-
This test has no configuration options.
-
The test runs in the context of the current Virtual System only.
----------------------------------------------------------------- | Status | Test performed | ----------------------------------------------------------------- | [PASSED] | Disabled Accept Templates | | [PASSED] | Disabled NAT Templates | | [PASSED] | FW1 debug flags | | [PASSED] | Kernel soft lockups | | [PASSED] | Local logging | | [PASSED] | Long running processes | | [PASSED] | Neighbour table overflow | | [PASSED] | Routing cache entries | | [FAILED] | SecureXL status | | [PASSED] | Swap saturation | | [PASSED] | routed trace options | ----------------------------------------------------------------- Found the following issues: ----------------------------------------------------------------- [ All] SecureXL acceleration is disabled!
|
The "fw1_debug_flags
" test confirms that Firewall debug flags that are not enabled by default, stay in the disabled position.
Notes:
-
This test has no configuration options.
-
This test runs in contexts of all Virtual Systems.
----------------------------------------------------------------- | Status | Test performed | ----------------------------------------------------------------- | [PASSED] | Disabled Accept Templates | | [PASSED] | Disabled NAT Templates | | [FAILED] | FW1 debug flags | | [PASSED] | Kernel soft lockups | | [PASSED] | Local logging | | [PASSED] | Long running processes | | [PASSED] | Neighbour table overflow | | [PASSED] | Routing cache entries | | [PASSED] | SecureXL status | | [PASSED] | Swap saturation | | [PASSED] | routed trace options | ----------------------------------------------------------------- Found the following issues: ----------------------------------------------------------------- [ All] FW1 debug flags are set:; Module: fw; ; Flags: error warning packet |
The "local_logging
" test confirms that logs are written to a Log Server Dedicated Check Point server that runs Check Point software to store and process logs. and not locally.
Notes:
-
This test has no configuration options.
-
This test runs in the context of the current Virtual System only.
----------------------------------------------------------------- | Status | Test performed | ----------------------------------------------------------------- | [PASSED] | Disabled Accept Templates | | [PASSED] | Disabled NAT Templates | | [PASSED] | FW1 debug flags | | [PASSED] | Kernel soft lockups | | [FAILED] | Local logging | | [PASSED] | Long running processes | | [PASSED] | Neighbour table overflow | | [PASSED] | Routing cache entries | | [PASSED] | SecureXL status | | [PASSED] | Swap saturation | | [PASSED] | routed trace options | ----------------------------------------------------------------- Found the following issues: ----------------------------------------------------------------- [ All] Local logging is active: No connection with log server! |
The "routing_cache_entries
" test confirms that the IPv4 route cache capacity is not above a certain threshold.
Threshold is the percent capacity of the IPv4 route cache that should not be exceeded:
-
Default: 90%.
-
Recommended range: 75 - 95%.
Note - This test runs in the context of the current Virtual System only.
----------------------------------------------------------------- | Status | Test performed | ----------------------------------------------------------------- | [PASSED] | Disabled Accept Templates | | [PASSED] | Disabled NAT Templates | | [PASSED] | FW1 debug flags | | [PASSED] | Kernel soft lockups | | [PASSED] | Local logging | | [PASSED] | Long running processes | | [PASSED] | Neighbour table overflow | | [FAILED] | Routing cache entries | | [PASSED] | SecureXL status | | [PASSED] | Swap saturation | | [PASSED] | routed trace options | ----------------------------------------------------------------- Found the following issues: ----------------------------------------------------------------- [ All] Routing cache is 93% full (983731 out of 1048576 entries). |
The "swap_saturation
" test confirms that swap file usage is not above the threshold.
Threshold is the percent use of the swap file allowed.
Recommended range: 75 - 99.
Note - This test runs regardless of the Virtual System context.
----------------------------------------------------------------- | Status | Test performed | ----------------------------------------------------------------- | [PASSED] | Disabled Accept Templates | | [PASSED] | Disabled NAT Templates | | [PASSED] | FW1 debug flags | | [PASSED] | Kernel soft lockups | | [PASSED] | Local logging | | [PASSED] | Long running processes | | [PASSED] | Neighbour table overflow | | [PASSED] | Routing cache entries | | [PASSED] | SecureXL status | | [FAILED] | Swap saturation | | [PASSED] | routed trace options | ----------------------------------------------------------------- Found the following issues: ----------------------------------------------------------------- [ All] Swap saturation is 90%. Total swap space: 1044216 bytes, used: 950000 bytes. |
The "neighbour_table_overflow
" test confirms that the ARP cache did not overflow.
Timeout is the number of seconds the specifies for how long to look in the /var/log/messages
file for ARP cache overloaded messages.
Recommended range: 300 - 86400.
Notes:
-
To learn how to adjust the ARP cache, see sk43772.
-
This test runs regardless of the Virtual System context.
----------------------------------------------------------------- | Status | Test performed | ----------------------------------------------------------------- | [PASSED] | Disabled Accept Templates | | [PASSED] | Disabled NAT Templates | | [PASSED] | FW1 debug flags | | [PASSED] | Kernel soft lockups | | [PASSED] | Local logging | | [PASSED] | Long running processes | | [FAILED] | Neighbour table overflow | | [PASSED] | Routing cache entries | | [PASSED] | SecureXL status | | [PASSED] | Swap saturation | | [PASSED] | routed trace options | ----------------------------------------------------------------- Found the following issues: ----------------------------------------------------------------- [ All] Neighbour table overflow occurred during the last 3600 seconds. Please see solution SK43772 for information how to configure arp cache size. |
The "soft_lockups
" test confirms there are no kernel soft lockups during the timeout period.
Timeout is the number of seconds to look back in the /var/log/messages
file for kernel soft lockup messages:
-
Default: 3600 seconds.
-
Recommended range: 300 - 86400 seconds.
Note - This test runs regardless of the Virtual System context.
----------------------------------------------------------------- | Status | Test performed | ----------------------------------------------------------------- | [PASSED] | Disabled Accept Templates | | [PASSED] | Disabled NAT Templates | | [PASSED] | FW1 debug flags | | [FAILED] | Kernel soft lockups | | [PASSED] | Local logging | | [PASSED] | Long running processes | | [PASSED] | Neighbour table overflow | | [PASSED] | Routing cache entries | | [PASSED] | SecureXL status | | [PASSED] | Swap saturation | | [PASSED] | routed trace options | ----------------------------------------------------------------- Found the following issues: ----------------------------------------------------------------- [1_01] Soft lockup occurred during the last 3600 seconds. |