Here's what CHKP support need in order to diagnose heavy cpu%. The collection of these details and cpview can help in diagnostics of high cpu utilizations
https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_PerformanceTuning_AdminGuide/Topics-PTG/CPU-Spike-Detective.htm
and if you are running pre R80.40 you might have to enable it manually;
Deploy files:
| File | GW placement | Comment |
| spike_detective | $FWDIR/bin | Execution permissions: chmod +x $FWDIR/bin/spike_detective |
| spike_detective_conf.xml | $FWDIR/conf | |
Activate:
[Expert@Firewall]# cpwd_admin start -name "SPIKE_DETECTIVE" -path "$FWDIR/bin/spike_detective" -command "spike_detective"
Check status by running 'cpwd_admin list' and validating status is 1
[Expert@Firewall-dynamite-side-T55-main-take-10:0]# cpwd_admin list | grep SPIKE_DETECTIVE
SPIKE_DETECTIVE 7780 E 1 [09:52:08] 25/11/2020 N spike_detective
Deactivate (if needed):
[Expert@Firewall]# cpwd_admin stop -name "SPIKE_DETECTIVE"
[Expert@Firewall]# cpwd_admin del -name "SPIKE_DETECTIVE"
If we wish the tool's run will 'survive' reboot we can instead run the following commands
[Expert@Firewall]# cpd_sched_config add 'spike_detective' -c "cpwd_admin start -name SPIKE_DETECTIVE -path $FWDIR/bin/spike_detective -command spike_detective" -s -r -e 604800
[Expert@Firewall]# cpd_sched_config activate 'spike_detective'
[Expert@Firewall]# cpwd_admin stop -name "SPIKE_DETECTIVE"
[Expert@Firewall]# cpwd_admin del -name "SPIKE_DETECTIVE"
[Expert@Firewall]# cpd_sched_config deactivate 'spike_detective'
[Expert@Firewall]# cpd_sched_config delete 'spike_detective'
How is a spike detected?
A CPU core will be consider as 'spiked' if it holds all of the following conditions:
- Utilization over 80% (configurable)
- Utilization is at least 1.5 times higher than the system average (configurable)
- This ensures that a broadly highly utilized system (for example: during performance testing) will not detect all cores as spiked
A thread/process will be consider as 'spiked' if it holds all of the following conditions:
- Running on a spiked CPU
- Utilization over 70% (configurable)
- Utilization is at least 1.5 times higher than the system average (configurable)
What happens when a spike is detected?
Upon detecting a spike the daemon:
Reports the spike to
- /var/log/spike_detective/spike_detective.log
- cpview, cpview_services
We want to make sure the Variable for the below parameters is set to True
| profiler_config | "top_conns_enable" | Enable collecting top connections data during fw worker spike | BOOLEAN | true (Enabled) |
| profiler_config | "heavy_conns_enable" | Enable collecting heavy connections data during fw worker spike | BOOLEAN | true (Enabled) |
| cleaner_config | "cleaner_enabled" | Enable/Disable periodic cleanup of old spikes directories | BOOLEAN | true (Enabled) |
Its located in the below conf file
Configurable Variables
The CPU Spike Monitor is configured via the file '$FWDIR/conf/spike_detective_conf.xml'
Configuration example:
<?xml version="1.0" encoding="UTF-8"?>
<config_file>
<profiler_config>
<stat name="perf_enable" type="BOOLEAN" value="false"/>
</profiler_config>
</config_file>
It should be True but we want to make sure so it captures what we are needing
How to change the configuration values?
- Stop the tool
[Expert@Firewall]# cpwd_admin stop -name "SPIKE_DETECTIVE"
- Change required values in $FWDIR/conf/spike_detective_conf.xml
- Restart the tool
[Expert@Firewall]# cpwd_admin start -name "SPIKE_DETECTIVE" -path "$FWDIR/bin/spike_detective" -command "spike_detective"
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
