Table of Contents:
-
Introduction
-
Firewall Priority Queues in R80.x / R81.x
-
Configuration on Security Gateway
-
Manual Configuration
-
Monitoring
-
Limitations
-
Related solutions
-
Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism
-
Evaluation of Heavy Connections
-
Detect and Handle Heavy Connections
(I) Introduction
Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type (for example, local SSH or connection to Security Management Server server).
To help mitigate the above issue, Firewall Priority Queues feature was introduced in R77.30 Security Gateway.
(II) Firewall Priority Queues in R77.30 / R80.x / R81.x
Note: starting from R80.40, the Firewall Priority Queues are enabled by default.
The Priority Queues (PrioQ) mechanism is intended to prioritize part of the traffic, when we need to drop packets because the Security Gateway is stressed (CPU is fully utilized).
Security Gateway R80.x / R81.x handle both aforementioned cases in the following ways:
- Prioritizing control connections over data connections.
- Each connection of the same priority will get an equal share of CPU resources.
Security Gateway R80.x / R81.x "protects" the CPU cores, on which the Firewall is running.
It is important to notice the differences between Firewall Priority Queues (PrioQ) and the QoS Software Blade.
Both prioritize traffic. Note the following differences:
| |
Firewall Priority Queues (PrioQ) |
QoS Software Blade |
| What is mitigated? |
CPU load |
Network downstream load |
When it is active
on Security Gateway? |
Only in extreme
conditions (CPU is overloaded) |
Always (from the moment the blade
is enabled and policy installed) |
| Is the configuration predefined or does it depend on policy? |
Predefined |
Policy driven |
-
Explanation about Control Connections
Security Gateways assigns a higher priority to control connections than to other connections. By default, these services are considered by Security Gateway as control connections:
- Check Point CPMI
- Policy installation/fetch (CPD daemon)
- Check Point Remote Installation (CPRID daemon)
- SSH
- DHCP
- OSPF
- BGP
- VRRP
Not all control services get the same priority. Security Gateways prioritize some control services over the other control services.
-
Explanation about Priority Queues
By default, there are 8 priority queues (up to 16 by manual configuration).
Queue
Priority
(0=highest) |
Queue
Name |
Type of connections |
Can
connections
migrate? |
Limited
Queue
Length
(default=512) |
| 0 |
Routing |
DHCP, VRRP, OSPF, BGP, IGMP, PIM, ... |
No |
Yes |
| 1 |
Control |
GUI / SSH / ports 18xxx / Mgmt services (see sk52421) |
Yes |
Yes |
| 2 |
Cluster sync |
Local / Full sync |
No |
Yes |
| 3 |
High priority |
User defined |
Yes |
Yes |
| 4 |
Light Data Queue |
Light connections |
Yes |
Yes |
| 5 |
Default Data Queue |
Medium weight connection, or New connection |
Yes |
Yes |
| 6 |
Log notification |
Log and Drop notifications |
No |
Yes |
| 7 |
Heavy Data Queue |
Heavy connections |
Yes |
Yes |
The priority queues are active when the Security Gateway consumes 100% of CPU. When a packet of a new connection arrives, the connection is classified in order to know to which queue it is supposed to go. For example, packets of a new data connection will go to the default data queue.
The Firewall priority Queues are enabled in the active priority mode: Initially, each connection is assigned to a queue by the connection type: Routing, Control, Data, etc. Nevertheless, for some connection types, the connection might migrate to a different queue. We know what is the load of each connection all the time, so the connections can migrate between the queues, and by doing so get lower/higher priority with respect to other connections.
For example, a data connection begins its life in the Default Data Queue (Queue #5) and if this connection becomes heavier, it will migrate to a lower priority queue (Heavy Data Queue - Queue #7). Same is true vice versa. If a connection becomes lighter, it will migrate to a higher priority queue (e.g., Light Data Queue - Queue #4).
To decide whether a connection should migrate or not, the Firewall keeps the load of the average connection all the time. For each connection (by its type), the Firewall knows to how many queues the connection was assigned and what is the CPU load caused by this connection. Based on that information, the Firewall matches weight to a queue, so that the average connection will belong to the median queue (out of all possible queues for the connection type) and each queue has an equal share of weights.
Since R80.20, in VSX mode, the Firewall Priority Queues are enabled in the static priority mode. This means that after a connection is classified to a specific queue, it cannot migrate to a different queue (classification is according to the connection type, not the load of the connection). Since Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177), in VSX/USFW mode, dynamic Priority Queues are supported but are off by default.
(III) Configuration on Security Gateway
For instructions on how to install and disable the Firewall Priority Queues, refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism.
(IV) Manual Configuration
To perform manual configuration, use $FWDIR/conf/prioq.conf
prioq.conf is a customized classification file.
Entry format: {Type, Interface, IP, src_port_num, dst_port_num, protocol}
| Field |
Options |
Explanation |
| Type |
CONTROL / ROUTE |
To which queue the rule refers. |
| interface |
any / external / internal / <interface_name> |
On which interface the rule will be. |
| IP |
any / local_src / local_dst |
Which kind of connections. |
| Source Port Number |
0 (any) / port_number |
Source Port Number. |
| Destination Port Number |
0 (any) / port_number |
Destination Port Number. |
| Protocol Number |
protocol_num |
Protocol Number. |
Example of default prioq file:
You can also add BFD:
#BFD (singlehop)
{ROUTE,any,any,0,3784,17}
#BFD (multihop)
{ROUTE,any,any,0,4784,17}
(V) Monitoring
Administrator can monitor the Firewall Priority Queues in the following ways.
Note: Firewall Priority Queues on Security Gateway must already be enabled. Refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism.
Note: In VSX mode, Priority Queue statistics are not available in CPView.
-
Use the sk101878 - CPView Utility.
-
Go to Advanced -> PrioQ -> Overview
Provides general PrioQ information (cross instances)
Example:
| Security Gateway R77.30 |
Security Gateway R80.10 |
 |
 |
-
Go to Advanced -> PrioQ -> Instances
Provides general information about the priority queues and information per instance including the priority queues of the specific instance.
Note: When CPU cores are not fully utilized, all values on this screen will be 0 (zero).
Example:
| Security Gateway R77.30 |
Security Gateway R80.10 |
 |
 |
-
Use SmartLog (supported only for Dynamic PrioQ).
A log is issued for every Heavy Connection (that consumes more than 10% of the CPU resources) that such connection was detected and its priority is decreased.
Example:
(VI) Limitations
Refer to the Configuration Limitations section.
(VIII) Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism
Configuration on Security Gateway R80.10 and higher
Important Notes:
-
In R80.10, Firewall Priority Queues are disabled by default.
-
In R80.20, Firewall Priority Queues are disabled by default, and the Evaluation of Heavy Connections mechanism is enabled by default (Evaluator-only mode)
-
Starting in R80.10, configuration of Firewall Priority Queues and CoreXL Dynamic Dispatcher were separated and are no longer related to each other.
-
Before enabling these features, refer to "Limitations" section.
-
In R80.10 and higher, these three modes are the only officially supported modes (other modes are not supported, and therefore are not mentioned):
| Mode Number |
Mode Name |
Explanation |
| 0 |
Off |
Default.
Firewall Priority Queues and Evaluation of Heavy Connections are completely disabled. |
| 1 |
Evaluator-only
(Connections
Statistics) |
Firewall Priority Queues feature is disabled, but monitoring of Heavy Connections
(that consume the most CPU resources) is enabled in CPView Utility. |
| 2 |
On |
Firewall Priority Queues feature is fully enabled. |
Instructions:
-
To check the current mode on Security Gateway:
[Expert@HostName]# fw ctl multik prioq
Example output:
[Expert@R80_10_SA:0]# fw ctl multik prioq
Current mode is Off
Available modes:
0. Off
1. Evaluator-only
2. On
Choose the desired mode number: (or 3 to Quit)
-
To fully enable the Firewall Priority Queues on Security Gateway:
Note: In cluster environment, this procedure must be performed on all members of the cluster.
-
Run in Expert mode:
[Expert@HostName]# fw ctl multik prioq
Example output:
[Expert@R80_10_SA:0]# fw ctl multik prioq
Current mode is Off
Available modes:
0. Off
1. Evaluator-only
2. On
Choose the desired mode number: (or 3 to Quit)
2
New mode is: On
Please reboot the system
[Expert@R80_10_SA:0]#
-
Choose the mode number 2 "On".
-
Reboot (in cluster, this might cause fail-over).
-
To enable the monitoring of Heavy Connections (that consume more than 10% of the CPU resources) in CPView Utility on Security Gateway:
Note: Beginning in Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177) and on all GA versions starting R81, this mode is supported when the Security Gateway is configured in VSX/USFW mode. In a cluster environment, this procedure does not have to be performed on all members of the cluster because it enables monitoring only
-
Run in Expert mode:
[Expert@HostName]# fw ctl multik prioq
-
Choose the mode number 1 "Evaluator-only".
-
Reboot (in cluster, this might cause fail-over).
-
To completely disable the Firewall Priority Queues on Security Gateway:
Note: In cluster environment, this procedure must be performed on all members of the cluster.
-
Run in Expert mode:
[Expert@HostName]# fw ctl multik prioq
-
Choose the mode number 0 "Off".
-
Reboot (in cluster, this might cause fail-over).
Configuration Limitations
-
The Firewall Priority Queues cannot be enabled in the following scenarios:
- In R80.20/R80.30/R80.40 VSX/USFW mode::
- "Evaluator-only" mode is not supported. (VSX and USFW mode are, however, supported since Jumbo Hotfix Accumulator for R80.40 Take 78 (PRJ-13177))
- The Evaluator of Heavy Connections mechanism is not supported.
- Firewall Priority Queues is supported in static priority mode only (see "Explanation about Priority Queues" section).
- SAM acceleration card is installed on the appliance
- Carrier Grade NAT (CGN) is configured
- Security Gateway is configured in Monitor Mode (per sk101670)
- 6in4 tunnel (SIT interface) is configured
- Some lines in the $FWDIR/boot/modules/fwkern.conf file are commented out (refer to sk106309).
-
When SecureXL and a CoreXL FW instance are running on the same CPU core, Priority Queues and Top Connections may not function as expected.
Such a configuration is the default on the 2200 appliance and on the 4600 appliance.
To resolve this, disable the synchronous dequeue feature in CoreXL by permanently setting the value of kernel parameter fwmultik_sync_processing_enabled to 0 (zero).
Note: The fwmultik_sync_processing_enabled parameter is not supported with User Space Firewall (USFW).
(IX) Evaluation of Heavy Connections
Introduction
This feature allows the administrator to monitor the Heavy Connections (that consume the most CPU resources) without interrupting the normal operation of the Firewall.
After enabling this feature (refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism), the relevant information is available in CPView Utility.
For detecting Elephant connection, refer to the Detect and Handle Heavy Connections.
Note: This feature is not supported in VSX/USFW mode for R77.30/R80.10/R80.20/R80.30/R80.40. However, VSX and USFW mode are supported since Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177), and on all GA versions starting R81.
Configuration on Security Gateway
For installation and disablement of the Evaluation of Heavy Connections mechanism, refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism.
Monitoring
Administrator can monitor the Evaluation of Heavy Connections in the following ways:
Monitoring Heavy Connections
-
Set the mode of the Firewall Priority Queues on Security Gateway to enabled:
Version of
Security Gateway |
Command |
| R80.x |
[Expert@HostName]# fw ctl multik prioq
Select mode 1 "Evaluator-only". |
| R77.30 |
[Expert@HostName]# fw ctl multik set_mode 9 |
-
Reboot (in cluster, this might cause fail-over).
-
Run the sk101878 - CPView Utility:
[Expert@HostName]# cpview
-
Go to CPU -> Top-Connections.
This screen displays top 10-30 (configurable) connections that consume the most CPU resources.
Example:
| Security Gateway R77.30 |
Security Gateway R80.10 |
 |
 |
Use SmartLog
Note: This log is supported only for Dynamic PrioQ.
A log is issued for every Heavy Connection (that consumes more than 10% of the CPU resources) that was detected and its priority is decreased.
Example:
Limitations
Refer to Configuration Limitations section.
(X) Detect and Handle Heavy Connections
To see how to detect and handle heavy connections, refer to: sk164215 - How to Detect and Handle Heavy Connections.
