Example of default prioq file: You can also add BFD:
[Screenshots: Security Gateway R77.30 | Security Gateway R80.10]
Go to Advanced -> PrioQ -> Instances
Provides general information about the priority queues and information per instance including the priority queues of the specific instance.
Note: When CPU cores are not fully utilized, all values on this screen will be 0 (zero).
Example:
[Screenshots: Security Gateway R77.30 | Security Gateway R80.10]
Use SmartLog (supported only for Dynamic PrioQ).
A log is issued for every Heavy Connection (a connection that consumes more than 10% of the CPU resources), stating that the connection was detected and that its priority is decreased.
Example:

Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism
Configuration on Security Gateway R80.10 and higher
Important Notes:
- In R80.10, Firewall Priority Queues are disabled by default.
- In R80.20, Firewall Priority Queues are disabled by default, and the Evaluation of Heavy Connections mechanism is enabled by default (Evaluator-only mode).
- Starting in R80.10, configuration of Firewall Priority Queues and CoreXL Dynamic Dispatcher were separated and are no longer related to each other.
- Before enabling these features, refer to the "Limitations" section.
- In R80.10 and higher, these three modes are the only officially supported modes (other modes are not supported, and therefore are not mentioned):

| Mode Number | Mode Name | Explanation |
|---|---|---|
| 0 | Off | Default. Firewall Priority Queues and Evaluation of Heavy Connections are completely disabled. |
| 1 | Evaluator-only (Connections Statistics) | Firewall Priority Queues feature is disabled, but monitoring of Heavy Connections (that consume the most CPU resources) is enabled in CPView Utility. |
| 2 | On | Firewall Priority Queues feature is fully enabled. |

Instructions:
- To check the current mode on Security Gateway:
  [Expert@HostName]# fw ctl multik prioq
  Example output:
  [Expert@R80_10_SA:0]# fw ctl multik prioq
  Current mode is Off
  Available modes:
  0. Off
  1. Evaluator-only
  2. On
  Choose the desired mode number: (or 3 to Quit)
- To fully enable the Firewall Priority Queues on Security Gateway:
  Note: In a cluster environment, this procedure must be performed on all members of the cluster.
  - Run in Expert mode:
    [Expert@HostName]# fw ctl multik prioq
    Example output:
    [Expert@R80_10_SA:0]# fw ctl multik prioq
    Current mode is Off
    Available modes:
    0. Off
    1. Evaluator-only
    2. On
    Choose the desired mode number: (or 3 to Quit) 2
    New mode is: On
    Please reboot the system
    [Expert@R80_10_SA:0]#
  - Choose the mode number 2 "On".
  - Reboot (in cluster, this might cause fail-over).
- To enable the monitoring of Heavy Connections (that consume more than 10% of the CPU resources) in CPView Utility on Security Gateway:
  Note: Beginning in Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177) and on all GA versions starting R81, this mode is supported when the Security Gateway is configured in VSX/USFW mode. In a cluster environment, this procedure does not have to be performed on all members of the cluster because it enables monitoring only.
  - Run in Expert mode:
    [Expert@HostName]# fw ctl multik prioq
  - Choose the mode number 1 "Evaluator-only".
  - Reboot (in cluster, this might cause fail-over).
- To completely disable the Firewall Priority Queues on Security Gateway:
  Note: In a cluster environment, this procedure must be performed on all members of the cluster.
  - Run in Expert mode:
    [Expert@HostName]# fw ctl multik prioq
  - Choose the mode number 0 "Off".
  - Reboot (in cluster, this might cause fail-over).
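One way to confirm that every cluster member reports the same mode, as an added example that is not part of the original article or Check Point's tooling: it parses saved copies of the `fw ctl multik prioq` output shown above. The function names, the `member=capturefile` argument form, and the assumption that the captured output contains the "Current mode is ..." text exactly as in the example output are mine.

```shell
#!/bin/bash
# Added example (hypothetical helpers): compare the PrioQ mode reported by
# each cluster member, using saved `fw ctl multik prioq` output per member.

# Reads captured output on stdin and prints the mode number
# (0 Off, 1 Evaluator-only, 2 On); returns 1 if no mode is found.
prioq_mode_from_output() {
    local name
    name=$(sed -n 's/.*Current mode is \([A-Za-z-]*\).*/\1/p' | head -n 1)
    case $name in
        Off)            echo 0 ;;
        Evaluator-only) echo 1 ;;
        On)             echo 2 ;;
        *)              return 1 ;;
    esac
}

# cluster_prioq_check EXPECTED member=capturefile [member=capturefile ...]
# Prints one line per member; returns 1 if any member is not in mode
# EXPECTED or its capture cannot be parsed.
cluster_prioq_check() {
    local expected=$1 rc=0 pair member file mode
    shift
    for pair in "$@"; do
        member=${pair%%=*}
        file=${pair#*=}
        if mode=$(prioq_mode_from_output < "$file"); then
            if [ "$mode" = "$expected" ]; then
                echo "$member: mode $mode (ok)"
            else
                echo "$member: mode $mode, expected $expected (MISMATCH)"
                rc=1
            fi
        else
            echo "$member: could not read mode from $file"
            rc=1
        fi
    done
    return $rc
}

# Demo with constructed captures: member2 was never switched to "On".
demo_dir=$(mktemp -d)
printf 'Current mode is On\n'  > "$demo_dir/member1.txt"
printf 'Current mode is Off\n' > "$demo_dir/member2.txt"
cluster_prioq_check 2 member1="$demo_dir/member1.txt" \
    member2="$demo_dir/member2.txt" || echo "cluster members disagree"
rm -rf "$demo_dir"
```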
Configuration Limitations
- The Firewall Priority Queues cannot be enabled in the following scenarios:
  - In R80.20/R80.30/R80.40 VSX/USFW mode:
    - "Evaluator-only" mode is not supported. (VSX and USFW mode are, however, supported since Jumbo Hotfix Accumulator for R80.40 Take 78 (PRJ-13177))
    - The Evaluator of Heavy Connections mechanism is not supported.
    - Firewall Priority Queues is supported in static priority mode only (see "Explanation about Priority Queues" section).
  - SAM acceleration card is installed on the appliance
  - Carrier Grade NAT (CGN) is configured
  - Security Gateway is configured in Monitor Mode (per sk101670)
  - 6in4 tunnel (SIT interface) is configured
  - Some lines in the $FWDIR/boot/modules/fwkern.conf file are commented out (refer to sk106309).
- When SecureXL and a CoreXL FW instance are running on the same CPU core, Priority Queues and Top Connections may not function as expected.
  Such a configuration is the default on the 2200 appliance and on the 4600 appliance.
  To resolve this, disable the synchronous dequeue feature in CoreXL by permanently setting the value of kernel parameter fwmultik_sync_processing_enabled to 0 (zero).
  Note: The fwmultik_sync_processing_enabled parameter is not supported with User Space Firewall (USFW).
  - To check the current value of this kernel parameter:
    [Expert@HostName]# fw ctl get int fwmultik_sync_processing_enabled
  - To set the desired value for this kernel parameter permanently (per sk26202):
    - Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):
      [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
    - Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:
      [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
    - Add the following line (spaces are not allowed):
      fwmultik_sync_processing_enabled=0
    - Save the changes and exit from Vi editor.
    - Check the contents of the $FWDIR/boot/modules/fwkern.conf file:
      [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
    - Reboot the Security Gateway.
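The permanent-setting steps above as a repeatable script, added here as an example that is not part of the original article or Check Point's tooling. `set_fwkern_param` writes the `name=value` line without spaces and replaces any existing active assignment, and `fwkern_lint` lists commented-out lines (one of the limitations listed above) and lines containing whitespace. Both function names are hypothetical, and the file path is an argument so the functions can be tried on a copy of fwkern.conf first.

```shell
#!/bin/bash
# Added example (hypothetical helpers, not Check Point tooling).

# set_fwkern_param FILE NAME VALUE
# Creates FILE if missing, removes any active NAME assignment (including ones
# written with stray spaces) and appends NAME=VALUE with no spaces.
# Commented-out and unrelated lines are left untouched.
set_fwkern_param() {
    local file=$1 name=$2 value=$3 tmp
    case $name in ''|*[!A-Za-z0-9_]*)
        echo "bad parameter name" >&2; return 2 ;;
    esac
    case $value in ''|*[!A-Za-z0-9_.-]*)
        echo "bad value (spaces are not allowed)" >&2; return 2 ;;
    esac
    [ -e "$file" ] || touch "$file" || return 1
    tmp=$(mktemp) || return 1
    grep -Ev "^[[:space:]]*${name}[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# fwkern_lint FILE
# Lists (with line numbers) lines that are commented out or contain
# whitespace; returns 1 if any such line exists, 2 if FILE is unreadable.
fwkern_lint() {
    [ -r "$1" ] || return 2
    ! grep -nE '^#|[[:space:]]' "$1"
}

# Demo on a constructed scratch file, not the live fwkern.conf.
demo=$(mktemp)
printf '#some_param=1\nfwmultik_sync_processing_enabled = 1\n' > "$demo"
fwkern_lint "$demo" || echo "lint: review the lines listed above"
set_fwkern_param "$demo" fwmultik_sync_processing_enabled 0 && cat "$demo"
rm -f "$demo"
```

The change still takes effect only after the reboot in the last step.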
Evaluation of Heavy Connections
Introduction
This feature allows the administrator to monitor the Heavy Connections (that consume the most CPU resources) without interrupting the normal operation of the Firewall.
After enabling this feature (refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism), the relevant information is available in CPView Utility.
To detect Elephant connections, refer to the "Detect and Handle Heavy Connections" section.
Note: This feature is not supported in VSX/USFW mode for R77.30/R80.10/R80.20/R80.30/R80.40. However, VSX and USFW mode are supported since Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177), and on all GA versions starting R81.
Configuration on Security Gateway
For installation and disablement of the Evaluation of Heavy Connections mechanism, refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism.
Monitoring
The administrator can monitor the Evaluation of Heavy Connections in the following ways:
Monitoring Heavy Connections
- Set the mode of the Firewall Priority Queues on Security Gateway to enabled:

  | Version of Security Gateway | Command |
  |---|---|
  | R80.x | [Expert@HostName]# fw ctl multik prioq (then select mode 1 "Evaluator-only") |
  | R77.30 | [Expert@HostName]# fw ctl multik set_mode 9 |

- Reboot (in cluster, this might cause fail-over).
- Run the sk101878 - CPView Utility:
  [Expert@HostName]# cpview
- Go to CPU -> Top-Connections.
  This screen displays the top 10-30 (configurable) connections that consume the most CPU resources.
  Example:
  [Screenshots: Security Gateway R77.30 | Security Gateway R80.10]
Use SmartLog
Note: This log is supported only for Dynamic PrioQ.
A log is issued for every Heavy Connection (a connection that consumes more than 10% of the CPU resources) that was detected and whose priority is decreased.
Example:
Detect and Handle Heavy Connections
To see how to detect and handle heavy connections, refer to: sk164215 - How to Detect and Handle Heavy Connections.