Support Center > Search Results > SecureKnowledge Details
Firewall Priority Queues in R77.30 / R80.10 and above
Solution

Table of Contents:

  1. Introduction
  2. Firewall Priority Queues and Evaluation of Heavy Connections
    1. Firewall Priority Queues
    2. Evaluation of Heavy Connections
  3. Configuration on Security Gateway R77.30
  4. Configuration on Security Gateway R80.10 and above
  5. Manual Configuration
  6. Monitoring
    1. Priority Queues
    2. Evaluation of Heavy Connections
  7. Limitations
  8. Related solutions

 

(I) Introduction

Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type (for example, local SSH or connection to Security Management Server server).

To help mitigate the above issue, Firewall Priority Queues feature was introduced in R77.30 Security Gateway.

 

(II) Firewall Priority Queues and Evaluation of Heavy Connections

Note: The Firewall Priority Queues and Evaluation of Heavy Connections are disabled by default.

  • (II-A) Firewall Priority Queues

    Priority Queues (PrioQ) mechanism is intended to prioritize part of the traffic when we need to drop packets because the Security Gateway is stressed (CPU is fully utilized).

    In Security Gateway R77.20 and lower versions, when the CPU became fully utilized, part of the traffic was dropped regardless of the traffic type. As a result, control connections (described below) were dropped, which had serious negative impact (e.g., no SSH connectivity). In addition, several "heavy" connections could cause high CPU load on Security Gateway and cause issues for all other connections.

    Security Gateway R77.30 / R80.10 and above handles both aforementioned cases in the following ways:

    • Prioritizing control connections over data connections.
    • Each connection of the same priority will get equal share of CPU resources.

    Security Gateway R77.30 / R80.10 and above is "protecting" the CPU cores, on which Firewall is running.

    It is important to notice the differences between Firewall Priority Queues (PrioQ) and QoS Software Blade.
    Both are prioritizing traffic. However, with the following differences:

      Firewall Priority Queues (PrioQ)
    in R77.30 / R80.10 and above    		 QoS Software Blade
    What is mitigated? CPU load Network downstream load
    When it is active
    on Security Gateway?    		 Only in extreme
    conditions (CPU is overload)    		 Always (from the moment the blade
    is enabled and policy installed)
    Is the configuration
    predefined or
    depends on policy?    		 Predefined Policy driven

     

    • Explanation about Control Connections

      Firewall R77.30 / R80.10 and above assigns higher priority to control connections than to other connections.

      By default, the following services are considered by Firewall R77.30 / R80.10 and above as control connections:

      • Check Point CPMI
      • Policy installation/fetch (CPD daemon)
      • Check Point Remote Installation (CPRID daemon)
      • SSH
      • DHCP
      • OSPF
      • BGP
      • VRRP

      Not all control services get the same priority. Firewall R77.30 / R80.10 and above prioritizes some control services over the other control services.

    • Explanation about Priority Queues

      By default, there are 8 priority queues (up to 16 by manual configuration).

      Queue
      Priority
      (0=highest)      		 Queue
      Name      		 Type of connections Can
      connections
      migrate?      		 Limited
      Queue
      Length
      (default=512)
      0 Routing DHCP, VRRP, OSPF, BGP, IGMP, PIM, ... No Yes
      1 Control GUI / SSH / ports 18xxx / Mgmt services (see sk52421) Yes Yes
      2 Cluster sync Local / Full sync No Yes
      3 High priority User defined Yes Yes
      4 Light Data Queue Light connections Yes Yes
      5 Default Data Queue Medium weight connection, or New connection Yes Yes
      6 Log notif Log and Drop notifications No Yes
      7 Heavy Data Queue Heavy connections Yes Yes

      The priority queues are active when the Firewall consumes 100% of CPU. When a packet of a new connection arrives, the connection is classified in order to know to which queue it is supposed to go. For example, packets of a new data connection will go to the default data queue.

      Initially, each connection is assigned to a queue by the connection type: Routing, Control, Data, etc. Nevertheless, for some connection types, the connection might migrate to a different queue. We know what is the load of each connection all the time, so the connections can migrate between the queues, and by doing so get lower/higher priority with respect to other connections.

      For example, a data connection begins its life in the Default Data Queue (Queue #5) and if this connection become heavier, it will migrate to a lower priority queue (Heavy Data Queue - Queue #7). Same goes in vice versa, if a connection become lighter, it will migrate to a higher priority queue (e.g., Light Data Queue - Queue #4).

      To decide whether a connection should migrate or not, Firewall keeps all the time the load of average connection. For each connection (by its type), Firewall knows to how many possible queues the connection was assigned and what is the CPU load caused by this connection. Based on that information, Firewall matches any weight to a queue, so that the average connection will belong to the median queue (out of all possible queues for the connection type) and each queue has an equal share of weights.


  • (II-B) Evaluation of Heavy Connections

    This feature allows the administrator to monitor the Heavy Connections (that consume the most CPU resources) without interrupting the normal operation of Firewall.

    After enabling this feature (refer to "Configuration" section), the relevant information is available in CPView Utility (refer to "Monitoring - Evaluation of Heavy Connections" section).

 

(III) Configuration on Security Gateway R77.30

Firewall Priority Queues are disabled by default.

Important Notes:

  • Before enabling these features, refer to "Limitations" section.

  • In R77.30, these two modes are the only officially supported modes (other modes are not supported, and therefore are not mentioned):

    Mode Number Mode Name Explanation
    0 Off Default.
    Firewall Priority Queues and Evaluation of Heavy Connections are completely disabled.
    9 On Firewall Priority Queues feature and connection statistics feature (in cpview) is fully enabled.
    Note: This mode also fully enables the CoreXL Dynamic Dispatcher (refer to sk105261).

Instructions:

  • To check the current mode on Security Gateway:

    [Expert@HostName]# fw ctl multik get_mode

  • To fully enable the Firewall Priority Queues on Security Gateway:

    Note: In cluster environment, this procedure must be performed on all members of the cluster.

    1. Run in Expert mode:

      [Expert@HostName]# fw ctl multik set_mode 9

    2. Reboot (in cluster, this might cause fail-over).

  • To completely disable the Firewall Priority Queues on Security Gateway:

    Note: In cluster environment, this procedure must be performed on all members of the cluster.

    1. Run in Expert mode:

      [Expert@HostName]# fw ctl multik set_mode 0

    2. Reboot (in cluster, this might cause fail-over).

 

(IV) Configuration on Security Gateway R80.10 and above

Firewall Priority Queues are disabled by default.

Important Notes:

  • Starting in R80.10, configuration of Firewall Priority Queues and CoreXL Dynamic Dispatcher were separated and are no longer related to each other.

  • Before enabling these features, refer to "Limitations" section.

  • In R80.10 and above, these three modes are the only officially supported modes (other modes are not supported, and therefore are not mentioned):

    Mode Number Mode Name Explanation
    0 Off Default.
    Firewall Priority Queues and Evaluation of Heavy Connections are completely disabled.
    1 Eviluator-only
    (Connections
    Statistics)    		 Firewall Priority Queues feature is disabled, but monitoring of Heavy Connections
    (that consume the most CPU resources) is enabled in CPView Utility.
    2 On Firewall Priority Queues feature is fully enabled.

Instructions:

  • To check the current mode on Security Gateway:

    [Expert@HostName]# fw ctl multik prioq

    Example output: 
    [Expert@R80_10_SA:0]# fw ctl multik prioq
Current mode is Off

Available modes:
0.      Off
1.      Eviluator-only
2.      On

Choose the desired mode number: (or 3 to Quit)

  • To fully enable the Firewall Priority Queues on Security Gateway:

    Note: In cluster environment, this procedure must be performed on all members of the cluster.

    1. Run in Expert mode:

      [Expert@HostName]# fw ctl multik prioq

      Example output: 
      [Expert@R80_10_SA:0]# fw ctl multik prioq
Current mode is Off

Available modes:
0.      Off
1.      Eviluator-only
2.      On

Choose the desired mode number: (or 3 to Quit)
2
New mode is: On
Please reboot the system
[Expert@R80_10_SA:0]#

    2. Choose the mode number 2 "On".

    3. Reboot (in cluster, this might cause fail-over).

  • To enable the monitoring of Heavy Connections (that consume more than 10% of the CPU resources) in CPView Utility on Security Gateway:

    Notes: This mode is not supported when Security Gateway is configured in VSX mode. In cluster environment, this procedure does not have to be performed on all members of the cluster because it enables monitoring only.

    1. Run in Expert mode:

      [Expert@HostName]# fw ctl multik prioq

    2. Choose the mode number 1 "Eviluator-only".

    3. Reboot (in cluster, this might cause fail-over).

  • To completely disable the Firewall Priority Queues on Security Gateway:

    Note: In cluster environment, this procedure must be performed on all members of the cluster.

    1. Run in Expert mode:

      [Expert@HostName]# fw ctl multik prioq

    2. Choose the mode number 0 "Off".

    3. Reboot (in cluster, this might cause fail-over).

 

(V) Manual Configuration

To perform manual configuration, use $FWDIR/conf/prioq.conf

 prioq.conf is a customized classification file.

Entry format: {Type, Interface, IP, src_port_num, dst_port_num, protocol}

Field
 Options Explanation
Type CONTROL / ROUTE  To which queue the rule refers.
interface
 any / external / internal / <interface_name>  On which interface the rule will be.
IP  any / local_src / local_dst  Which kind of connections.
 Source Port Number 0 (any) / port_number  Source Port Number.
 Destination Port Number 0 (any) / port_number  Destination Port Number. 
Protocol Number  protocol_num  Protocol Number.

Example of default prioq file:


You can also add BFD:
#BFD (singlehop)
{ROUTE,any,any,0,3784,17}
#BFD (multihop)
{ROUTE,any,any,0,4784,17}

(VI) Monitoring

Administrator can monitor the Firewall Priority Queues and Evaluation of Heavy Connections in the following ways.

  • Example of default prioq file:

    (VI-A) Monitoring - Firewall Priority Queues

    Administrator can monitor the Firewall Priority Queues in the following ways:

    Note: Firewall Priority Queues on Security Gateway must already be enabled with fw ctl multik set_mode 9 command and Security Gateway must already be rebooted.

    1. Use the sk101878 - CPView Utility.

      • Go to Advanced -> PrioQ -> Overview

        Provides general PrioQ information (cross instances)

        Example:

        Security Gateway R77.30 Security Gateway R80.10

      • Go to Advanced -> PrioQ -> Instances

        Provides general information about the priority queues and information per instance including the priority queues of the specific instance.

        Note: When CPU cores are not fully utilized, all values on this screen will be 0 (zero).

        Example:

        Security Gateway R77.30 Security Gateway R80.10

      • Go to CPU -> Top-Connections

        Displays top 10-30 (configurable) connections that consume the most CPU resources (Heavy Connections).

        Example:

        Security Gateway R77.30 Security Gateway R80.10

    2. Use SmartLog (supported only for Dynamic PrioQ).

      A log is issued for every Heavy Connection (that consumes more than 10% of the CPU resources) that such connection was detected and its priority is decreased.

      Example:

  • (VI-B) Monitoring - Evaluation of Heavy Connections

    Note: This mode is not supported on Security Gateway R80.10 in VSX mode.

    Administrator can monitor the Evaluation of Heavy Connections in the following way:

    1. Set the mode of the Firewall Priority Queues on Security Gateway to enabled:

      Version of
      Security Gateway      		 Command
      R80.10

      [Expert@HostName]# fw ctl multik prioq

      Select mode 1 "Eviluator-only".
      R77.30 [Expert@HostName]# fw ctl multik set_mode 9

    2. Reboot (in cluster, this might cause fail-over).

    3. Run the sk101878 - CPView Utility:

      [Expert@HostName]# cpview

    4. Go to CPU -> Top-Connections.

      This screen displays top 10-30 (configurable) connections that consume the most CPU resources.

      Example:

      Security Gateway R77.30 Security Gateway R80.10

 

(VII) Limitations

  1. The Firewall Priority Queues can not be enabled in the following scenarios:

    • On Security Gateway R77.30 in VSX mode - Firewall Priority Queues are not supported at all (on any of the VSs, including VS0)
    • On Security Gateway R80.10 in VSX mode - only the "Evaluator-only" mode is not supported
    • SAM acceleration card is installed on the appliance
    • Carrier Grade NAT (CGN) is configured
    • Security Gateway is configured in Monitor Mode (per sk101670)
    • 6in4 tunnel (SIT interface) is configured
    • Some lines in the $FWDIR/boot/modules/fwkern.conf file are commented out (refer to sk106309).

  2. When SecureXL and a CoreXL FW instance are running on same CPU core, Priority Queues and Top Connections may not function as expected.

    Such configuration is the default on 2200 appliance and on 4600 appliance.

    To resolve this, disable the synchronous dequeue feature in CoreXL by permanently setting the value of kernel parameter fwmultik_sync_processing_enabled to 0 (zero).

    • To check the current value of this kernel parameter:

      [Expert@HostName]# fw ctl get int fwmultik_sync_processing_enabled

    • To set the desired value for this kernel parameter permanently (per sk26202):

      1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exit):

        [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf

      2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

        [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf

      3. Add the following line (spaces are not allowed):

        fwmultik_sync_processing_enabled=0

      4. Save the changes and exit from Vi editor.

      5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

        [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf

      6. Reboot the Security Gateway.

 

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment