Support Center > Search Results > SecureKnowledge Details
Firewall Priority Queues in R80.x / R81.x Technical Level
Solution

Table of Contents:

  1. Introduction
  2. Firewall Priority Queues in R80.x / R81.x
  3. Configuration on Security Gateway
  4. Manual Configuration
  5. Monitoring
  6. Limitations
  7. Related solutions
  8. Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism
  9. Evaluation of Heavy Connections
  10. Detect and Handle Heavy Connections

 

(I) Introduction

Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type (for example, local SSH or connection to Security Management Server server).

To help mitigate the above issue, Firewall Priority Queues feature was introduced in R77.30 Security Gateway.

(II) Firewall Priority Queues in R77.30 / R80.x / R81.x

Note: starting from R80.40, the Firewall Priority Queues are enabled by default. 

The Priority Queues (PrioQ) mechanism is intended to prioritize part of the traffic, when we need to drop packets because the Security Gateway is stressed (CPU is fully utilized).

Security Gateway R80.x / R81.x handle both aforementioned cases in the following ways:

  • Prioritizing control connections over data connections.
  • Each connection of the same priority will get an equal share of CPU resources.

Security Gateway R80.x / R81.x "protects" the CPU cores, on which the Firewall is running.

It is important to notice the differences between Firewall Priority Queues (PrioQ) and the QoS Software Blade.
Both prioritize traffic. Note the following differences:

  Firewall Priority Queues (PrioQ) QoS Software Blade
What is mitigated? CPU load Network downstream load
When it is active
on Security Gateway?
Only in extreme
conditions (CPU is overloaded)
Always (from the moment the blade
is enabled and policy installed)
Is the configuration predefined or does it depend on policy? Predefined Policy driven
  • Explanation about Control Connections

    Security Gateways assigns a higher priority to control connections than to other connections. By default, these services are considered by Security Gateway as control connections:

    • Check Point CPMI
    • Policy installation/fetch (CPD daemon)
    • Check Point Remote Installation (CPRID daemon)
    • SSH
    • DHCP
    • OSPF
    • BGP
    • VRRP

    Not all control services get the same priority. Security Gateways prioritize some control services over the other control services.

  • Explanation about Priority Queues

    By default, there are 8 priority queues (up to 16 by manual configuration).

    Queue
    Priority
    (0=highest)
    Queue
    Name
    Type of connections Can
    connections
    migrate?
    Limited
    Queue
    Length
    (default=512)
    0 Routing DHCP, VRRP, OSPF, BGP, IGMP, PIM, ... No Yes
    1 Control GUI / SSH / ports 18xxx / Mgmt services (see sk52421) Yes Yes
    2 Cluster sync Local / Full sync No Yes
    3 High priority User defined Yes Yes
    4 Light Data Queue Light connections Yes Yes
    5 Default Data Queue Medium weight connection, or New connection Yes Yes
    6 Log notification Log and Drop notifications No Yes
    7 Heavy Data Queue Heavy connections Yes Yes

    The priority queues are active when the Security Gateway consumes 100% of CPU. When a packet of a new connection arrives, the connection is classified in order to know to which queue it is supposed to go. For example, packets of a new data connection will go to the default data queue.

    The Firewall priority Queues are enabled in the active priority mode: Initially, each connection is assigned to a queue by the connection type: Routing, Control, Data, etc. Nevertheless, for some connection types, the connection might migrate to a different queue. We know what is the load of each connection all the time, so the connections can migrate between the queues, and by doing so get lower/higher priority with respect to other connections.

    For example, a data connection begins its life in the Default Data Queue (Queue #5) and if this connection becomes heavier, it will migrate to a lower priority queue (Heavy Data Queue - Queue #7). Same is true vice versa. If a connection becomes lighter, it will migrate to a higher priority queue (e.g., Light Data Queue - Queue #4).

    To decide whether a connection should migrate or not, the Firewall keeps the load of the average connection all the time. For each connection (by its type), the Firewall knows to how many queues the connection was assigned and what is the CPU load caused by this connection. Based on that information, the Firewall matches weight to a queue, so that the average connection will belong to the median queue (out of all possible queues for the connection type) and each queue has an equal share of weights.

    Since R80.20, in VSX mode, the Firewall Priority Queues are enabled in the static priority mode. This means that after a connection is classified to a specific queue, it cannot migrate to a different queue (classification is according to the connection type, not the load of the connection). Since Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177), in VSX/USFW mode, dynamic Priority Queues are supported but are off by default.

(III) Configuration on Security Gateway

For instructions on how to install and disable the Firewall Priority Queues, refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism.

(IV) Manual Configuration

To perform manual configuration, use $FWDIR/conf/prioq.conf

 prioq.conf is a customized classification file.

Entry format: {Type, Interface, IP, src_port_num, dst_port_num, protocol}

Field Options Explanation
Type CONTROL / ROUTE  To which queue the rule refers.
interface any / external / internal / <interface_name>  On which interface the rule will be.
IP  any / local_src / local_dst  Which kind of connections.
 Source Port Number 0 (any) / port_number  Source Port Number.
 Destination Port Number 0 (any) / port_number  Destination Port Number. 
Protocol Number  protocol_num  Protocol Number.

Example of default prioq file:


You can also add BFD:
#BFD (singlehop)
{ROUTE,any,any,0,3784,17}
#BFD (multihop)
{ROUTE,any,any,0,4784,17}

(V) Monitoring

Administrator can monitor the Firewall Priority Queues in the following ways.

Note: Firewall Priority Queues on Security Gateway must already be enabled. Refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism.

Note: In VSX mode, Priority Queue statistics are not available in CPView. 

  1. Use the sk101878 - CPView Utility.

    • Go to Advanced -> PrioQ -> Overview

      Provides general PrioQ information (cross instances)

      Example:

      Security Gateway R77.30 Security Gateway R80.10
    • Go to Advanced -> PrioQ -> Instances

      Provides general information about the priority queues and information per instance including the priority queues of the specific instance.

      Note: When CPU cores are not fully utilized, all values on this screen will be 0 (zero).

      Example:

      Security Gateway R77.30 Security Gateway R80.10
  2. Use SmartLog (supported only for Dynamic PrioQ).

    A log is issued for every Heavy Connection (that consumes more than 10% of the CPU resources) that such connection was detected and its priority is decreased.

    Example:

(VI) Limitations

Refer to the Configuration Limitations section.

(VIII) Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism

Configuration on Security Gateway R80.10 and higher

Important Notes:

  • In R80.10, Firewall Priority Queues are disabled by default.

  • In R80.20, Firewall Priority Queues are disabled by default, and the Evaluation of Heavy Connections mechanism is enabled by default (Evaluator-only mode) 

  • Starting in R80.10, configuration of Firewall Priority Queues and CoreXL Dynamic Dispatcher were separated and are no longer related to each other.

  • Before enabling these features, refer to "Limitations" section.

  • In R80.10 and higher, these three modes are the only officially supported modes (other modes are not supported, and therefore are not mentioned):

    Mode Number Mode Name Explanation
    0 Off Default.
    Firewall Priority Queues and Evaluation of Heavy Connections are completely disabled.
    1 Evaluator-only
    (Connections
    Statistics)
    Firewall Priority Queues feature is disabled, but monitoring of Heavy Connections
    (that consume the most CPU resources) is enabled in CPView Utility.
    2 On Firewall Priority Queues feature is fully enabled.

Instructions:

  • To check the current mode on Security Gateway:

    [Expert@HostName]# fw ctl multik prioq

    Example output:
    [Expert@R80_10_SA:0]# fw ctl multik prioq
    Current mode is Off
    
    Available modes:
    0.      Off
    1.      Evaluator-only
    2.      On
    
    Choose the desired mode number: (or 3 to Quit)
    
  • To fully enable the Firewall Priority Queues on Security Gateway:

    Note: In cluster environment, this procedure must be performed on all members of the cluster.

    1. Run in Expert mode:

      [Expert@HostName]# fw ctl multik prioq

      Example output:
      [Expert@R80_10_SA:0]# fw ctl multik prioq
      Current mode is Off
      
      Available modes:
      0.      Off
      1.      Evaluator-only
      2.      On
      
      Choose the desired mode number: (or 3 to Quit)
      2
      New mode is: On
      Please reboot the system
      [Expert@R80_10_SA:0]#
      
    2. Choose the mode number 2 "On".

    3. Reboot (in cluster, this might cause fail-over).

  • To enable the monitoring of Heavy Connections (that consume more than 10% of the CPU resources) in CPView Utility on Security Gateway:

    Note: Beginning in Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177) and on all GA versions starting R81, this mode is supported when the Security Gateway is configured in VSX/USFW mode. In a cluster environment, this procedure does not have to be performed on all members of the cluster because it enables monitoring only

    1. Run in Expert mode:

      [Expert@HostName]# fw ctl multik prioq
    2. Choose the mode number 1 "Evaluator-only".

    3. Reboot (in cluster, this might cause fail-over).

  • To completely disable the Firewall Priority Queues on Security Gateway:

    Note: In cluster environment, this procedure must be performed on all members of the cluster.

    1. Run in Expert mode:

      [Expert@HostName]# fw ctl multik prioq
    2. Choose the mode number 0 "Off".

    3. Reboot (in cluster, this might cause fail-over).

Configuration Limitations

  1. The Firewall Priority Queues cannot be enabled in the following scenarios:

    • In R80.20/R80.30/R80.40 VSX/USFW mode::
      • "Evaluator-only" mode is not supported. (VSX and USFW mode are, however, supported since Jumbo Hotfix Accumulator for R80.40 Take 78 (PRJ-13177))
      • The Evaluator of Heavy Connections mechanism is not supported.
      • Firewall Priority Queues is supported in static priority mode only (see "Explanation about Priority Queues" section).  
    • SAM acceleration card is installed on the appliance
    • Carrier Grade NAT (CGN) is configured
    • Security Gateway is configured in Monitor Mode (per sk101670)
    • 6in4 tunnel (SIT interface) is configured
    • Some lines in the $FWDIR/boot/modules/fwkern.conf file are commented out (refer to sk106309).
  2. When SecureXL and a CoreXL FW instance are running on the same CPU core, Priority Queues and Top Connections may not function as expected.

    Such a configuration is the default on the 2200 appliance and on the 4600 appliance.

    To resolve this, disable the synchronous dequeue feature in CoreXL by permanently setting the value of kernel parameter fwmultik_sync_processing_enabled to 0 (zero).

    • To check the current value of this kernel parameter:

      [Expert@HostName]# fw ctl get int fwmultik_sync_processing_enabled
    • To set the desired value for this kernel parameter permanently (per sk26202):

      1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exit):

        [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
      2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

        [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
      3. Add the following line (spaces are not allowed):

        fwmultik_sync_processing_enabled=0
      4. Save the changes and exit from Vi editor.

      5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

        [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
      6. Reboot the Security Gateway.

(IX) Evaluation of Heavy Connections

Introduction

This feature allows the administrator to monitor the Heavy Connections (that consume the most CPU resources) without interrupting the normal operation of the Firewall.

After enabling this feature (refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism), the relevant information is available in CPView Utility.

For detecting Elephant connection, refer to the Detect and Handle Heavy Connections.

Note: This feature is not supported in VSX/USFW mode for R77.30/R80.10/R80.20/R80.30/R80.40. However, VSX and USFW mode are supported since Jumbo Hotfix Accumulator R80.40 Take 78 (PRJ-13177), and on all GA versions starting R81.

Configuration on Security Gateway

For installation and disablement of the Evaluation of Heavy Connections mechanism, refer to Installation/Disablement of Priority Queues and Evaluation of Heavy Connections Mechanism.

Monitoring

Administrator can monitor the Evaluation of Heavy Connections in the following ways: 

Monitoring Heavy Connections

  1. Set the mode of the Firewall Priority Queues on Security Gateway to enabled:

    Version of
    Security Gateway
    Command
    R80.x

    [Expert@HostName]# fw ctl multik prioq

    Select mode 1 "Evaluator-only".
    R77.30 [Expert@HostName]# fw ctl multik set_mode 9
  2. Reboot (in cluster, this might cause fail-over).

  3. Run the sk101878 - CPView Utility:

    [Expert@HostName]# cpview
  4. Go to CPU -> Top-Connections.

    This screen displays top 10-30 (configurable) connections that consume the most CPU resources.

    Example:

    Security Gateway R77.30 Security Gateway R80.10

Use SmartLog

Note: This log is supported only for Dynamic PrioQ.

A log is issued for every Heavy Connection (that consumes more than 10% of the CPU resources) that was detected and its priority is decreased.

Example:

Limitations

Refer to Configuration Limitations section.

(X) Detect and Handle Heavy Connections

To see how to detect and handle heavy connections, refer to: sk164215 - How to Detect and Handle Heavy Connections.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment