Support Center > Search Results > SecureKnowledge Details
The Check Point Performance Sizing Utility
Solution

Table of Contents:

  • Description
  • Main Outputs
  • Supported Platforms and Versions
  • Limitations
  • Downloading and Installing cpsizeme
  • Running cpsizeme'
  • Restarting cpsizeme
  • Stopping cpsizeme
  • Updating cpsizeme
  • Uploading cpsizeme results to Check Point
  • Known issues
  • Troubleshooting
  • Related solutions

 

Description

The cpsizeme is a lightweight shell script that produces a detailed performance report of Check Point Security Gateway. This script measures the ongoing resource utilization on Security Gateway during the given time period (refer to "Running cpsizeme" section). During this period, the script gathers information about CPU, memory consumption, throughput and few other important performance parameters.

This cpsizeme output and report can assist in improving the sizing accuracy in any one of the following scenarios:

  • Replacing the current Security Gateway appliance/server with a new one.
  • Future growth and planning ahead.
  • Enabling more security Software Blades on the current Security Gateway.
  • Troubleshoot performance issues on the Security Gateway

This script allows to automatically upload the collected raw performance data securely to Check Point servers. If an e-mail address was provided, then after getting the raw performance data, a PDF report will be sent to that e-mail address.
It is possible to upload the raw data to Check Point and e-mail the report at any time, even after running the script (refer to "Running cpsizeme" section).

 

Main Outputs

These are the mains outputs of the 'cpsizeme' script:

  • Summary archive file - includes the Security Gateway's performance statistics of traffic, CPU, memory utilization, and an XML file to be used for sizing. This archive does not include connection data or IP addresses.
    In order to see the information stored in the summary archive file, run 'cpsizeme -S' command and select option 2 'Show summary of last successful session' in the menu.
    Show / Hide example
    General information
    ===================
    * Email address: johndoe@mycompany.com
    * Name of company / organization: 
    * Script version: 3.1
    * Date & time: 2014-02-17 16:46:24
    * Scheduled end: 2014-02-18 16:46:24
    * Utility Sampling duration: 1 days
    * Appliance: VMware Virtual Platform [1959 MB]
    * Active blades: FW MGMT VPN MAB A_URLF AV ASPM APP_CTL IPS DLP IA SSL_INSPECT ANTB MON TE
    * Gateway version: Check Point Gaia R77.10
    * Gateway name: R77-10-SA
    * SecureXL: on
    * Clustering:
    
    HA module not started.
    
    * ClusterXL: no
    
    Customer estimation
    ===================
    * Main functions performed by this gateway:
            * Perimeter security: y
            * DMZ security: n
            * Protect the datacenter: y
            * Segment internal networks: y
            * Protect web servers: n
    * Estimated number of users: 40
    * Estimated gateway throughput [Mbps]: 100
    * Size of internet pipe [Mbps]: 100
    * Satisfied with gateway performance: y
    * Estimated number of remote users: 10
    * Estimated number of IPSec VPN remote users: 15
    * Additional customer feedback: n
    
    Measured Data
    =============
    * Maximum gateway throughput: 28.082305 Mbps
    * Maximum packet rate: 4929 Packets/sec
    * Maximum Total CPU: 46%
            * CPU core 0: 70% (Max core utilization: 100%)
            * CPU core 1: 30% (Max core utilization: 100%)
            * CPU core 2: 37% (Max core utilization: 100%)
            * CPU core 3: 49% (Max core utilization: 91%)
    * Maximum kernel CPU: 27%
            * kernel CPU core 0: 19% (Max core kernel Utilization: 34%)
            * kernel CPU core 1: 11% (Max core kernel Utilization: 24%)
            * kernel CPU core 2: 10% (Max core kernel Utilization: 19%)
            * kernel CPU core 3: 68% (Max core kernel Utilization: 91%)
    * Estimated number of unique IPs behind gateway: 0
    * Maximum concurrent connections: 111
    * Average concurrent connections: 57
    * Maximum memory utilization: 1314964 KB
    * Minimum Free Memory: 1.91298 MB
    * Accelerated packets: 0.00%
    * VPN traffic: 0.00%
    * Detected interface packet drops: no
    * Detected install policy: no
    * SMT status: Unsupported
    * Estimated average of NAT connections: 0% (average concurrent connections:56)
    ===================================
    
  • Detailed archive file - includes all the raw performance data used for analysis and statistics, including connections and routing tables with IP addresses. The detailed archive can be used for performance troubleshooting.

  • PDF Performance Report - a graphical report, which is based on the summary archive file. This report is being generated and e-mailed to you, using the 'cpsizeme' Online Report Service (see sample report).

Note: Relevant for versions lower than R77 - If the cpsizeme report needs be sent to Check Point, then make sure that the latest CPInfo utility is installed. Refer to "Uploading cpsizeme results to Check Point" section below.

 

Supported Platforms and Versions

The cpsizeme script is supported on:

Operating Systems SecurePlatform, Gaia and IPSO 6.2
Hardware all Check Point appliances (Not supported on Open Servers or 600/700/1100/1200R/1400 devices running Gaia Embedded)
Versions R75 and above

 

Limitations

The following limitations apply to cpsizeme script:

  • SecureXL must be enabled on Security Gateway for this script to work.
  • VSX is not supported by this script.
  • In ClusterXL High Availability mode, it is not supported to run this script on Standby member.

 

Downloading and Installing cpsizeme

The cpsizeme script is part of main-train Firewall version.

Note: Starting from R77.20, a newer version is recommended for installation. For cpsizeme to work properly: 

  • DCdownloader should be updated to the latest recommended version to be able to update cpsizeme automatically.
    All of the online customers should have the newest public DA.
    The offline customers should refer to sk92449 to update/install new version of DA agent. 
  • cpsizeme must be updated to use CPInfo for data upload instead of deprecated cp_uploader. After update of DCdownloader, cpsizeme can update itself to the latest version.
    R77.20 and below have old version of cpsizeme and uses cp_uploader which is deprecated. Therefore cpsizeme must be updated to upload data to Check Point cloud.
  • The CPInfo utility must be updated to the latest recommended version to be able to upload data collected by cpsizeme.

To update cpsizeme to the newest availabale version, perform:

  1. Download the latest recommended version of cpsizeme package:

    Platform File name Download cpsizeme
    cpsizeme for Gaia / SecurePlatform cpsizeme.tgz
    cpsizeme for IPSO 6.2 cpsizeme.tar.gz

    Note: if you have a problem with downloading the tool using Chrome browser, refer to sk76080.

  2. Copy the cpsizeme package to a directory on Security Gateway (e.g., /var/log/).

  3. Extract the package:

    [Expert@HostName]# tar -xvzf <name_of_downloaded_cpsizeme_package>

  4. Assign the execute permissions to the script:

    [Expert@HostName]# chmod +x cpsizeme

  5. Move this file to the default cpsizeme directory $FWDIR/bin/ to overwrite the existing version:

    [Expert@HostName]# mv cpsizeme $FWDIR/bin/cpsizeme 

  6. Download and install the latest version of CPInfo utility from The CPInfo utility.

 

Running cpsizeme

  • To see the basic help for the script, run:

    [Expert@HostName]# cpsizeme -h

  • To see the advanced help for the script, run:

    [Expert@HostName]# cpsizeme --help

To run the script with default parameters:

[Expert@HostName]# cpsizeme

By default, the script will run for 24 hours.

If you wish run the script for different amount of time, run:

[Expert@HostName]# cpsizeme XY

where
  • X designates the amount of time to run
  • Y designates the time units: m (for minutes), h (for hours), d (for days)

Examples:
  • To run the utility for 48 hours, run:
    [Expert@HostName]# cpsizeme 48h

  • To run the utility for 75 minutes, run:
    [Expert@HostName]# cpsizeme 75m

Note: 'cpsizeme' should be run for at least 3 minutes for proper functionality.

  • To see the special menu for the script, run:

    [Expert@HostName]# cpsizeme -S
    Please choose an option:
    1       Show upload history
    2       Show summary of last successful session
    3       Show summary of gathered information
    4       Show instructions to get sizing PDF report via email
    5       Show location of generated files
    6       Send summary & detailed archives to Check Point
    7       Send summary archive to Check Point
    8       Reanswer the utility's questions
    9       Cleanup login notifications & optionally all related files
    10      Exit
    Your choice?
    

 

Restarting cpsizeme

To restart a running cpsizeme process, run:

[Expert@HostName]# cpsizeme X

where X designates the new options (duration, proxy, etc.) to be used in the new process. The previous options aren't valid for the new process.

Then choose option #2 ('Start a new session'). Previous process will be terminated and a new one will be started.

 

Stopping 'cpsizeme'

To stop a running cpsizeme process, run:

[Expert@HostName]# cpsizeme

Then choose option #3 ('Delete current session and exit') that will terminate the running process.

 

Updating cpsizeme

It is strongly recommended to run the latest version of the cpsizeme script.

  • The latest version of the 'cpsizeme' script (as of 02 Mar 2017) is: 3.6

  • To check the version of the current 'cpsizeme' script on Security Gateway, run:

    [Expert@HostName]# cpsizeme -V

  • On some Security Gateway versions, the 'cpsizeme' script will allow to check for updates and to update the script. It is recommended to choose this option when available.

  • To update the 'cpsizeme' script manually:

    1. Cleanup the existing 'cpsizeme' results:

      [Expert@HostName]# cpsizeme -S
      And select option 9 'Cleanup login notifications & optionally all related files'

    2. Remove the current 'cpsizeme' script file:

      [Expert@HostName]# rm -i /<path_to>/cpsizeme

    3. Refer to the instructions in "Installing 'cpsizeme'" section.

 

Uploading cpsizeme results to Check Point

There are two procedures to receive the cpsizeme report:

  1. Automatically upload from the Security Gateway - assuming that the Security Gateway has Internet connectivity:

    • The 'cpsizeme' script can upload the output files to Check Point. This is done when the user is prompted with the following options and selects either the first, or the second option:
      Please choose:
           1  Run the utility and automatically send both the detailed & summary
              archives to Check Point
           2  Run the utility and automatically send only the summary archive to
              Check Point
           3  Run the utility without sending the data automatically to Check Point
      Your choice?
    • Relevant for versions lower than R77 - the latest Check Point CPInfo utility must be manually installed on the Security Gateway. Make sure to install the latest version of the CPInfo utility. Otherwise, the 'cpsizeme' script will not be able to upload the collected data. To install the CPInfo utility, refer to sk92739 - The CPInfo utility.

    • A valid license must be installed on the Security Gateway (to allow uploading to Check Point servers).

    • To allow connectivity to Check Point servers, refer to the 'System Requirements' section in sk92739 - The CPInfo utility.

      • If a Proxy is used to access HTTPS servers, then run:

        [Expert@HostName]# ./cpsizeme -p PROXY_IP_ADDRESS:PROXY_PORT

      • If a username and password are required for the Proxy, then run:

        [Expert@HostName]# ./cpsizeme -p USERNAME:PASSWORD@PROXY_IP_ADDRESS:PROXY_PORT



  2. Offline options:

    1. Offline upload procedure - If the Security Gateway does not have connectivity to Check Point servers, you can upload the data via e-mail.

      Procedure:
      1. Locate the cpsizeme output XML file on the Security Gateway. Run:
        [Expert@HostName]# cpsizeme -S
        And select option 5 'Show location of generated files'.
      2. Transfer the cpsizeme output XML file from the Security Gateway to your computer.
      3. Attach the cpsizeme output XML file to an e-mail.
      4. Send the e-mail to the following e-mail address: cpsizeme_upload@checkpoint.com
      5. You will receive an e-mail from sizing@checkpoint.com with attached PDF report within 1 hour (see sample report).


    2. Upload manually the XML to Appliance Sizing Tool (AST) as follows:

      (Note: Log in to the Support Center, go to the "QUOTING TOOLS" menu and click on the "Appliance Sizing Tool".)

      1. Select the 'Advanced Settings' option:



      2. In the 'Performance Sizing Utility' section at the bottom, click on 'Choose File'.
      3. Select the XML file and click on 'Upload'.
      4. Immediately the information from the XML file will be fetched in the AST upper left column.
      5. Review the automatically completed information in the AST.
      6. Adjust characteristics as needed, such as activating additional Software Blades, for example.
        Note:
        - Check additional blades if needed
        - Choose the correct number of users
        - If the gateway passes traffic also to the Internet, select the checkbox near the Internet Connection field and note how many traffic to be send "outside",through the gateway. This portion of traffic has the direct impact on the selected blades like IPS, Application Control etc.

 

Known issues

Symptom Solved in version
Updating cpsizeme as part of evaluation process sets the evaluation duration to default (24 hours) and not the requested period. 3.2

 

Troubleshooting

Refer to "Uploading cpsizeme results to Check Point" section.

  • Problem: failed to upload report when sending the summary or the detailed archive

    Solution:

    • Check connectivity from the Security Gateway to the following sites:
      • services.checkpoint.com on TCP port 443
      • mercury.ts.checkpoint.com on TCP port 22
      For example, run telnet services.checkpoint.com 443

    • If you need to use a proxy server to connect to the above sites, use the proxy method of cpsizeme.
      Run: cpsizeme -p PROXY_IP_ADDRESS:PROXY_PORT

  • Problem: failed updating the version.

    Solution:

    • Check connectivity from the Security Gateway to the following sites:
      • services.checkpoint.com on TCP port 443
      • mercury.ts.checkpoint.com on TCP port 22

    For example, run telnet services.checkpoint.com 443

 

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment