Did you know you can set up a priority queue in your Check Point R77.30 appliance so that, should the device become unresponsive due to high CPU load, you can still connect to it?
Have you ever had to run into a DC and pull a power cord because you could not connect to a box? Well, now you can set up priority queues so you won’t have to do that.
Priority Queues are a mechanism intended to prioritize part of the traffic when packets must be dropped because the Security Gateway is stressed (CPU fully utilized). In R77.20 and lower versions, when the CPU became fully utilized, traffic was dropped regardless of its type. As a result, control connections (described below) were dropped too, which had a serious negative impact (e.g., no SSH connectivity). In addition, a few “heavy” connections could drive up the CPU load on the Security Gateway and cause issues for all other connections. R77.30, however, “protects” the CPU cores on which the Firewall is running.
To set this up, follow these instructions:
To check the current mode on Security Gateway:
[Expert@HostName]# fw ctl multik get_mode
To fully enable the Firewall Priority Queues on Security Gateway:
Note: In a cluster environment, this procedure must be performed on all members of the cluster.
1. Run in Expert mode:
[Expert@HostName]# fw ctl multik set_mode 9
2. Reboot (in a cluster, this might cause a fail-over).
There are 3 modes (see chart) and you can switch easily between them.
The Firewall Priority Queues feature is now fully enabled; however, it is not active all the time. When is it active? Only under an extreme condition such as CPU overload. The queues themselves are already predefined. See the chart below:
You can also use this feature just to monitor the Heavy Connections (those that consume the most CPU resources) without interrupting the normal operation of the Firewall, using the same command: fw ctl multik set_mode 1
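The mode check and mode change above, together with the monitor-only mode 1, as an added shell helper (not from the original post or from Check Point): it reads the current mode, calls set_mode only when the gateway is not already in the desired mode, and reports that a reboot is still required instead of rebooting on its own. It assumes that fw ctl multik get_mode prints the mode number somewhere in its output (the post does not show the exact wording, so the parser simply takes the last integer it finds; adjust it to match your gateway); FW_CMD, pq_current_mode and pq_ensure_mode are names chosen here.

```shell
#!/bin/bash
# Added example, not code from the original post or from Check Point.
# Wraps the Expert-mode procedure from the post so it can be re-run safely:
#   fw ctl multik get_mode      -> read the current mode
#   fw ctl multik set_mode N    -> change it (9 = Priority Queues fully
#                                  enabled, 1 = heavy-connection monitoring
#                                  only, as described in the post)
# A reboot is needed after set_mode; in a cluster that may cause a fail-over,
# so the script reports "reboot-required" and leaves the reboot to you.
# Run it on every cluster member.

# FW_CMD defaults to the real `fw` binary; it can be pointed at a wrapper
# (or, for testing off-box, at a shell function) with the same arguments.
FW_CMD="${FW_CMD:-fw}"

# Print the numeric mode parsed from get_mode output, or fail.
# Assumption: the mode number appears in the output; the exact wording
# is not shown in the post, so the last integer found is used.
pq_current_mode() {
    out=$("$FW_CMD" ctl multik get_mode) || return 1
    mode=$(printf '%s\n' "$out" | tr -c '0-9' '\n' | grep . | tail -n 1)
    if [ -z "$mode" ]; then
        echo "could not parse mode from get_mode output: $out" >&2
        return 1
    fi
    printf '%s\n' "$mode"
}

# Bring the gateway to the desired mode (default 9).
# Prints "unchanged" if it is already there, "reboot-required" after
# calling set_mode, and fails on any error.
pq_ensure_mode() {
    desired="${1:-9}"
    case "$desired" in
        ''|*[!0-9]*) echo "mode must be numeric, got: $desired" >&2; return 2 ;;
    esac
    current=$(pq_current_mode) || return 1
    if [ "$current" = "$desired" ]; then
        echo unchanged
        return 0
    fi
    "$FW_CMD" ctl multik set_mode "$desired" || return 1
    echo reboot-required
}

# Usage on the gateway in Expert mode:  ./pq_mode.sh --apply 9
# (then reboot when the output says reboot-required)
if [ "${1:-}" = "--apply" ]; then
    pq_ensure_mode "${2:-9}"
fi
```

Because the script only reports "reboot-required", it can be run first on the standby cluster member, that member rebooted and verified with get_mode, and the active member handled afterwards, keeping the fail-over under your control.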
To learn more specifics, check out sk105762.
Happy uptime !!