>>> On 6/12/2009 at 3:06 PM, carlopmart <[email protected]> wrote: > pkc_mls wrote: >> carlopmart a écrit : >>> Thanks for your response Little Jun, but some observations: >>> >>> a) this host have 2 GB RAM and when I push the policy, 60% of ram is >>> free. Then it isn't a RAM problem >>> >>> b) It is a clean R70 SM installation, I don't upgrade anything. My
>>> test policy only contains 25 objects and 10 rules. It is a really >>> really small policy to consume 99% cpu when I push the policy. >>> >>> I have enabled on SM side only management and log. On security >>> gateway I have enabled only firewall and monitoring options: no VPN, >>> no IPS, no QoS. Maybe the problem is monitoring??? >>> >>> Somebody have tried to limit cpu usage for fwm?? >> Did you try to run the fwm load from the command line ? >> >> You can also run the strace with the fwm load command and see what's >> going on. >> >> > > Ok, sorry for the delay response and i will try to response all questions: > > a) running fwm from command line: "time fwm load Default_Policy smaug" > > Installing CPMAD Policy On: localhost > > CPMAD policy installed successfully on lugdunum... > > CPMAD policy installation complete > > > CPMAD policy installation succeeded for: > lugdunum > > Installing policy on R70 targets: > Default_Policy.W: Security Policy Script generated into Default_Policy.pf > Default_Policy: > Compiled OK. > Installing VPN-1/FireWall-1 policy on: smaug ... > VPN-1/FireWall-1 policy installed successfully on smaug... > > VPN-1/FireWall-1 policy installation complete > VPN-1/FireWall-1 policy installation succeeded for: > smaug > > > real 1m10.624s > user 0m38.344s > sys 0m20.397s > > > b) cpu and ram resources used during compiling,loading,etc policy: > > ----total-cpu-usage---- ------memory-usage----- ----swap--- > usr sys idl wai hiq siq| used buff cach free| used free > 45 53 0 0 1 1| 453M 30M 239M 1.3G| 0 1537M > 39 53 1 0 6 1| 458M 30M 240M 1.3G| 0 1537M > 70 30 0 0 0 0| 475M 30M 241M 1.3G| 0 1537M > 32 63 0 0 3 2| 459M 26M 236M 1.3G| 0 1537M > 50 44 0 0 6 0| 467M 26M 236M 1.3G| 0 1537M > 30 51 0 0 19 0| 478M 26M 236M 1.3G| 0 1537M > 76 16 0 0 6 2| 480M 26M 236M 1.3G| 0 1537M > 85 13 0 0 1 1| 482M 26M 236M 1.3G| 0 1537M > 62 38 0 0 0 0| 487M 26M 236M 1.3G| 0 1537M > 74 26 0 0 0 0| 494M 24M 231M 1.3G| 0 1537M > 18 82 0 0 0 0| 445M 24M 231M 1.3G| 0 1537M > 74 21 2 0 3 0| 445M 24M 231M 1.3G| 0 1537M > 98 2 0 0 0 0| 445M 24M 222M 1.3G| 0 1537M > 79 20 0 0 1 0| 445M 24M 230M 1.3G| 0 1537M > 54 32 13 0 0 1| 448M 24M 201M 1.3G| 0 1537M > 37 53 0 1 5 4| 461M 24M 201M 1.3G| 0 1537M > 17 83 0 0 0 0| 476M 24M 201M 1.3G| 0 1537M > 66 33 0 0 1 0| 481M 24M 201M 1.3G| 0 1537M > 68 15 12 0 3 2| 478M 24M 201M 1.3G| 0 1537M > 41 51 1 2 3 2| 492M 24M 201M 1.3G| 0 1537M > 56 37 0 0 6 1| 497M 24M 201M 1.3G| 0 1537M > 81 10 10 0 0 0| 497M 24M 201M 1.3G| 0 1537M > > Cpu is idle at 0% most part of the time ... It is simply awesome!! ... What is sucking up all of that "sys" CPU time? The fwm process is userland. When I push my R65 policy, real 3m9.10s user 2m15.04s sys 0m2.84s Yee-haw. Check out the user CPU. But look at the system consumption compared to it. The fact that 100% CPU is used isn't really a problem as others have pointed out; an idle CPU is unused CPU. If it takes x cycles to do the job, idle CPU means it takes longer to do those x cycles. Your problem, if there is any, is how many cycles this takes. Why would you want to limit the CPU used by fwm? What else is the box doing that gets slowed down? Is the load average going up (other processes waiting to run) during policy installation? Scanned by Check Point Total Security Gateway. ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
