Big question...you said "The process using the most cpu is 'fw' (the
checkpoint daemon)." Do you mean "fwd" or "fwm" or did you mean exactly
what you typed with "fw?" Do you have any forgotten security servers
running which could contribute to this?
If "fw" is chewing up most of your CPU you have a problem...fw process could
be spinning as a result of a process run from the command line.
If "fwm" is chewing up most of your CPU I don't have a great answer...try a
"fwstop; fwstart" and watch the new fwm process...does it consume more CPU
cycles as time advances?
If "fwd" is chewing up most of your CPU don't be surprised. Get a copy of
the "Porsche book" and start down the fun road of learning about Solaris
performance tuning...there's more than I can comment on here without some
sar data and time on the box to look around ;)
Good luck.
Chris
-----Original Message-----
From: Jonathan C. Detert [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 18.41
To: [EMAIL PROTECTED]
Subject: [FW1] sun cpu sys time is very high
Hello,
I am running fw-1 sp1 on a single-cpu sun box. I am only
packet filtering (i.e. not NAT, no VPN, no bandwidth shaping).
The sun box is acting as a gateway for my DMZ and for the internet.
My problem is that the cpu utilization seems too high, and it's not cuz
of any 'user' processes. The typical cpu utilization breakdown is 55%
for kernel, 0.6% for user, and the rest is idle. The process using the
most cpu is 'fw' (the checkpoint daemon), with about 2% of the cpu.
The reason this situation is a problem is that I want to start using
floodgate. However, as soon as I install a 'bandwidth policy', fgd
starts taking 40+ % of the cpu, and that leaves no idle time, which
makes the load go thru the roof, which effectively makes the internet
and the dmz inaccessible.
So, why is the kernel taking so much of the cpu?
Other fun facts are:
- The load averages about .6 ;
- no swapping is going on ;
- the box is a 220r with one 450MHz UltraSparc II cpu, 1 GB RAM, and
3 active 100Mbps ethernet nics.
- the box is running disksuite v4.2 on solaris 2.6. All fs's are
mirrored.
- the internet bw is 18Mbps full duplex.
My best guess is that disksuite takes a lot of kernel time. Any way to
verify that without undoing disksuite?
If the excessive kernel time is simply due to packet filtering, are
there simple strategies you can use with the security policy that have
drastic effects on performance? i.e. is there a right way and a really
wrong way to implement the safe effect in security rules?
--
Happy Landings,
Jon Detert
Unix System Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202
_______________________________________________
sunmanagers mailing list
[EMAIL PROTECTED]
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
----- End forwarded message -----
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================