ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.
ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins.Read more for important details.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
sumsama1
Captain Captain
Captain
‎2015-10-05 19:37
1184 views

Checkpoint caching

Hi, I have one checkpoint Firewall which caches most of the time. I have made the batching to 300:1 and increased the java heap to 1 Gb but still same. what else can I do to decrease the caching on connector

Labels (3)
Labels
0 Likes
Report Inappropriate Content
21 Replies
pbrettle
Fleet Admiral
Fleet Admiral
‎2015-10-09 02:43

Seen this before and it was disk performance!

The first thing that the connector will do is to receive the data via the command line tool from CheckPoint and spool it straight to disk. Then the connector actually reads the files and processes them. As part of the processing, it will then spool the data to the inbound queue and also spool the processed data to the outbound queue! Yes, it is reading and storing the data that many times.

So if you have slow disk, contended disk or running on a VM without a dedicated disk, it will slow down and hence trigger caching!

Also, have you checked in the log files and seeing what it is doing? are you hitting the memory? It should give you some indication around the caching messages and show you what is going on. Also, have you considered running Logfu on the connector to see what the internal operation is?

0 Likes
Report Inappropriate Content
Shaun
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-10-09 12:36

How frequently is your agent doing a full garbage collection?

Even after the changes recommended by @pganguly you are still only sending 2K EPS?

0 Likes
Report Inappropriate Content
sumsama1
Captain Captain
Captain
‎2015-10-09 22:22

Client wants all fields in ESM. Wont this filter out some fields in ESM? and in our case during peak hours sent to manager EPS is less than post aggregation EPS. HP engineer suggested us to keep ESM memory twice of working set of memory and in our case working set of memory if 4 GB.

0 Likes
Report Inappropriate Content
sumsama1
Captain Captain
Captain
‎2015-10-09 22:27

GC is happening in less than 5 secs. HP Engineer suggested us to keep ESM memory twice of working set of memory and if we decrease ESM memory we getting "Memory in red zone error". Most memory is used while rules are updating Active List and since last 15 or 20 days our sent to manager EPS is always less than post aggregation EPS.

0 Likes
Report Inappropriate Content
sumsama1
Captain Captain
Captain
‎2015-10-09 22:28

And after adding Symantec protection logs the total EPS is around 12k - 15k and this expected

0 Likes
Report Inappropriate Content
pbrettle
Fleet Admiral
Fleet Admiral
‎2015-10-09 23:40

Sorry confused now - are you seeing Memory In Red Zone messages on ESM or the connector? And where is the caching occurring also? At ESM or the connector? I have been talking about the connector, but if you have been hitting performance issues at ESM, thats a completely different discussion!

In the case of ESM, disk performance is critical - so I would be digging into this, and also make sure you have plenty of memory - and you mentioned GC is happening less than 5 second - every 5 secs or its taking 5 secs?

0 Likes
Report Inappropriate Content
AlexMuratov1
Absent Member.
Absent Member.
‎2015-10-13 15:19

"Wont this filter out some fields in ESM?":

if aggregated events have some fields are identical, they will be kept, otherwise dropped. The setting "Preserve Common Fields: Yes" is designed for this purpose. If the client would like to see a source port for example, the aggregation is not for you. But this information is not very useful usually.


"HP engineer suggested us to keep ESM memory twice of working set of memory and in our case working set of memory if 4 GB.":

Really??? Well, I am not a HP Engineer but this advise contradicts with my experience. ESM Manager is pretty greedy for memory. The only downside of the huge RAM allocation - JRE garbage collector will spend more time for global cleanup but it invoked pretty rare,usually 1 time per hour.

0 Likes
Report Inappropriate Content
AlexMuratov1
Absent Member.
Absent Member.
‎2015-10-13 17:06

I did not see you mentioned about invoking global garbage collector at the ESM each 5 seconds. Fix this first and I would not be surprised if the Check Point Connector issue will disappear after it.

0 Likes
Report Inappropriate Content
sumsama1
Captain Captain
Captain
‎2015-10-14 15:19

yes now am seeing GC happening every in every 5 secs and most syslog based connector are caching. sometime back HP suggested us to decrease ESM Java memory to twice of working set of memory (4 GB working set of memory * 2 = 8 to 12 gb ) but if we do this we get error "memory in red zone". so we using 24 GB now.

0 Likes
Report Inappropriate Content
AlexMuratov1
Absent Member.
Absent Member.
‎2015-10-14 19:27

Increase up to 32Gb and talk to your client to enable aggregation at Connector's level.

0 Likes
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.