I am experiencing some spikes in the load and this is causing slowdowns and other erratic behavior. When I look at the Front Panel in FSM, I can see the Load bar highlighted up to the 1st red bar indicating 80 or 90% utilization. My question is, how do I figure out what is causing this? I look at the status report and it is showing only 30% or so CPU. I know it is probably IDS or antivirus scanning something but how do you spot check?


    Running Version 12.5.3.B616762
    Watchguard M470

  • You can see the CPU utilization of the individual components in WSM Firebox System Manager -> Status Report -> Process list

    I looked at that, but adding up the %'s doesn't seem to equate to the high load being shown on the front panel. Is there any way to see it in a log? Sometimes I will get a report from someone complaining, but when I get a chance to look at FSM things go back to normal. Also, is there a list of what each component being shown in the process list is, as it relates to the subscription services used?

  • From the docs - describing the Load bar:
    "The CPU utilization value from the device is the average percentage over the last minute."
    So it is difficult to relate the load bar to processes

  • So how can you pinpoint what processes could have become overloaded? I am trying to determine what policy could be having an adverse effect on load either by being too intrusive or too aggressive in scanning. I did find that my IDS was set to full scan instead of Fast (must have been extra paranoid that day). I made the change back to Fast (default) a few weeks ago and figured that fixed the issue, but today I had reports of slowing down and just caught the load bar in the red when I started to investigate.

  • Are you using the Access Portal?

    If so, look at this:
    Process guac-standalone

    Otherwise to get help in figuring this out, consider opening a support incident.

  • Thanks for that link, I read through all the posts but it doesn't seem to apply to my situation. I don't have a firecluster, not using access portal (ATM, but plan to), and I do use a NAT rule to allow RDP sessions direct to an RDP server. I do see the reference to new firmware and have seen the new release, guess I should start there. One question, is it common practice to set a reboot on the firewalls? I know way back when I had a 2500, it would need a semi-regular kick from time to time.
    Thanks for your input Bruce!

  • From posts over the years, it seems that some sites do a weekly reboot.
    No idea how many do or don't.
    In the past, specific XTM versions have had memory leaks, and reboot would help for those versions.
    I don't schedule a reboot, but I don't have a heavily used firewall.

  • Just a quick update on this...
    I did update the firmware to latest version and of course did a reboot.
    All has been well since the update/reboot.

