I am experiencing some spikes in the load and this is causing slowdowns and other erratic behavior. When I look at the Front Panel in FSM, I can see the Load bar highlighted up to the 1st red bar indicating 80 or 90% utilization. My question is, how do I figure out what is causing this? I look at the status report and it is showing only 30% or so CPU. I know it is probably IDS or antivirus scanning something but how do you spot check?
Running Version 12.5.3.B616762
You can see the CPU utilization of the individual components in WSM Firebox System Manager -> Status Report -> Process list
I looked at that, but adding up the %'s doesn't seem to equate to the high load being shown on the front panel. Is there any way to see it in a log? Sometimes I will get a report from someone complaining, but when I get a chance to look at FSM things go back to normal. Also, is there a list of what each component shown in the process list is, as it relates to the subscription services used?
From the docs - describing the Load bar:
"The CPU utilization value from the device is the average percentage over the last minute."
So it is difficult to relate the load bar to processes.
So how can you pinpoint what processes could have become overloaded? I am trying to determine what policy could be having an adverse effect on load either by being too intrusive or too aggressive in scanning. I did find that my IDS was set to full scan instead of Fast (must have been extra paranoid that day). I made the change back to Fast (default) a few weeks ago and figured that fixed the issue, but today I had reports of slowing down and just caught the load bar in the red when I started to investigate.
Are you using the Access Portal?
If so, look at this:
Otherwise to get help in figuring this out, consider opening a support incident.
Thanks for that link, I read through all the posts but it doesn't seem to apply to my situation. I don't have a firecluster, not using access portal (ATM, but plan to), and I do use a NAT rule to allow RDP sessions direct to an RDP server. I do see the reference to new firmware and have seen the new release, guess I should start there. One question, is it common practice to set a reboot on the firewalls? I know way back when I had a 2500, it would need a semi-regular kick from time to time.
Thanks for your input Bruce!
From posts over the years, it seems that some sites do a weekly reboot.
No idea how many do or don't.
In the past, specific XTM versions have had memory leaks, and a reboot would help for those versions.
I don't schedule a reboot, but I don't have a heavily used firewall.
Just a quick update on this...
I did update the firmware to latest version and of course did a reboot.
All has been well since the update/reboot.