• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4063
  • Last Modified:

Checkpoint NG - high cpu usage on fwssd.exe

I have recently replaced my old firewall that was running CP 4.1 with a new system running Checkpoint NG. During the day when I have VPN users connected I notice there are many fwssd.exe process' running. One of the process' is eating up 95-98 % of the CPU.
When I check the system late at night or early in the morning all seems to be ok and the system idle process is about 97%. The Server is NT4.0 SP6a. I appreciate any help I can get with this problem.

Thanks.
0
vinnyd79
Asked:
vinnyd79
  • 3
  • 2
2 Solutions
 
Tim HolmanCommented:
It's the CheckPoint Security Server Daemon.  One of these will be kicked off every time a user logs on.
Check Point running on NT is pretty easy to swamp - I would recommend moving to a faster platform.
The problem is probably caused by an excessive amount of VPN tunnel traffic, generated by a single user.  It's quite possible one of your remote users is infected with a virus/worm or maybe just abusing their connections and downloading lots of MP3s, or something...
0
 
dschwartzerCommented:
Security server (SS) is used whenever you have  a 'resource' usage in the rulebase. For example - you are doing a UFP of CVP on the http/ftp traffic. If so, all the traffic is forwarded to the SS, and then to the appropriate 3rd party AV/server.
Anyway, look through the rulebase and try to remove the unneeded 'resource' usage. Otherwise, SS's are known for their CPU utilization. There're number of alternatives to some stuff SS's are used for. E.g. there's a URL logging mechanism, which is now also implemented in kernel - and is much faster - so you should check out kernel alternatives...

Tim, it can't be VPN, because all VPN solutions (besides SSL) are kernel based - so no user process is involved.
And, just FYI, it has been tested and proven that Intel processors are much better performers on VPN related stuff, then say Sparcs. So Intel is better then Sparc, but SPlat is better then Windows, especially NT...

Daniel
0
 
vinnyd79Author Commented:
Sorry guys,I was away from EE for a while and had forgotten about this question.
If it is not VPN,do you think it could be caused by a rule allowing UserAuth telnet access to one of my servers?The problem occurs during the day when users are logged on,and goes away in the evenings when they log off.
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
Tim HolmanCommented:
Yes - it could well be caused by one of Check Point's user authentication mechanisms.  Can you disable and retest to check this ?
0
 
vinnyd79Author Commented:
Disabling it would stop a bunch of people from being able to do their work but I guess it would be a good test. I'll give it a try tomorrow morning and see what happens.
0
 
Tim HolmanCommented:
I mean turn off the telnet authentication mechanism (I assume you mean the Check Point User Auth whereby users have to authenticate with the firewall in order to use telnet ??), so users can access the telnet server direct...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now