[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [FW1] sun cpu sys time is very high
Hello, I am running fw-1 sp1 on a single-cpu sun box. I am only packet filtering (i.e. not NAT, no VPN, no bandwidth shaping). The sun box is acting as a gateway for my DMZ and for the internet. My problem is that the cpu utilization seems too high, and it's not cuz of any 'user' processes. The typical cpu utilization breakdown is 55% for kernel, 0.6% for user, and the rest is idle. The process using the most cpu is 'fw' (the checkpoint daemon), with about 2% of the cpu. The reason this situation is a problem is that I want to start using floodgate. However, as soon as I install a 'bandwidth policy', fgd starts taking 40+ % of the cpu, and that leaves no idle time, which makes the load go thru the roof, which effectively makes the internet and the dmz inaccessible. So, why is the kernel taking so much of the cpu? Other fun facts are: - The load averages about .6 ; - no swapping is going on ; - the box is a 220r with one 450MHz UltraSparc II cpu, 1 GB RAM, and 3 active 100Mpbs ethernet nics. - the box is running disksuite v4.2 on solaris 2.6. All fs's are mirrored. - the internet bw is 18Mbps full duplex. My best guess is that disksuite takes a lot of kernel time. Any way to verify that without undoing disksuite? If the excessive kernel time is simply due to packet filtering, are there simple strategies you can use with the security policy that have drastic affects on performance? i.e. is there a right way and a really wrong way to implement the safe affect in security rules? -- Happy Landings, Jon Detert Unix System Administrator, Milwaukee School of Engineering 1025 N. Broadway, Milwaukee, Wisconsin 53202 _______________________________________________ sunmanagers mailing list [email protected] http://www.sunmanagers.org/mailman/listinfo/sunmanagers ----- End forwarded message ----- -- Happy Landings, Jon Detert Unix System Administrator, Milwaukee School of Engineering 1025 N. Broadway, Milwaukee, Wisconsin 53202 ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|