One of our customers is facing CPU utilization of around 50 to 65 percent during the production hours.
The firewall model is PA-3220 and the PAN-OS version is 10.1.5.
Checked the session utilization, packet buffer and descriptor; all are below 10 percent.
When the CPU utilization started to increase, the packet rate, throughput and TCP sessions on the firewall are also increasing, and when it decreases, the CPU utilization decreases also.
SSL and Web-browsing were the top applications in usage. We suspect web-browsing traffic is causing the issue, as we do not have SSL decryption configured, which leaves us with the web-browsing traffic, which is HTTP traffic.
Had observed a few counters increasing during the work hours; need to know the meaning and impact of those counters.
:url_db_request 5190850705 4017
:url_db_reply 5190816573 4017
:zip_hw_in 177318579851 124016
:zip_hw_out 627779340320 434128
:zip_sw_in 199848004732 130852
:zip_sw_out 693744943688 451950
:dfa_sw 90961589404 47671
:ctd_decode_filter_chunk_normal 14434038389 9138
:aho_sw_offload 83496446878 44301
:ctd_pscan_sw 99078275564 53215
:ctd_pkt_slowpath 98653053385 52775
:pkt_flow_np 225588310161 117552
:pkt_recv 226111711878 117764
:pkt_recv_zero 220606502314 114917
:pkt_sent 304325837740 162575
:flow_np_pkt_rcv 226111711915 117764
:flow_fpga_rcv_fastpath 211929224623 110914
mainly regarding the zip_counter
Any reason why you're particularly worried about a 50-65 percent CPU utilization rate? What you've described is really just normal operation; as the load traversing the firewall increases you'll see the dataplane CPU rate increase. Decrypting traffic and enabling additional features will cause that impact to be increased.
The zip counters are the size of zip in (compressed) vs out (decompressed) in bytes. Zip files and zip content (like gzip encoded web content) are decompressed by the firewall to be able to perform ctd on the content.
There's not really anything that can be diagnosed from these counters alone, especially without a time frame. This level of CPU usage might be considered expected behaviour for that platform depending on the actual rate and type of data.
And it's normal for all of those counters to increase during working hours, since there is more traffic during working hours.
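The zip counter explanation above, worked through on the figures from the question, as an added example that is not part of the original thread: it parses the pasted counter lines and computes the decompressed-to-compressed byte ratio for each zip_*_in / zip_*_out pair. It assumes the two numeric columns are the cumulative value and the current rate, as pasted; the function names are hypothetical.

```python
import re

# Counter lines copied from the question above (name, value, rate).
SAMPLE = """\
:zip_hw_in 177318579851 124016
:zip_hw_out 627779340320 434128
:zip_sw_in 199848004732 130852
:zip_sw_out 693744943688 451950
:pkt_recv 226111711878 117764
"""

# Assumption: each line is ":name <value> <rate>", as pasted in the thread.
LINE = re.compile(r"^\s*:?(\w+)\s+(\d+)\s+(\d+)\s*$")

def parse_counters(text):
    """Return {name: (value, rate)}; lines that do not match are skipped."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters

def zip_ratios(counters):
    """Decompressed/compressed byte ratio per zip path, from both columns."""
    ratios = {}
    for name, (in_val, in_rate) in counters.items():
        if not (name.startswith("zip_") and name.endswith("_in")):
            continue
        path = name[len("zip_"):-len("_in")]
        out = counters.get(f"zip_{path}_out")
        if out is None or in_val == 0:
            continue  # incomplete pair, or nothing decompressed yet
        out_val, out_rate = out
        ratios[path] = {
            "total": round(out_val / in_val, 2),
            "current": round(out_rate / in_rate, 2) if in_rate else None,
        }
    return ratios

def input_share(counters):
    """Share of compressed input bytes counted on each zip path."""
    ins = {n[4:-3]: v for n, (v, _) in counters.items()
           if n.startswith("zip_") and n.endswith("_in")}
    total = sum(ins.values())
    return {p: round(v / total, 3) for p, v in ins.items()} if total else {}

if __name__ == "__main__":
    c = parse_counters(SAMPLE)
    print(zip_ratios(c), input_share(c))
```

On the pasted figures both paths show roughly 3.5 bytes out for every byte in, which matches the description of compressed content being expanded for inspection.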