When you are troubleshooting CPU load issues, several factors can contribute to the load:
- Individual resource intensive apps
- The CPU/RAM footprint caused by apps that are not actively being used
- Disk usage from extraneous data logging
- Volume and type of traffic passing through the NGFW
Individual apps that can increase CPU Load
Our Performance Guide article has an excellent breakdown of all the apps we offer and their relative CPU and memory requirements:
Intrusion Prevention can be a large source of your CPU load. By default, Intrusion Prevention only logs traffic and blocks nothing. This can put a heavy load on your CPU, as there are over 20,000 rules logging traffic events. We generally only recommend using Intrusion Prevention if you are experiencing intrusion events and want to track where they are coming from.
Are you running Web Cache? Web Cache is an app we only recommend for networks with very slow internet connections or metered bandwidth. If you are not restricted in either of these ways, you should uninstall this app. Read this article on Web Cache for a more detailed explanation of Web Cache:
Spam Blocker & Phish Blocker
If you are not using an internal email server, you should uninstall Spam Blocker and Phish Blocker. These apps only scan SMTP (TCP port 25). They will not scan emails if they are downloaded from an external email server.
You should also uninstall applications that are disabled in all policy racks. The usage created by disabled apps is pretty small in comparison to everything else discussed in this document, but if you are troubleshooting an extremely high CPU load any little bit helps!
Extraneous Logging Sources
Unless you are hosting public-facing DNS records on your network, you should bypass DNS sessions. To bypass DNS, go to Config > Network > Bypass Rules. There is most likely an existing Bypass DNS rule: enable it to bypass DNS. If the default Bypass DNS rule is not present, create a rule set up similarly to what is shown below:
Additional System Logging Options
Under Config > Network > Advanced > Options, there are four check boxes that enable additional system-wide logging options that are not necessarily useful in all networks or at all times.
- Log bypassed sessions - should usually be disabled. This will help reduce both CPU load and disk usage. Generally, you do not need to retain logs of traffic that is bypassed from the filtering applications.
- Log local outbound sessions - should be disabled except for when troubleshooting. This logs all sessions being generated by the NGFW to external servers. Examples of this are "call-home" requests to the Untangle license server, or Web Filter categorization lookups.
- Log local inbound sessions - is disabled by default and should only be enabled for troubleshooting. This enables logging of sessions destined to the NGFW itself. An example of this would be logging into the Admin interface from a computer on the local network.
- Log blocked sessions - is disabled by default and should only be enabled for troubleshooting. This enables logging of all sessions blocked by the kernel (invalid traffic) or Filter rules.
Traffic Related Issues / Troubleshooting
You may also want to check the traffic volume your Untangle server is passing. If you are averaging over 100 sessions per minute per device, you may want to see where this traffic is coming from as it is fairly heavy traffic and will contribute to your CPU load. Go to Reports > Network > Sessions Per Minute.
To see what devices are sending this traffic, while still in the Network category, go to the Top Client Addresses report. These are the top ten session generators in your network. If you hover your mouse over any of the pie slices, it will show you how many sessions that IP address generated over the past 24 hours. The default time frame for reports is the past 24 hours. The "Other" category is all other devices in your network besides the top ten. To see more pie slices, click on Settings on the upper right of the report. You can then adjust the Pie Slices number to a maximum of 25.
To see where this traffic is destined, go to the Top Server Addresses report. These are the top ten recipients of the sessions in your network. You should investigate the devices that are generating this traffic and see why your session count is so high.
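The same triage can be repeated off-box on exported session events. The script below is an added example, not Untangle code: the CSV column names (`time_stamp`, `client`, `server`), the helper names and the sample rows are all constructed assumptions. It reads the 100 sessions per minute figure as a per-client average over the observed window.

```python
import csv
import io
from collections import Counter
from datetime import datetime

THRESHOLD = 100  # sessions per minute per device, the figure the article cites

def load_sessions(text):
    """Parse CSV rows into (minute, client, server) tuples; skip malformed rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            ts = datetime.strptime(rec["time_stamp"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError, TypeError):
            continue
        if not rec.get("client") or not rec.get("server"):
            continue
        rows.append((ts.replace(second=0), rec["client"], rec["server"]))
    return rows

def analyze(rows, threshold=THRESHOLD, top_n=10):
    """Return average sessions/min per client, clients over threshold, top servers."""
    if not rows:
        return {"avg_per_min": {}, "heavy": [], "top_servers": []}
    minutes = sorted({m for m, _, _ in rows})
    span = int((minutes[-1] - minutes[0]).total_seconds() // 60) + 1
    per_client = Counter(c for _, c, _ in rows)
    avg = {c: n / span for c, n in per_client.items()}
    heavy = sorted((c for c, a in avg.items() if a > threshold), key=lambda c: -avg[c])
    top_servers = Counter(s for _, _, s in rows).most_common(top_n)
    return {"avg_per_min": avg, "heavy": heavy, "top_servers": top_servers}

def build_sample():
    """Constructed sample: one noisy client (150/min), one quiet one (2/min), 3 minutes."""
    lines = ["time_stamp,client,server"]
    for minute in range(3):
        stamp = f"2024-01-01 10:0{minute}:00"
        lines += [f"{stamp},192.168.1.50,203.0.113.7"] * 150
        lines += [f"{stamp},192.168.1.20,198.51.100.9"] * 2
    lines.append("garbage-row,,")  # malformed row, ignored by the parser
    return "\n".join(lines)

if __name__ == "__main__":
    result = analyze(load_sessions(build_sample()))
    for client in result["heavy"]:
        print(f"{client}: {result['avg_per_min'][client]:.0f} sessions/min")
    print("Top servers:", result["top_servers"])
```

Clients listed under `heavy` are the ones to investigate first, and `top_servers` shows where their sessions are going.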