Sophos Firewall: Understanding the “top” and “atop” commands in Sophos Firewall/UTM

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Overview:

This article describes the “top” and “atop” commands, which are used for resource monitoring: checking processor and memory usage, disk utilization, and the history of other resource usage.

Scenario

When CPU or memory usage spikes on Sophos Firewall, you need to isolate the services responsible for the high resource consumption. These commands come in handy in such scenarios.

Understanding “top” Command:

Top (table of processes) is a task manager program that shows a real-time view of running processes and displays kernel-managed tasks. The command also provides a system information summary that shows resource utilization, including CPU and memory usage.

Command: top

Note: The above screenshot shows the individual CPUs (after pressing 1).

As soon as you run this command, it opens an interactive mode in which the top half contains statistics on processes and resource usage, and the lower half contains a list of the currently running processes.

Analysis of top output:

The result below shows the system uptime since the last reboot, the currently logged-in users, and the CPU load on the firewall.

You can find all the details of your CPU utilization in real time, as seen in the screenshot below:

To understand the memory allocation on the firewall, review the line below, which breaks the memory usage down into all relevant categories.

Note: This is the total CPU available (Averaging CPUs in a Multi CPU system).

Similarly, we can see the swap memory outcomes as well.

What is SWAP memory?

SWAP memory is a dedicated portion of the hard drive that is used whenever the system runs out of RAM. A memory management program on the device takes care of this process. Whenever RAM is short, the memory management program looks for inactive blocks of data in RAM that have not been used for a long time. When it finds those blocks, it moves them into swap memory. This frees up space in RAM, which can then be used by other programs that need processing urgently.

To isolate the services that are consuming high resources and review their utilization details, refer to the output below.

TOP Command Shortcuts:

| Shortcut Key | Explanation |
| --- | --- |
| I | To display or to hide load average line |
| T | To display or to hide task/CPU line |
| 1 | To display or hide all other CPU |
| M | To display or to hide RAM and SWAP details |
| R | To sort by PID number |
| P | To sort by CPU utilization |
| M | To sort by RAM utilization |
| K | To kill a process, press k then PID number then enter to kill a process |
| Q | To quit the top command |
| h | For getting help on top command |

The top output keeps refreshing until you press ‘q’. With the command below, top exits automatically after 10 repetitions.

# top -n 10

You can also save the output using the command below:

# top -n 1 -b > /var/top-output.txt

 

Understanding “atop” Command:

atop is a Linux process monitor tool which is similar to top, but provides more detailed information about the system state, as well as the ability to save its output to a file periodically so that the resource utilization of the system can be recorded and retrieved at a later time (for example, so that you can monitor utilization during rare or intermittent events without having to actively wait for them to occur).

Command: atop

Note: This screenshot is from Irix mode, showing the usage of a single CPU (e.g. 50% listed here on a four-CPU system means 12.5% of the total CPU is being used).

ATOP Command Shortcuts:

| Shortcut Key | Explanation |
| --- | --- |
| a | Sort in order of most active resources. |
| c | Revert to sorting by CPU consumption (default). |
| d | Sort in order of disk activity. |
| m | Sort in order of memory usage. |
| n | Sort in order of network activity. |

Additional Info from KB Sophos Firewall: Check the CPU usage using top

In order to understand real CPU usage in a multi-CPU system like the Sophos Firewall, you cannot use the default top settings.

top will sum up the CPU usage across all threads within a process, on all the CPUs. In the default view, if the sum is greater than 100% then it will display 99.9%. But a 4 CPU system can handle up to 400% usage of a single CPU.

If a process shows it is 99.9% that means it is taking something more than 100% of one CPU on a multiple-CPU system. That does not indicate there is a problem, as it may be a fraction of the total available CPU on a multi CPU system.

To get more meaningful numbers, follow the steps below.

Checking the CPU usage on your Sophos series Firewall

  1. Open your Sophos Firewall CLI.
  2. Go to Device Management.
  3. Go to Advanced Shell.
  4. Run the command:
    top
  5. Press I (capital i). This turns Irix mode off and switches you to Solaris mode.
  6. The % displayed is now the % of all available CPU power. In this mode, everything is scaled so the total CPU is available. This is similar to what is displayed in Webadmin > Diagnostics > System graphs > CPU usage. If a process is taking a large amount of CPU in this mode, it could be a concern.
  7. Press I again and it will say Irix mode on. This will now display in Irix mode without the limit of 99%.
    Note: Press 1 within top to get a summary of the usage of each CPU.
  8. To exit, press q, then enter exit.
  9. You can find out the number of CPUs on a system by running the command:
    grep -c "^processor" /proc/cpuinfo

For example, assume an eight-CPU system where the total CPU usage of snort threads is roughly two CPUs:
top (default): 99.9% snort
top (Solaris mode): 25% snort
top (Irix mode): 200% snort

Note: Even though it starts with Irix mode on, the CPU usage for processes is misleading because it is limited to 99.9%. You need to toggle it off and on again to get an accurate number.
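
The Irix-to-Solaris conversion above can also be applied to saved batch output, such as the file written by top -n 1 -b earlier. The script below is an added example, not part of the original article or Sophos code; the function names, the sample output and the 20% threshold are assumptions, and it assumes the %CPU column holds uncapped Irix-mode values.

```shell
#!/bin/sh
# Added example (not Sophos code): rescale Irix-mode %CPU from top batch
# output to a share of total CPU, as Solaris mode would display it.

# Count logical CPUs with the same grep the article uses.
# The optional file argument is an assumption added so the count can be tested.
cpu_count() {
    grep -c '^processor' "${1:-/proc/cpuinfo}"
}

# Usage: normalize_top NCPU [LIMIT] < top-batch-output
# Prints "PID COMMAND IRIX% TOTAL% FLAG"; FLAG is HIGH when TOTAL% >= LIMIT.
normalize_top() {
    awk -v ncpu="$1" -v limit="${2:-50}" '
        BEGIN { if (ncpu + 0 < 1) { print "bad CPU count" > "/dev/stderr"; exit 2 } }
        # Header row: record which fields hold %CPU and COMMAND.
        $1 == "PID" {
            for (i = 1; i <= NF; i++) {
                if ($i == "%CPU") cpu = i
                if ($i == "COMMAND") cmd = i
            }
            next
        }
        # Process rows follow the header and start with a numeric PID.
        cpu && cmd && $1 ~ /^[0-9]+$/ {
            share = $cpu / ncpu
            printf "%s %s %.1f %.1f %s\n", $1, $cmd, $cpu, share,
                   (share >= limit + 0 ? "HIGH" : "ok")
        }
    '
}

# Constructed sample of "top -n 1 -b" output (not captured from a firewall).
sample_top() {
    cat <<'EOF'
top - 10:15:01 up 12 days,  3:02,  1 user,  load average: 2.10, 1.95, 1.80
Tasks: 180 total,   2 running, 178 sleeping,   0 stopped,   0 zombie

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 4321 root      20   0 1523456 412300  10240 S 200.0  5.1  99:12.34 snort
 1187 root      20   0  256000  48000   6000 S  12.0  0.6   3:45.67 httpd
EOF
}

# Eight CPUs as in the article's example; flag anything at or above 20% of total.
sample_top | normalize_top 8 20
```

On a firewall, the same function would be fed the saved file and the live CPU count, for example normalize_top "$(cpu_count)" 20 < /var/top-output.txt.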

Related Information:
https://logic.edchen.org/irix-mode-vs-solaris-mode-in-top-command/

______________________________________________________________________________________________________________________________________



Added Table of Contents, Edited Formatting, Added Horizontal Lines below disclaimer and at the end of RR
[edited by: Raphael Alganes at 9:14 AM (GMT -7) on 11 Oct 2023]