- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Troubleshooting Firewall Reboots due to tWebMain process in Gen 6 devices
03/26/2020 
104 People found this article helpful
44,158 Views
Description
This article outlines the steps in troubleshooting when the firewall is rebooting due to suspension of tWebMain. This is a process responsible for displaying events/information in the GUI of the firewall.
Usually when this happens, the CPU or Core 1 (in GUI) spikes up to a 100%.
Cause
There are several factors that can keep tWebMain busy:
- GUI logging: This depends on the number of log events generated. The logging on the firewall, when enabled for regular events (eg: DNS Allow, ICMP allowed, Connection NAT Mapping), will generate a large number of events. This overwhelms the tWebMain process if we have GUI Alerts enabled.
- App Control Logging / App Rule Logging
- Log Name Resolution: When this is set to DNS Then NetBIOS or just NetBIOS, requests from the machines to public DNS servers requesting PTR records, will result in errors
- Site to Site VPNs: These when configured incorrectly, even though the tunnel might work, will repeatedly generate errors which are logged.
The CPU Utilization can be found in the TSR of the firewall by doing a search for "CPU Utilization" or "Utilization per process".
The following is an excerpt from a TSR: it shows that the overall CPU Utilization is 65% (Which is above normal, but not alarming). The value 50 denotes the priority the process gets. In other words, if there is a higher priority process coming in, it will preempt one of the lower priority processes.
--CPU Monitor--
CPU Monitor:
Current 1s CPU Utilization: 100.00%
Current 10s CPU Utilization: 100.00%
Total Average CPU Utilization: 65.15%
CPU Utilization Per Process:
# Name PC PRI Total% (secs) Curr% (secs)
--- ----------------- ---------- --- ------------- -------------
1. pass_to_stack 0x81203774 50 16.24 (1224.62) 28.57 (0.30)
2. tWebListen 0x81203774 50 9.89 (746.07) 17.46 (0.18)
3. tWebMain06 0x81200cb0 50 1.50 (113.23) 6.35 (0.07)
Resolution
The following changes can be made in the firewall settings to prevent tWebMain from causing issues:
- GUI Logging: This change should be done under Log | Settings: disable GUI alerts for regular events, or if they have to be logged, send them to a syslog server (if one is configured), or change the Log filter value to Non zero (typically 60 seconds). Please see: Reduce CPU usage reviewing logs configuration
- App control/ App rule logging: This change should be done under Firewall | App Rules or Firewall | App control Advanced
- For App Rules, change the Global Log Redundancy filter value to non zero value.
- For App Control, change the filter value for the categories (27 in total). This eliminates redundant logs for the specified period of time.
NOTE: If the firewall is being managed by GMS, the logging is automatically enabled for all categories.
- Log Name Resolution: Under Log | Name Resolution, set the value to None or just DNS.
- In the diag.html page
- Enable the "Main Log Process Reschedule Interval" and set the value to 100 entries.
- Change the "Log Output Limit:" value to "1000" entries (Available for SuperMassive10000 series).
- Disable the "Exempt Redundancy Filter intervals of unfiltered events from global, category-level and group-level changes"
- If AppFlow is enabled, please disable it from AppFlow | Flow Reporting by disabling "Enable Real-Time Data Collection" and "Enable AppFlow To Local Collector"
NOTE: If the issue persists even after making the changes, collect stack trace information, TSR, settings files and Console logs if necessary and create a Collaboration Request with SEEG. Click on this link to read more about How to obtain diagnostic Logs/data from console cable connection when Firewall is freezing/locking.
NOTE: When change values in the diag.html page on SuperMassive10000 series running firmware version 6.0.5.2-72o or 6.0.5.2-73o, the firmware needs to be upgraded to 6.0.5.2-74o or later due to any button in the diag.html page are not responsive.
Related Articles
- How to force an update of the Security Services Signatures from the Firewall GUI
- How to upload security services signatures manually on Closed Environments?
- How to Create Gen 7 Settings File by Using the Online Migration Tool
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO