7. NGFW for small businesses. Performance and General Recommendations


It's time to complete the series of articles on the new generation of Check Point SMB gateways (the 1500 series). We hope this has been a useful experience for you and that you will stay with us on the TS Solution blog. The topic of the final article is not widely covered but is no less important: SMB performance tuning. In it we discuss the configuration options for the NGFW hardware and software and describe the available commands and ways of interacting with the device.

All articles in the series about NGFW for small businesses:

  1. New line of CheckPoint 1500 Security Gateways

  2. Unpacking and setup

  3. Wireless data transmission: WiFi and LTE

  4. VPN

  5. SMP cloud management

  6. Smart-1 Cloud

At the moment there are not many sources of information about performance tuning for SMB solutions, due to the restrictions of the internal OS, Gaia 80.20 Embedded. In this article we use a centrally managed layout (a dedicated Management Server), since it provides more tools for working with the NGFW.

Hardware

Before touching the architecture of the Check Point SMB family: you can always ask your partner to use the Appliance Sizing Tool utility to select the optimal model for the given characteristics (throughput, expected number of users, etc.).

Important notes when interacting with your NGFW hardware

  1. NGFW solutions of the SMB family do not allow hardware upgrades of system components (CPU, RAM, HDD). Depending on the model, SD cards are supported, which allows the disk capacity to be expanded, but not significantly.

  2. The network interfaces require monitoring. There are not many monitoring tools in Gaia 80.20 Embedded, but you can always use the well-known command in the CLI via Expert mode:

    # ifconfig


    Pay attention to the error counter lines in the output (errors, dropped, overruns for RX and TX); they let you estimate the number of errors on the interface. It is highly recommended to check these counters during the initial implementation of your NGFW, as well as periodically during operation.

  3. For a full-fledged Gaia, there is a command:

    > showdiag

    With its help it is possible to obtain information about the temperature of the hardware. Unfortunately, this option is not available in 80.20 Embedded, so instead we list the most common SNMP traps:

    Name                               Description
    Interface disconnected             Disabling the interface
    VLAN removed                       Removing a VLAN
    High memory utilization            High RAM utilization
    Low disk space                     Not enough HDD space
    High CPU utilization               High CPU utilization
    High CPU interrupt rate            High interrupt rate
    High connection rate               High rate of new connections
    High concurrent connections        High number of concurrent sessions
    High firewall throughput           High firewall throughput
    High accepted packet rate          High rate of accepted packets
    Cluster member state changed       Change of cluster member state
    Connection with log server error   Loss of connection with the Log Server

  4. The gateway's RAM usage also requires monitoring. For Gaia (a Linux-like OS) it is a normal situation when RAM consumption reaches 70-80%.

    The architecture of SMB solutions does not provide for the use of SWAP memory, unlike the larger Check Point models. However, a swap parameter was noticed in the Linux system files, which indicates a theoretical possibility of changing it.
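As an added example (not code from the original article or from Check Point), the following shell script automates the two checks from items 2 and 4 above: it parses ifconfig-style output for per-interface error, drop and overrun counters, and computes the percentage of RAM in use from free-style output against a threshold. The samples embedded in it are constructed; the layout of the free output, the decision to subtract buffers and cache from "used", and the 80% threshold are assumptions, so adjust them to what your gateway actually prints.

```shell
#!/bin/sh
# Added example, not from the original article: a small health check for the
# two things the list above says to watch on a 1500-series gateway, the
# per-interface error counters from ifconfig and the RAM usage. The samples
# below are constructed so the script runs offline; on the gateway (Expert
# mode) you would pipe the real output in instead:
#   ifconfig | iface_alerts      free | mem_check
# The free-output layout and the "subtract buffers/cached" rule are assumptions.

# Constructed sample: eth0 is clean, eth1 shows RX errors/drops/overruns
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.1  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1234567 errors:0 dropped:0 overruns:0 frame:0
          TX packets:987654 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:198.51.100.1  Bcast:198.51.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:555555 errors:42 dropped:7 overruns:3 frame:0
          TX packets:444444 errors:0 dropped:0 overruns:0 carrier:0'

# Constructed samples of "free" output (kB): one normal, one near exhaustion
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:       1021340     812344     208996          0      54012     301234
Swap:            0          0          0'
SAMPLE_FREE_HIGH='             total       used       free     shared    buffers     cached
Mem:       1021340     990000      31340          0      20000      40000
Swap:            0          0          0'

MEM_WARN=${MEM_WARN:-80}   # percent; the article calls 70-80% a normal level

# iface_errors: ifconfig text on stdin -> one line per interface:
#   name rx_errors rx_dropped rx_overruns tx_errors tx_dropped tx_overruns
iface_errors() {
  awk '
    /^[A-Za-z0-9]/ { iface = $1 }          # unindented line opens an interface block
    /^ *(RX|TX) packets:/ {
      dir = $1                             # "RX" or "TX"
      for (i = 2; i <= NF; i++) {
        split($i, kv, ":")                 # "errors:42" -> kv[1]="errors", kv[2]="42"
        if (kv[1] == "errors" || kv[1] == "dropped" || kv[1] == "overruns")
          cnt[iface, dir, kv[1]] = kv[2]
      }
      seen[iface] = 1
    }
    END {
      for (n in seen)
        printf "%s %d %d %d %d %d %d\n", n,
          cnt[n,"RX","errors"]+0, cnt[n,"RX","dropped"]+0, cnt[n,"RX","overruns"]+0,
          cnt[n,"TX","errors"]+0, cnt[n,"TX","dropped"]+0, cnt[n,"TX","overruns"]+0
    }' | sort
}

# iface_alerts: names of interfaces with any non-zero error counter
iface_alerts() {
  iface_errors | awk '$2 + $3 + $4 + $5 + $6 + $7 > 0 { print $1 }'
}

# mem_used_pct: "free" text on stdin -> integer percent of RAM really in use.
# Buffers and cache are subtracted because Linux reclaims them on demand
# (assumed column order on the Mem: line: total used free shared buffers cached).
mem_used_pct() {
  awk '/^Mem:/ { printf "%d\n", ($3 - $6 - $7) * 100 / $2 }'
}

# mem_check: exit status 0 below MEM_WARN, 1 at or above it
mem_check() {
  pct=$(mem_used_pct)
  if [ "$pct" -ge "$MEM_WARN" ]; then
    echo "WARN: memory in use ${pct}% (threshold ${MEM_WARN}%)"
    return 1
  fi
  echo "OK: memory in use ${pct}%"
  return 0
}

# Run the checks against the constructed samples
printf '%s\n' "$SAMPLE_IFCONFIG" | iface_errors
printf '%s\n' "$SAMPLE_IFCONFIG" | iface_alerts
printf '%s\n' "$SAMPLE_FREE" | mem_check
printf '%s\n' "$SAMPLE_FREE_HIGH" | mem_check || true
```

Run from cron or by hand on the gateway and keep the previous output: a counter that is non-zero but static is usually old history, while one that keeps growing between runs points at a cabling, duplex or overload problem on that interface.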

The software part

At the time of publication the relevant Gaia version is 80.20.10. You need to be aware that there are limitations when working in the CLI: only some Linux commands are supported in Expert mode. Evaluating the NGFW requires evaluating its daemons and services; more details can be found in my colleague's article. Here we consider the commands available on SMB.

Working with GaiaOS

  1. View SecureXL templates

    # fwaccel stat

  2. View the load per CPU core

    # fw ctl multik stat

  3. View the number of sessions (connections)

    # fw ctl pstat

  4. View the cluster status

    # cphaprob stat

  5. The classic Linux command top

Logging

As you already know, there are three ways to work with NGFW logs (storage and processing): locally, centrally, and in the cloud. The last two options imply the presence of a Management Server.

Possible NGFW management schemes (figure)

Most Valuable Log Files

  1. System messages (contains less information than on a full Gaia)

    # tail -f /var/log/messages2

  2. Blade error messages (a very useful file when troubleshooting)

    # tail -f /var/log/log/sfwd.elg

  3. View messages from the kernel ring buffer

    # dmesg

Blade configuration

This section does not contain complete instructions for setting up your Check Point NGFW; it only contains our recommendations, selected from experience.

Application Control / URL Filtering

  • It is recommended to avoid Any/Any (Source, Destination) conditions in the rules.

  • When defining a custom URL object, it is more efficient to use a regular expression like: (^|..)checkpoint.com

  • Avoid excessive use of per-rule logging and blocking pages (UserCheck).

  • Make sure that SecureXL works correctly: most of the traffic must go through the accelerated or medium path. Also, don't forget to order the rules by the most used ones (the Hits field).

HTTPS Inspection

It's no secret that 70-80% of user traffic is HTTPS connections, so inspecting it consumes processor resources on your gateway. In addition, HTTPS Inspection feeds the work of IPS, Anti-Virus and Anti-Bot.

Starting from version 80.40 it became possible to work with HTTPS rules without the Legacy Dashboard. Here is a recommended rule order:

  • Bypass for a group of addresses and networks (Destination).

  • Bypass for a group of URLs.

  • Bypass for internal IP and privileged access networks (Source).

  • Inspect for required networks, users

  • Bypass for everyone else.

* It's always better to select the HTTPS or HTTPS Proxy services manually rather than leaving Any. Log events according to the Inspect rules.

IPS

The IPS blade may cause an error when installing the policy on your NGFW if too many signatures are used. According to an article from Check Point, the SMB device architecture is not designed to run the full Recommended IPS profile.

To resolve or prevent the issue, follow these steps:

  1. Clone the Optimized profile under the name "Optimized SMB" (or whatever you like).

  2. Edit the profile, go to IPS → Pre R80 Settings and turn off Server Protections.

  3. At your discretion, you can disable protections for CVEs older than 2010; these vulnerabilities may be rarely found in small offices, but they affect performance. To deactivate some of them, go to Profile → IPS → Additional Activation → Protections to deactivate list.

Instead of a conclusion

As part of the series of articles about the new generation of SMB NGFW (the 1500 family), we tried to highlight the main features of the solution and demonstrated the configuration of important security components using specific examples. We will be happy to answer any questions about the product in the comments. Stay with us, and thank you for your attention!

A large selection of materials on Check Point from TS Solution. In order not to miss new publications, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com
