7. NGFW for small businesses. Performance and General Recommendations
It's time to wrap up the series of articles on the new generation of Check Point SMB appliances (the 1500 series). We hope it has been a useful read and that you will stay with us on the TS Solution blog. The topic of this final article is not widely covered, but it is no less important: performance tuning of SMB appliances. We will go through the hardware and software tuning options of the NGFW and describe the available commands and ways of working with the device.
All articles in the series about NGFW for small businesses:
At the moment there are few sources on performance tuning for SMB appliances, largely because of the restrictions of their internal OS, Gaia 80.20 Embedded. In this article we use a centrally managed layout (a dedicated Management Server), which gives you more tools for working with the NGFW.
Hardware
Before getting into the architecture of the Check Point SMB family, remember that you can always ask your partner to run the Appliance Sizing Tool, which selects the optimal model for the given parameters (throughput, expected number of users, and so on).
Important notes when interacting with your NGFW hardware
SMB-family NGFW appliances cannot be upgraded at the hardware level (CPU, RAM, disk). Depending on the model, an SD card slot is available; it expands disk capacity, but not significantly.
The network interfaces need to be watched. Gaia 80.20 Embedded has few monitoring tools, but the familiar command is always available in the CLI from Expert mode:
# ifconfig
Pay attention to the errors, dropped and overruns counters in the RX and TX lines of each interface (the lines underlined in the screenshot); they let you estimate the number of errors on the interface. Check these counters during the initial deployment of your NGFW and periodically during operation: a rising count usually points to a physical-layer problem (cable, duplex mismatch) or to the interface receiving more than it can buffer, not to the firewall policy itself.
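Reading the counters by eye works for one interface; for periodic checks it is easier to parse the ifconfig output and alert only when a counter is non-zero. The script below is an added example, not part of the original article or of Check Point's tooling. It assumes the busybox/net-tools output format that Expert mode prints ("RX packets:N errors:N dropped:N overruns:N ..."), and the sample output it parses is constructed for the example; on the appliance you would feed it "$(ifconfig)" instead.

```shell
#!/bin/sh
# Added example (not from the original article): scan ifconfig output for
# interface error counters. Gaia Embedded's Expert-mode ifconfig prints
# busybox/net-tools style "RX packets:N errors:N dropped:N overruns:N" lines.
# SAMPLE_IFCONFIG is constructed for this example; on the box use "$(ifconfig)".
SAMPLE_IFCONFIG='LAN1      Link encap:Ethernet  HWaddr 00:1C:7F:00:00:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1250031 errors:0 dropped:0 overruns:0 frame:0
          TX packets:980211 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

WAN       Link encap:Ethernet  HWaddr 00:1C:7F:00:00:02
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4410021 errors:312 dropped:17 overruns:0 frame:312
          TX packets:3900118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000'

# Print "IFACE DIR errors dropped overruns", one line per RX/TX block.
parse_ifconfig_counters() {
    # $1: ifconfig output
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { iface = $1 }          # interface header line starts in column 1
        /(RX|TX) packets:/ {
            dir = substr($1, 1, 2)
            err = drop = ovr = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == "errors")   err  = kv[2]
                if (kv[1] == "dropped")  drop = kv[2]
                if (kv[1] == "overruns") ovr  = kv[2]
            }
            print iface, dir, err, drop, ovr
        }'
}

# Print only the interface/direction lines whose counters exceed a threshold
# (default 0). Returns 1 if any such line exists, 0 otherwise, so the function
# can drive a cron job or a syslog alert.
report_interface_errors() {
    # $1: ifconfig output, $2: threshold
    threshold=${2:-0}
    bad=$(parse_ifconfig_counters "$1" | awk -v t="$threshold" '$3 > t || $4 > t || $5 > t')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample (WAN RX has errors and drops):
report_interface_errors "$SAMPLE_IFCONFIG" 0 || echo "interface errors detected"
```

Run it a second time a few minutes later and compare: counters that were already non-zero at boot are history, counters that keep growing are a live problem.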
The full Gaia has a command:
> showdiag
that reports, among other things, the temperature of the hardware. Unfortunately it is not available in 80.20 Embedded, so hardware monitoring there relies on SNMP traps (SNMP and a trap receiver must be configured on the appliance first). The most useful traps are:
Name - Description
Interface disconnected - An interface has gone down
VLAN removed - A VLAN has been removed
High memory utilization - RAM utilization is high
Low disk space - Free disk space is running out
High CPU utilization - CPU utilization is high
High CPU interrupt rate - The CPU interrupt rate is high
High connection rate - The rate of new connections is high
High concurrent connections - The number of concurrent sessions is high
High firewall throughput - Firewall throughput is high
High accepted packet rate - The rate of accepted packets is high
Cluster member state changed - A cluster member has changed state
Connection with log server error - Connectivity to the Log Server has been lost
The gateway's RAM also needs to be watched. For Gaia (a Linux-like OS) it is normal for reported RAM consumption to reach 70-80%, because Linux counts the page cache and buffers as used memory; what matters is how much is left once those reclaimable pages are discounted.
Unlike the larger Check Point models, the SMB architecture does not use swap memory. However, a swap-related entry was noticed in the Linux system files, which points to the theoretical possibility of changing the swap setting.
Software
At the time of writing, the current Gaia Embedded version is R80.20.10. Be aware that the CLI is limited: only some Linux commands are supported in Expert mode. Assessing NGFW performance also requires looking at its daemons and services; see my colleague's article for details. Here we cover the commands that are available on SMB appliances.
Working with Gaia OS
View SecureXL status and templates
# fwaccel stat
View load per CoreXL instance (core)
# fw ctl multik stat
View the number of sessions (connections) and kernel memory statistics
# fw ctl pstat
View cluster status
# cphaprob stat
The classic Linux command top
# top
Logging
As you already know, there are three ways of storing and processing NGFW logs: locally, centrally and in the cloud. The last two assume that a Management Server exists.
Possible NGFW control schemes
The most valuable log files
System messages (contains less information than on the full Gaia)
# tail -f /var/log/messages2
Blade error messages (a very useful file when troubleshooting)
# tail -f /var/log/log/sfwd.elg
Messages from the kernel ring buffer (driver and hardware events, interface link changes)
# dmesg
Blade configuration
This section is not a complete guide to configuring your Check Point NGFW; it contains only our recommendations, selected from experience.
Application Control / URL Filtering
Avoid Any/Any (Source, Destination) conditions in the rules.
When creating a custom URL object, it is more efficient to use a regular expression anchored to the domain, of the form (^|..)checkpoint.com, than a plain substring, which also matches unrelated hosts that merely contain the string.
Avoid excessive use of per-rule logging and of blocking pages (UserCheck).
Make sure SecureXL is working correctly: most of the traffic should go through the accelerated or medium path (check with fwaccel stat). Also order the rules by how often they match (the Hits column), so that the most used rules are evaluated first.
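Before putting a custom URL pattern into an Application Control rule, and especially into an HTTPS Inspection bypass rule, it is worth checking what it actually matches. The script below is an added example, not part of the original article or of Check Point's tooling: it runs a loose substring pattern and an anchored pattern over a constructed host list with grep -E. The anchored pattern is our own escaped version of the article's expression (dots escaped, end of host anchored), not a Check Point-supplied one, and grep -E is only a stand-in for the blade's regex engine, so verify the final pattern in SmartConsole as well.

```shell
#!/bin/sh
# Added example (not from the original article): check what a custom URL
# pattern matches before deploying it. HOSTS is a constructed list; the
# patterns are ours, and grep -E stands in for the blade's regex engine.
HOSTS='checkpoint.com
www.checkpoint.com
support.checkpoint.com
notcheckpoint.com
checkpoint.com.evil.example
checkpointXcom'

# Print the hosts from the newline-separated list ($2) matched by ERE ($1).
match_hosts() {
    printf '%s\n' "$2" | grep -E -- "$1" || true
}

# Loose: unescaped dots are wildcards and nothing is anchored, so any host
# that merely contains the string matches, including lookalike domains.
LOOSE='checkpoint.com'
# Strict: the whole host, or a subdomain of it; dots escaped, end anchored.
STRICT='(^|\.)checkpoint\.com$'

echo "loose pattern matches:"
match_hosts "$LOOSE" "$HOSTS"
echo "strict pattern matches:"
match_hosts "$STRICT" "$HOSTS"
```

The loose pattern matches all six hosts, including notcheckpoint.com and checkpoint.com.evil.example; the strict one matches only the three real ones. Used in a bypass rule, the loose form would exempt an attacker-registered lookalike from inspection.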
HTTPS Inspection
It's no secret that 70-80% of user traffic is HTTPS, so inspecting it costs CPU on your gateway. In addition, IPS, Anti-Virus and Anti-Bot depend on HTTPS Inspection to see inside that traffic.
Starting from R80.40, HTTPS Inspection rules can be managed without the Legacy Dashboard. Here is a recommended rule order:
Bypass for a group of addresses and networks (Destination).
Bypass for a group of URLs.
Bypass for internal IP and privileged access networks (Source).
Inspect for required networks, users
Bypass for everyone else.
It is always better to select the HTTPS or HTTPS Proxy services explicitly rather than leaving Any, and to log events on the Inspect rules.
IPS
The IPS blade can cause an error when installing policy on your NGFW if too many signatures are enabled. According to a Check Point article, the SMB appliance architecture is not designed to run the full Recommended IPS profile.
To resolve or prevent the issue, follow these steps:
Clone the Optimized profile under the name "Optimized SMB" (or whatever you like).
Edit the profile, go to IPS > Pre R80 Settings and turn off Server Protections.
At your discretion, you can disable protections for CVEs older than 2010: these vulnerabilities are rarely relevant in small offices, yet their signatures cost performance. To deactivate individual protections, go to Profile > IPS > Additional Activation > Protections to deactivate. Weigh this against coverage: if legacy software is still in use on the network, the corresponding protections should stay on.
Instead of a conclusion
In this series of articles on the new generation of SMB-family NGFW (the 1500 series) we tried to highlight the main features of the solution and demonstrated the configuration of its important security components with specific examples. We will be happy to answer any questions about the product in the comments. Stay with us, and thank you for your attention!