Check Point: CPU and RAM optimization

Hello, colleagues! Today I would like to discuss a topic that matters to many Check Point administrators: "CPU and RAM Optimization". It is not unusual for a gateway and/or management server to consume unexpectedly large amounts of these resources, and one would like to understand where they are "leaking" to and, where possible, use them more wisely.

1. Analysis

To analyze CPU load, it is useful to run the following commands, entered in expert mode:

top: shows all processes, the percentage of CPU and RAM they consume, uptime, process priority and more, in real time

cpwd_admin list: the Check Point WatchDog Daemon, which shows all application modules, their PID, status and number of starts

cpstat -f cpu os: CPU usage, the number of CPUs and the distribution of processor time as percentages

cpstat -f memory os: virtual RAM usage, how much is active, free RAM and more

A useful note: all cpstat output can also be viewed with the cpview utility. To do this, just enter the cpview command from any mode in an SSH session.

ps auxwf: a long list of all processes, their IDs, the virtual memory and resident memory in RAM they occupy, and CPU

Another variant of the command:

ps -aF: shows the most expensive process

fw ctl affinity -l -a: the distribution of cores among the different Firewall instances, that is, CoreXL technology

fw ctl pstat: RAM analysis and general indicators for connections, cookies and NAT

free -m: RAM buffers

The netstat command and its variants deserve special attention. For example, netstat -i can help with the task of monitoring buffers. The RX dropped packets (RX-DRP) counter in the output of this command tends to grow by itself because of drops of unsupported protocols (IPv6, Bad / Unintended VLAN tags, and so on). However, if the drops happen for some other reason, then you should use this article to start investigating why this network interface is dropping packets. Once the cause is known, the operation of the appliance can also be optimized.
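Because RX-DRP only ever grows, a single reading says little; what matters is how fast it grows relative to received traffic. The script below is an added example, not part of the original article: it compares two `netstat -i` snapshots and reports the drop share per interface. The snapshots, the function name `rx_drop_report` and the 1% threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example. SNAP1/SNAP2 are constructed `netstat -i` snapshots taken
# some minutes apart; interface names and counters are made up.
SNAP1='Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  1000000      0    120      0   900000      0      0      0 BMRU
eth1       1500   0  5000000      0   1000      0  4800000      0      0      0 BMRU
lo        16436   0    20000      0      0      0    20000      0      0      0 LRU'
SNAP2='Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  1050000      0    125      0   940000      0      0      0 BMRU
eth1       1500   0  5090000      0  11000      0  4870000      0      0      0 BMRU
lo        16436   0    20500      0      0      0    20500      0      0      0 LRU'

# rx_drop_report BEFORE AFTER [MIN_PCT]
# Prints "iface new_drops new_rx_ok drop_pct" for each interface whose share of
# dropped packets in the interval is at least MIN_PCT (hypothetical threshold, default 0).
rx_drop_report() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -v min="${3:-0}" '
        $1 == "---"   { second = 1; next }        # separator between snapshots
        $1 == "Iface" {                           # find columns by name: layout
            for (i = 1; i <= NF; i++) {           # differs between net-tools versions
                if ($i == "RX-OK")  ok  = i
                if ($i == "RX-DRP") drp = i
            }
            next
        }
        !ok || $1 == "Kernel" { next }            # skip banner lines
        !second { ok1[$1] = $ok; drp1[$1] = $drp; next }
        ($1 in ok1) {
            d = $drp - drp1[$1]                   # drops during the interval
            p = $ok  - ok1[$1]                    # packets received during the interval
            pct = (d + p > 0) ? 100 * d / (d + p) : 0
            if (pct >= min) printf "%s %d %d %.2f\n", $1, d, p, pct
        }'
}

# Interfaces that dropped at least 1% of received packets between the snapshots.
rx_drop_report "$SNAP1" "$SNAP2" 1
```

On a live gateway the two arguments would be `"$(netstat -i)"` captured at two points in time.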

If the Monitoring blade is enabled, you can view these metrics graphically in SmartConsole by clicking on the object and selecting Device & License Information.

It is not recommended to leave the Monitoring blade enabled permanently, but enabling it for a day as a test is quite possible.

In addition, you can add more parameters to monitor; one of them is very useful: Bytes Throughput (appliance bandwidth).

If there is some other monitoring system, for example the free Zabbix, which is based on SNMP, it is also suitable for detecting these problems.

2. RAM "leaks" over time

The question often comes up that, over time, the gateway or management server starts consuming more and more RAM. I want to reassure you: this is a normal story for Linux-like systems.

Looking at the output of the free -m and cpstat -f memory os commands on the appliance in expert mode, you can calculate and view all RAM-related parameters.

Based on the memory available on the gateway at a given moment, Free Memory + Buffers Memory + Cached Memory = +-1.5 GB, as a rule.

As Check Point says, over time the gateway/management server gets optimized and uses more and more memory, up to about 80% utilization, and then stops. You can reboot the device and the figure will reset. 1.5 GB of free RAM is definitely enough for the gateway to perform all its tasks, and the management server rarely reaches such threshold values.

The output of the commands mentioned will also show how much Low memory (RAM in user space) and High memory (RAM in kernel space) is in use.

Kernel processes (including active modules such as the Check Point kernel modules) use only Low memory. User processes, however, can use both Low and High memory. Moreover, Low memory is approximately equal to Total memory.

You should worry only if the logs contain errors such as "modules reboot or processes being killed to reclaim memory due to OOM (Out of memory)". Then you should reboot the gateway and contact support if the reboot does not help.

A full description can be found in sk99547 and sk99593.
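The two checks from this section, as an added example that is not part of the original article: sum Free + Buffers + Cached from `free -m` output, and treat memory as a problem only when the log shows OOM-killer activity. The `free -m` output, the log lines and the function names are constructed; the log patterns are the standard Linux kernel OOM messages.

```shell
#!/bin/sh
# Added example. FREE_OUT is a constructed `free -m` output (older procps
# layout); LOG_SAMPLE is a constructed excerpt in /var/log/messages style.
FREE_OUT='             total       used       free     shared    buffers     cached
Mem:          7872       7452        420          0        180        900
-/+ buffers/cache:       6372       1500
Swap:         8189          0       8189'
LOG_SAMPLE='Mar  3 02:10:11 gw1 kernel: exampled invoked oom-killer: gfp_mask=0x201d2, order=0
Mar  3 02:10:11 gw1 kernel: Out of memory: Killed process 9123 (exampled).
Mar  3 02:11:40 gw1 sshd[4321]: Accepted publickey for admin from 192.0.2.10'

# reclaimable_mb FREE_TEXT
# Free + Buffers + Cached in MB (buff/cache on newer procps layouts).
reclaimable_mb() {
    printf '%s\n' "$1" | awk '
        $1 == "total" {     # header has no row label: header column i is field i+1 of "Mem:"
            for (i = 1; i <= NF; i++)
                if ($i == "free" || $i == "buffers" || $i == "cached" || $i == "buff/cache")
                    want[i + 1] = 1
            next
        }
        $1 == "Mem:" { for (f in want) sum += $f; print sum + 0 }'
}

# oom_events LOG_TEXT
# Number of log lines that record the kernel OOM killer at work.
oom_events() {
    printf '%s\n' "$1" | grep -c -i -E 'invoked oom-killer|out of memory' || true
}

# memory_verdict FREE_TEXT LOG_TEXT
# High usage alone is normal; only OOM lines call for action.
memory_verdict() {
    n=$(oom_events "$2")
    if [ "$n" -gt 0 ]; then
        echo "investigate: $n OOM line(s) in log"
    else
        echo "normal: $(reclaimable_mb "$1") MB free+buffers+cached, no OOM lines in log"
    fi
}

memory_verdict "$FREE_OUT" "$LOG_SAMPLE"
```

On a live system the arguments would be `"$(free -m)"` and the contents of the system log.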

3. Optimization

Below are questions and answers about CPU and RAM optimization. Answer them honestly for yourself and heed the recommendations.

3.1. Was the appliance sized correctly? Was there a pilot project?

Even with correct sizing, the network may simply have grown, and this hardware can no longer cope with the load. The second possibility is that there was no sizing as such.

3.2. Is HTTPS inspection enabled? If so, is the technology configured according to Best Practice?

Refer to the article if you are a customer, or to sk108202.

The order of rules in the HTTPS inspection policy is very important for optimizing the opening of HTTPS sites.

Recommended rule order:

  1. Bypass rules with categories/URLs
  2. Inspect rules with categories/URLs
  3. Inspect rules for all other categories

By analogy with the firewall policy, Check Point looks for a packet match from top to bottom, so bypass rules are best placed at the top: the gateway will not waste resources running through all the rules if the packet is to be bypassed.

3.3. Are address-range objects used?

Objects with an address range, for example the network 192.168.0.0-192.168.5.0, consume considerably more RAM than 5 network objects. In general, it is considered good practice to delete unused objects in SmartConsole, since every time a policy is installed the gateway and management server spend resources and, most importantly, time verifying and applying the policy.

3.4. How is the Threat Prevention policy configured?

First of all, Check Point recommends moving IPS into a separate profile and creating separate rules for this blade.

For example, an administrator decides that the DMZ segment should be protected by IPS only. So that the gateway does not waste resources processing packets with other blades, a dedicated rule must be created for this segment with a profile in which only IPS is enabled.

As for configuring profiles, it is recommended to set them up according to the best practices in this document (pages 17-20).

3.5. How many signatures are in Detect mode in the IPS settings?

It is recommended to work through the signatures thoroughly, in the sense that unused signatures should be disabled (for example, signatures for Adobe products require a lot of computing power, and if the customer has no such products it makes sense to disable them). Then set Prevent instead of Detect wherever possible, because in Detect mode the gateway spends resources processing the entire connection, whereas in Prevent mode it drops the connection immediately and does not waste resources on full processing of the packet.

3.6. Which files are processed by the Threat Emulation, Threat Extraction and Anti-Virus blades?

It makes no sense to emulate and analyze files with extensions that your users do not download or that you consider unnecessary on your network (for example, bat and exe files can easily be blocked with the Content Awareness blade at the firewall level, so fewer gateway resources are spent). Moreover, in the Threat Emulation settings you can choose the environment (operating system) in which threats are emulated in the sandbox, and selecting a Windows 7 environment when all users work with version 10 also makes no sense.

3.7. Are the firewall and Application layer rules arranged according to best practice?

If a rule has many hits (matches), it is recommended to place it near the very top, and rules with few hits at the very bottom. The main thing is to make sure they do not overlap or shadow one another. Recommended firewall policy architecture:

Explanations:

First Rules: rules with the largest number of matches are placed here
Noise Rule: a rule for dropping spurious traffic such as NetBIOS
Stealth Rule: denies access to the gateways and management servers for everyone except the sources specified in the Authentication to Gateway Rules
Clean-Up, Last and Drop Rules are usually combined into a single rule that prohibits everything not previously allowed

Best practice details are described in sk106597.

3.8. What settings do the services created by administrators have?

For example, some TCP service is created on a specific port, and it makes sense to clear the "Match for Any" checkbox in the service's Advanced settings. In that case, the service will fall specifically under the rule in which it appears and will not take part in rules where Any is in the Service column.

Speaking of services, it is worth mentioning that sometimes the timeouts need tuning. This setting lets you use gateway resources more wisely, so that TCP/UDP sessions are not held for extra time for protocols that do not need a long timeout. For example, in the screenshot below, I changed the timeout of the domain-udp service from 40 seconds to 30 seconds.

3.9. Is SecureXL in use, and what is the acceleration percentage?

You can check how well SecureXL is working with the main commands in expert mode on the gateway: fwaccel stat and fwaccel stats -s. Next, you need to work out what kind of traffic is being accelerated and what additional templates can be created.

Drop Templates are not enabled by default; enabling them will have a positive effect on SecureXL performance. To do this, go to the gateway settings and the Optimizations tab:

Also, when working with a cluster, to optimize CPU you can disable synchronization of non-critical services such as UDP DNS, ICMP and others. To do this, go to the service settings → Advanced → Synchronize connections if State Synchronization is enabled on the cluster.

All Best Practices are described in sk98348.

3.10. How is CoreXL used?

CoreXL technology, which lets you use multiple CPUs for Firewall instances (firewall modules), definitely helps optimize device performance. To begin with, the fw ctl affinity -l -a command shows the Firewall instances in use and the processors assigned to the SND (the module that distributes traffic to the firewall instances). If not all processors are in use, they can be added with the cpconfig command on the gateway.
Another good move is to install the hotfix that enables Multi-Queue. Multi-Queue solves the problem where the processor running the SND is heavily utilized while the firewall instances on the other processors sit idle. The SND is then able to create multiple queues for a single NIC and set different priorities for different traffic at the kernel level. As a result, CPU cores are used more wisely. The methods are also described in sk98348.

In conclusion, I would like to say that these are far from all the Best Practices for optimizing Check Point, but they are the most popular. If you would like to request an audit of your security policy or help resolving a Check Point problem, please contact [email protected].

Thank you for your attention!

source: www.habr.com
