Moni anzanu! Lero ndikufuna kukambirana za mutu woyenera kwambiri kwa oyang'anira ambiri a Check Point, "CPU ndi Kukhathamiritsa kwa RAM". Si zachilendo kuti chipata ndi / kapena seva yoyang'anira iwononge zambiri mwazinthuzi mosayembekezereka, ndipo wina angafune kumvetsetsa kumene "amadumphira" ndipo, ngati n'kotheka, azigwiritsa ntchito mwaluso.
1. Kusanthula
Kusanthula purosesa katundu, ndi zothandiza kugwiritsa ntchito malamulo awa, amene analowa mumalowedwe akatswiri:
pamwamba ikuwonetsa njira zonse, kuchuluka kwazinthu za CPU ndi RAM zomwe zimadyedwa muperesenti, nthawi yokwera, ntchito yofunika kwambiri komanso mu nthawi yeniyeniΠΈ
cpwd_admin mndandanda Onani Point WatchDog Daemon, yomwe imawonetsa ma module onse ogwiritsira ntchito, PID yawo, mawonekedwe, ndi kuchuluka kwamayendedwe
cpstat -f cpu os Kugwiritsa ntchito CPU, chiwerengero chawo ndi kugawa nthawi ya purosesa mu peresenti
cpstat -f kukumbukira os kugwiritsa ntchito pafupifupi RAM, kuchuluka kwachangu, RAM yaulere ndi zina zambiri
Ndemanga yolondola ndikuti malamulo onse a cpstat amatha kuwonedwa pogwiritsa ntchito zofunikira cp view. Kuti muchite izi, muyenera kungolowetsa lamulo la cpview kuchokera munjira iliyonse mu gawo la SSH.
ps uwu mndandanda wautali wa njira zonse, ID yawo, kukumbukira kukumbukira ndi kukumbukira mu RAM, CPU
Kusiyana kwina kwa lamulo:
ps-aF onetsani njira yodula kwambiri
fw ctl kuyanjana -l -a kugawa ma cores pazochitika zosiyanasiyana za firewall, ndiko kuti, ukadaulo wa CoreXL
fw ctl pstat Kusanthula kwa RAM ndi zisonyezo wamba zolumikizirana, makeke, NAT
-m RAM buffer
Gululo likuyenera kusamalidwa mwapadera. netsa ndi kusiyanasiyana kwake. Mwachitsanzo, netstat -i zingathandize kuthetsa vuto loyang'anira ma clipboard. The parameter, RX waponya mapaketi (RX-DRP) mu linanena bungwe la lamulo limakonda kukula palokha chifukwa cha zoletsedwa protocol madontho (IPv6, Bad / Osayembekezereka VLAN tags, ndi ena). Komabe, ngati madontho achitika pazifukwa zina, ndiye kuti muyenera kugwiritsa ntchito izi kuti muyambe kufufuza chifukwa chake mawonekedwe a netiweki akugwetsa mapaketi. Podziwa chomwe chimayambitsa, ntchito ya pulogalamuyo imatha kukonzedwanso.
Ngati tsamba la Monitoring layatsidwa, mutha kuwona ma metric awa mu SmartConsole podina chinthu ndikusankha Chidziwitso cha Chipangizo & License.
Sitikulimbikitsidwa kuti muzitha kuyang'anira tsamba la Monitoring mosalekeza, koma ndizotheka tsiku loyesa.
Komanso, mutha kuwonjezera magawo owunikira, imodzi mwazo ndiyothandiza kwambiri - Bytes Throughput (appline bandwidth).
Ngati pali njira ina yowunikira, mwachitsanzo, yaulere , yomwe idakhazikitsidwa pa SNMP, ndiyoyeneranso kuzindikira mavutowa.
2. RAM "imatha" pakapita nthawi
Nthawi zambiri funso limabwera kuti pakapita nthawi, chipata kapena seva yoyang'anira imayamba kudya RAM yochulukirapo. Ndikufuna kukutsimikizirani: iyi ndi nkhani yabwinobwino pamakina ngati Linux.
Kuyang'ana zotsatira za lamulo -m ΠΈ cpstat -f kukumbukira os pa pulogalamu yochokera ku akatswiri, mutha kuwerengera ndikuwona magawo onse okhudzana ndi RAM.
Kutengera kukumbukira komwe kulipo pachipata pakadali pano Kukumbukira Kwaulere + Memory ya Buffers + Memory Cached = + - 1.5 GB, kawirikawiri.
Monga SR imanenera, pakapita nthawi seva yolowera / kasamalidwe imakonzedwa bwino ndipo imagwiritsa ntchito kukumbukira zambiri, mpaka pafupifupi 80% kugwiritsa ntchito, ndikuyima. Mukhoza kuyambiransoko chipangizo ndiyeno chizindikiro adzakhala bwererani. 1.5 GB ya RAM yaulere ndiyokwanira kuti chipata chigwire ntchito zonse, ndipo kasamalidwe sikamafika pazigawo zotere.
Komanso, zotsatira za malamulo otchulidwawo zidzasonyeza kuchuluka kwa zomwe muli nazo kukumbukira kochepa (RAM mu malo ogwiritsa ntchito) ndi kukumbukira kwambiri (RAM mu kernel space) yogwiritsidwa ntchito.
Njira za Kernel (kuphatikiza ma module omwe akugwira ntchito monga Check Point kernel modules) amangogwiritsa ntchito kukumbukira kochepa. Komabe, njira za ogwiritsa ntchito zimatha kugwiritsa ntchito kukumbukira kwa Low ndi High. Komanso, Low memory ndi pafupifupi wofanana ndi Kukumbukira Kwathunthu.
Muyenera kuda nkhawa ngati pali zolakwika muzolemba "ma module ayambiranso kapena njira zomwe zimaphedwa kuti zibwezeretse kukumbukira chifukwa cha OOM (Osakumbukira)". Kenako muyenera kuyambitsanso chipata ndikulumikizana ndi chithandizo ngati kuyambiranso sikuthandiza.
Kufotokozera kwathunthu kungapezeke mu ΠΈ .
3. Kukhathamiritsa
Pansipa pali mafunso ndi mayankho okhudza kukhathamiritsa kwa CPU ndi RAM. Muyenera kuwayankha moona mtima kwa inu nokha ndikumvera malingaliro.
3.1. Kodi mzerewu unasankhidwa molondola? Kodi panali ntchito yoyeserera?
Ngakhale kukula koyenera, maukonde amatha kukula, ndipo zida izi sizingathe kuthana ndi katunduyo. Njira yachiwiri, ngati panalibe kukula kwake.
3.2. Kodi kuyendera kwa HTTPS ndikololedwa? Ngati ndi choncho, kodi ukadaulo umapangidwa molingana ndi Best Practice?
Onani ku ngati ndinu kasitomala wathu, kapena .
Dongosolo la malamulo mu mfundo zowunikira za HTTPS ndizofunikira kwambiri pakukwaniritsa kutsegulidwa kwa masamba a HTTPS.
Ndondomeko zovomerezeka:
- Malamulo a bypass okhala ndi magulu/ma URL
- fufuzani malamulo ndi magulu/ma URL
- Onani malamulo amagulu ena onse
Poyerekeza ndi ndondomeko ya firewall, Check Point imayang'ana paketi ya paketi kuchokera pamwamba mpaka pansi, kotero kuti malamulo odutsa amaikidwa bwino pamwamba, popeza chipata sichidzawononga zipangizo poyendetsa malamulo onse ngati paketi iyi iyenera kudumpha.
3.3 Kodi zinthu zamaadiresi zimagwiritsidwa ntchito?
Zinthu zokhala ndi ma adilesi osiyanasiyana, monga netiweki 192.168.0.0-192.168.5.0, zimadya kwambiri RAM kuposa zinthu 5 zama network. Kawirikawiri, zimaonedwa kuti ndizochita bwino kuchotsa zinthu zomwe sizinagwiritsidwe ntchito mu SmartConsole, popeza nthawi iliyonse ndondomeko ikakhazikitsidwa, seva yolowera pakhomo ndi yoyang'anira imagwiritsa ntchito chuma ndipo, chofunika kwambiri, nthawi yotsimikizira ndi kugwiritsa ntchito ndondomekoyi.
3.4. Kodi ndondomeko ya Threat Prevention imakonzedwa bwanji?
Choyamba, Check Point imalimbikitsa kusuntha IPS ku mbiri yosiyana ndikupanga malamulo osiyana a tsamba ili.
Mwachitsanzo, woyang'anira akuganiza kuti gawo la DMZ liyenera kutetezedwa ndi IPS. Chifukwa chake, kuti chipata chisawononge chuma pakukonza mapaketi ndi masamba ena, ndikofunikira kupanga lamulo makamaka pagawo ili ndi mbiri yomwe IPS yokha imayatsidwa.
Ponena za kukhazikitsa mbiri, tikulimbikitsidwa kuti tiyike molingana ndi machitidwe abwino mu izi ( masamba 17-20 ).
3.5. Ndi masiginecha angati mu Detect mode mumakonzedwe a IPS?
Ndibwino kuti tigwire ntchito molimbika pa siginecha chifukwa chakuti siginecha yosagwiritsidwa ntchito iyenera kuyimitsidwa (mwachitsanzo, siginecha yogwiritsira ntchito zinthu za Adobe imafunikira mphamvu zambiri zamakompyuta, ndipo ngati kasitomala alibe zinthu zotere, ndizomveka kuletsa. ma signature). Kenako ikani Kuteteza m'malo mwa Dziwani ngati kuli kotheka, chifukwa chipatacho chimagwiritsa ntchito zothandizira pokonza kugwirizana konse mu Detect mode, mu Prevent mode nthawi yomweyo imagwetsa kugwirizanako ndipo sichiwononga chuma pakukonzekera kwathunthu kwa paketi.
3.6. Ndi mafayilo ati omwe amakonzedwa ndi Mayeso a Threat Emulation, Threat Extraction, Anti-Virus masamba?
Palibe zomveka kutsanzira ndikusanthula mafayilo owonjezera omwe ogwiritsa ntchito samatsitsa kapena mumawona kuti sizofunikira pamanetiweki (mwachitsanzo, bat, exe mafayilo amatha kutsekedwa mosavuta pogwiritsa ntchito tsamba la Content Awareness pamlingo wa firewall, kotero zothandizira pachipata zikhala adawononga pang'ono). Komanso, muzosintha za Threat Emulation, mutha kusankha Chilengedwe (machitidwe ogwiritsira ntchito) kutengera zowopseza mu sandbox ndikuyika Chilengedwe Windows 7 pomwe ogwiritsa ntchito onse akugwira ntchito ndi mtundu wa 10, sizomveka.
3.7. Kodi malamulo a firewall ndi Application layer layer amayikidwa molingana ndi machitidwe abwino?
Ngati lamulo liri ndi zovuta zambiri (machesi), ndiye kuti tikulimbikitsidwa kuziyika pamwamba kwambiri, ndikulamulira ndi kugunda kochepa - pansi kwambiri. Chachikulu ndikuwonetsetsa kuti zisadumphane komanso kuti zisagwirizane. Zomangamanga zovomerezeka za firewall:
Zofotokozera:
Malamulo Oyamba - malamulo omwe ali ndi machesi ambiri aikidwa apa
Ulamuliro wa Noise - lamulo loletsa magalimoto achinyengo monga NetBIOS
Stealth Rule - kuletsa kulowa pazipata ndi kasamalidwe kwa onse, kupatula zomwe zidanenedwa mu Kutsimikizika kwa Malamulo a Gateway
Malamulo Oyeretsa, Omaliza ndi Ogwetsa nthawi zambiri amaphatikizidwa kukhala lamulo limodzi kuti aletse chilichonse chomwe sichinali chololedwa kale.
Zochita zabwino kwambiri zimafotokozedwa mu .
3.8. Ndi zochunira zotani pazithandizo zopangidwa ndi oyang'anira?
Mwachitsanzo, ntchito ina ya TCP ikupangidwa pa doko linalake, ndipo ndizomveka kuti musayang'ane "Match for Any" muzokonda Zapamwamba za utumiki. Pankhaniyi, ntchitoyi idzagwera mwachindunji pansi pa lamulo lomwe likuwonekera, ndipo silingatenge nawo mbali pamalamulo omwe Aliyense ali mu gawo la Services.
Ponena za mautumiki, ndiyenera kutchula kuti nthawi zina zimakhala zofunikira kusintha nthawi. Kukonzekera uku kukuthandizani kuti mugwiritse ntchito zida zapazipata mwanzeru, kuti musasunge nthawi yowonjezera ya TCP / UDP pama protocol omwe safunikira nthawi yayitali. Mwachitsanzo, pazithunzi pansipa, ndidasintha nthawi yopuma ya domain-udp kuchoka pa masekondi 40 kukhala masekondi 30.
3.9. Kodi SecureXL imagwiritsidwa ntchito ndipo kuchuluka kwa mathamangitsidwe ndi chiyani?
Mutha kuyang'ana mtundu wa SecureXL ndi malamulo akulu mumachitidwe odziwa pachipata fwaccel stat ΠΈ fw accelstats -s. Chotsatira, muyenera kudziwa kuti ndi mtundu wanji wamagalimoto omwe akuchulukirachulukira, ndi ma templates (ma template) omwe mungapange zambiri.
Mwachikhazikitso, Drop Templates saloledwa, kuwapangitsa kukhala ndi zotsatira zabwino pakugwira ntchito kwa SecureXL. Kuti muchite izi, pitani ku zoikamo pachipata ndi tabu ya Optimizations:
Komanso, pogwira ntchito ndi gulu, kukhathamiritsa CPU, mutha kuletsa kulumikizana kwazinthu zosafunikira, monga UDP DNS, ICMP, ndi ena. Kuti muchite izi, pitani ku zoikamo zautumiki β Advanced β Synchronize maulumikizidwe a State Synchronization yayatsidwa pagulu.
Zochita Zabwino Zonse zikufotokozedwa mu .
3.10. Kodi CoreXl imagwiritsidwa ntchito bwanji?
Ukadaulo wa CoreXL, womwe umakupatsani mwayi wogwiritsa ntchito ma CPU angapo pama firewall (ma module a firewall), amathandizira kukhathamiritsa magwiridwe antchito a chipangizocho. Team choyamba fw ctl kuyanjana -l -a idzawonetsa zochitika za firewall zomwe zimagwiritsidwa ntchito ndi mapurosesa omwe aperekedwa ku SND yofunikira (module yomwe imagawira magalimoto ku mabungwe a firewall). Ngati si mapurosesa onse omwe akukhudzidwa, akhoza kuwonjezeredwa ndi lamulo cpconfig pachipata.
Komanso nkhani yabwino ndikuyika kuti mutsegule Multi-Queue. Multi-Queue amathetsa vuto pamene purosesa yokhala ndi SND imagwiritsidwa ntchito ndi maperesenti ambiri, ndipo zochitika zozimitsa moto pa mapurosesa ena sizigwira ntchito. Kenako SND imatha kupanga mizere yambiri ya NIC imodzi ndikuyika zofunika kwambiri pamagalimoto osiyanasiyana pamlingo wa kernel. Chifukwa chake, ma CPU cores adzagwiritsidwa ntchito mwanzeru. Njira zimafotokozedwanso mu .
Pomaliza, ndikufuna kunena kuti izi ndizotalikirana ndi Njira Zabwino Kwambiri pakuwongolera Check Point, koma zodziwika kwambiri. Ngati mungafune kupempha kuwunikiridwa kwa mfundo zanu zachitetezo kapena kuthetsa vuto la Check Point, chonde lemberani [imelo ndiotetezedwa].
Zikomo chifukwa cha chidwi chanu!
Source: www.habr.com