Check Point: CPU and RAM optimization

Hello colleagues! Today I would like to discuss a topic that matters to many Check Point administrators: "CPU and RAM optimization". It is not unusual for a gateway and/or management server to consume unexpectedly large amounts of these resources, and one would like to understand where they are "leaking" and, if possible, use them more wisely.

1. Analysis

To analyze processor load, it is useful to use the following commands, which are entered in expert mode:

top - shows all processes, the amount of CPU and RAM resources consumed as a percentage, uptime, process priority and more, in real time

cpwd_admin list - the Check Point WatchDog Daemon, which shows all appliance modules, their PID, status and number of starts

cpstat -f cpu os - CPU usage, the number of CPUs and the distribution of processor time as a percentage

cpstat -f memory os - RAM usage: how much is active, how much RAM is free, and so on

A useful note: everything the cpstat commands report can also be viewed with the cpview utility. To do this, simply enter the cpview command from any mode in an SSH session.

ps auxwf - a long list of all processes, their ID, occupied virtual memory and memory in RAM, CPU

Another variation of the command:

ps -aF - shows the most expensive process

fw ctl affinity -l -a - the distribution of cores among the different firewall instances, that is, CoreXL technology

fw ctl pstat - analysis of RAM and general indicators for connections, cookies, NAT

free -m - RAM buffer

The netstat command and its variations deserve more attention. For example, netstat -i can help with the task of monitoring clipboards. The RX dropped packets (RX-DRP) parameter in the output of this command usually grows by itself because of drops of illegitimate protocols (IPv6, Bad / Unintended VLAN tags, and others). However, if the drops happen for another reason, you should use this article to start investigating why this network interface is dropping packets. Once the cause is known, the operation of the appliance can also be optimized.
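To separate the usual slow RX-DRP growth from drops worth investigating, compare two netstat -i snapshots taken some time apart. The script below is an added example, not part of the original article; the function name, the threshold and the sample snapshots are constructed for illustration.

```sh
#!/bin/sh
# Added example: report interfaces whose RX-DRP counter grew between two
# `netstat -i` snapshots. The sample snapshots are constructed.
SAMPLE_BEFORE='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 1204531      0    120      0  984532      0      0      0 BMRU
eth1   1500   0  530211      0     15      0  410020      0      0      0 BMRU
lo    16436   0   80211      0      0      0   80211      0      0      0 LRU'

SAMPLE_AFTER='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 1310877      0   4820      0 1050113      0      0      0 BMRU
eth1   1500   0  561904      0     17      0  433518      0      0      0 BMRU
lo    16436   0   80950      0      0      0   80950      0      0      0 LRU'

# rx_drp_growth BEFORE AFTER [THRESHOLD]
# Prints "iface delta" for every interface whose RX-DRP grew by more than
# THRESHOLD (default 0). The RX-DRP column is found by header name because
# its position differs between net-tools versions (some omit "Met").
rx_drp_growth() {
    printf '%s\n' "$1" "@@NEXT@@" "$2" | awk -v t="${3:-0}" '
        $1 == "@@NEXT@@" { second = 1; col = 0; next }   # start of 2nd snapshot
        $1 == "Iface" {                                   # header: locate column
            col = 0
            for (i = 1; i <= NF; i++) if ($i == "RX-DRP") col = i
            next
        }
        !col || NF < col { next }                         # banner or short line
        !second { old[$1] = $col; next }                  # remember first value
        ($1 in old) && ($col - old[$1] > t) { print $1, $col - old[$1] }
    '
}

# On a live gateway (expert mode) the snapshots would be taken like this:
#   a=$(netstat -i); sleep 300; b=$(netstat -i); rx_drp_growth "$a" "$b" 100
rx_drp_growth "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 100
```
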


If the Monitoring blade is enabled, you can view these metrics graphically in SmartConsole by clicking on an object and selecting Device & License Information.

It is not recommended to keep the Monitoring blade enabled permanently, but it is perfectly fine for a day of testing.

In addition, you can add more parameters for monitoring; one of them is very useful: Bytes Throughput (appliance bandwidth).

If there is another monitoring system, for example the free Zabbix, which is based on SNMP, it is also suitable for detecting these problems.

2. RAM "leaks" over time

The question often comes up that, over time, the gateway or management server starts using more and more RAM. I want to reassure you: this is normal behaviour for Linux-like systems.

Looking at the output of the commands free -m and cpstat -f memory os on the appliance from expert mode, you can calculate and view all the parameters related to RAM.

Based on the memory available on the gateway at the moment, Free Memory + Buffers Memory + Cached Memory = +-1.5 GB, as a rule.

As the SR says, over time the gateway / management server optimizes itself and uses more and more memory, up to about 80 percent utilization, and then stops. You can reboot the device and the indicator will reset. 80 GB of free RAM is certainly enough for the gateway to perform all its tasks, and management rarely reaches such threshold values.

The output of the commands mentioned will also show how much low memory (RAM in user space) and high memory (RAM in kernel space) is in use.

Kernel processes (including active modules such as the Check Point kernel modules) use only Low memory. User processes, however, can use both Low and High memory. Moreover, Low memory is approximately equal to Total Memory.

You should worry only if there are errors in the logs such as "modules reboot or processes being killed to reclaim memory due to OOM (Out of memory)". In that case you should reboot the gateway and contact support if the reboot does not help.

A full description can be found in sk99547 and sk99593.
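The Free + Buffers + Cached calculation and the "worry only on OOM" rule from this section can be checked together. The script below is an added example, not part of the original article; the function names, the free -m output and the log lines are constructed, and the OOM pattern assumes the standard Linux kernel message wording.

```sh
#!/bin/sh
# Added example: compute Free + Buffers + Cached from `free -m` output and
# raise a flag only when the log shows OOM kills. Sample data is constructed.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:          7862       7421        441          0        312        790
-/+ buffers/cache:       6319       1543
Swap:        16386          0      16386'

SAMPLE_LOG='Jan 10 03:12:44 gw1 kernel: fwd invoked oom-killer: gfp_mask=0x201d2, order=0
Jan 10 03:12:45 gw1 kernel: Out of memory: Killed process 14522 (fwd).'

# available_mb FREE_OUTPUT -> MB that are free or reclaimable from caches.
# Columns are located by header name; the header row has no "Mem:" label,
# so data fields are shifted right by one. Newer procps prints a single
# "buff/cache" column that already combines buffers and cache.
available_mb() {
    printf '%s\n' "$1" | awk '
        $1 == "total" { for (i = 1; i <= NF; i++) col[$i] = i + 1; next }
        $1 == "Mem:" && ("free" in col) {
            if ("buff/cache" in col) cache = $(col["buff/cache"])
            else cache = $(col["buffers"]) + $(col["cached"])
            print $(col["free"]) + cache
        }'
}

# oom_events LOG_TEXT -> number of kernel OOM kill messages in the text.
oom_events() {
    printf '%s\n' "$1" | awk '/Out of memory: Kill/ { n++ } END { print n + 0 }'
}

# memory_verdict FREE_OUTPUT LOG_TEXT
# High utilization alone is treated as normal; only OOM kills are flagged.
memory_verdict() {
    avail=$(available_mb "$1")
    kills=$(oom_events "$2")
    if [ "$kills" -gt 0 ]; then
        echo "investigate: $kills OOM kill(s) logged, ${avail} MB free+buffers+cached"
    else
        echo "normal: no OOM kills, ${avail} MB free+buffers+cached"
    fi
}

# On a live system: memory_verdict "$(free -m)" "$(cat /var/log/messages)"
memory_verdict "$SAMPLE_FREE" "$SAMPLE_LOG"
```
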

3. Optimization

Below are questions and answers on CPU and RAM optimization. You should answer them honestly for yourself and heed the recommendations.

3.1. Was the appliance chosen correctly? Was there a pilot project?

Even with proper sizing, the network could simply have grown, and this equipment can no longer cope with the load. The second possibility is that there was no sizing as such.

3.2. Is HTTPS inspection enabled? If so, is the technology configured according to Best Practice?

Refer to the article, if you are our customer, or to sk108202.

The order of rules in the HTTPS inspection policy matters a great deal for optimizing the opening of HTTPS sites.

Recommended rule order:

  1. Bypass rules with categories/URLs
  2. Inspect rules with categories/URLs
  3. Inspect rules for all other categories

By analogy with the firewall policy, Check Point looks for a packet match from top to bottom, so bypass rules are best placed at the top: the gateway will then not waste resources running through all the rules when the packet needs to be bypassed.

3.3. Are address-range objects used?

Objects with an address range, such as the network 192.168.0.0-192.168.5.0, consume significantly more RAM than 5 network objects. In general, it is considered good practice to delete unused objects in SmartConsole, because every time a policy is installed, the gateway and the management server spend resources and, most importantly, time on verifying and applying the policy.

3.4. How is the Threat Prevention policy configured?

First of all, Check Point recommends moving IPS into a separate profile and creating separate rules for this blade.

For example, an administrator decides that the DMZ segment should be protected only by IPS. So that the gateway does not waste resources processing packets with other blades, a rule must be created specifically for this segment with a profile in which only IPS is enabled.

As for configuring profiles, it is recommended to set them up according to the best practices in this document (pages 17-20).

3.5. How many signatures are in Detect mode in the IPS settings?

It is recommended to work through the signatures thoroughly, in the sense that unused signatures should be disabled (for example, signatures for Adobe products require a lot of computing power, and if the customer has no such products, it makes sense to disable those signatures). Then set Prevent instead of Detect wherever possible, because in Detect mode the gateway spends resources processing the entire connection, whereas in Prevent mode it drops the connection and does not spend resources on full processing of the packet.

3.6. Which files are processed by the Threat Emulation, Threat Extraction and Anti-Virus blades?

It makes no sense to emulate and analyze files with extensions that your users do not download or that you consider unnecessary on your network (for example, bat and exe files can easily be blocked with the Content Awareness blade at the firewall level, so fewer gateway resources will be spent). Moreover, in the Threat Emulation settings you can select the Environment (operating system) used to emulate threats in the sandbox, and setting the Windows 7 environment when all users work with version 10 also makes no sense.

3.7. Are the firewall and Application layer rules arranged according to best practice?

If a rule has many hits (matches), it is recommended to place it at the top, and rules with few hits at the very bottom. The main thing is to make sure the rules do not conflict with or overlap one another. Recommended firewall policy architecture:

Explanations:

First Rules - the rules with the largest number of hits are placed here
Noise Rule - a rule for dropping spurious traffic such as NetBIOS
Stealth Rule - denies access to gateways and management for everyone except the sources specified in the Authentication to Gateway Rules
Clean-Up, Last and Drop Rules are usually combined into a single rule that denies everything that was not allowed earlier

The best-practice details are described in sk106597.

3.8. What settings do the services created by administrators have?

For example, a TCP service is created on a particular port, and it makes sense to uncheck "Match for Any" in the Advanced settings of the service. In that case the service will fall specifically under the rule in which it appears, and will not take part in rules where Any is in the Services column.

Speaking of services, it is worth mentioning that timeouts sometimes need tuning. This setting lets you use gateway resources wisely, so that extra TCP/UDP session time is not kept for protocols that do not need a long timeout. For example, in the screenshot below, I changed the timeout of the domain-udp service from 40 seconds to 30.

3.9. Is SecureXL used, and what is the acceleration percentage?

You can check the state of SecureXL with the main commands in expert mode on the gateway: fwaccel stat and fwaccel stats -s. Next, you need to find out what kind of traffic is being accelerated and which additional templates can be created.

By default, Drop Templates are not enabled; enabling them has a positive effect on SecureXL performance. To do this, go to the gateway settings and open the Optimizations tab:

Also, when working with a cluster, you can reduce CPU load by disabling synchronization of non-critical services, such as UDP DNS, ICMP and others. To do this, go to the service settings → Advanced → Synchronize connections if State Synchronization is enabled on the cluster.

All the Best Practices are described in sk98348.

3.10. How is CoreXL used?

CoreXL technology, which lets you use multiple CPUs for firewall instances (firewall modules), definitely helps optimize device performance. To begin with, the command fw ctl affinity -l -a shows the firewall instances in use and the processors assigned to the SND (the module that distributes traffic to the firewall instances). If not all processors are in use, they can be added with the cpconfig command on the gateway.
Another good step is to install the hotfix that enables Multi-Queue. Multi-Queue solves the problem where the processor running the SND is used at a high percentage while the firewall instances on the other processors sit idle. The SND is then able to create multiple queues for a single NIC and set different priorities for different traffic at the kernel level. As a result, the CPU cores are used more intelligently. The methods are also described in sk98348.

In conclusion, I would like to say that these are far from all the Best Practices for optimizing Check Point, but they are the most popular ones. If you would like to request an audit of your security policy or resolve a Check Point issue, please contact [email protected].

Thank you for your attention!

Source: www.habr.com
