Molweni balingane! Namhlanje ndingathanda ukuxoxa ngesihloko esifanelekileyo kubalawuli abaninzi be-Check Point: "Ukuphucula i-CPU kunye ne-RAM." Kukho iimeko ezininzi xa isango kunye / okanye iseva yokulawula idla ngokungalindelekanga ezininzi zezi zixhobo, kwaye ndingathanda ukuqonda apho "zihamba" kwaye, ukuba kunokwenzeka, zisebenzise ngobulumko.
1. Uhlalutyo
Ukuhlalutya umthwalo weprosesa, kuluncedo ukusebenzisa le miyalelo ilandelayo, efakwe kwimo yobuchule:
umphezulu ibonisa zonke iinkqubo, inani le-CPU kunye nemithombo ye-RAM esetyenzisiweyo njengepesenti, ixesha lokuphumla, inkqubo ephambili kunye ngexesha lokwenyaniΠΈ
cpwd_uluhlu lolawulo Khangela i-Point WatchDog Daemon, ebonisa zonke iimodyuli zesicelo, i-PID yazo, isimo kunye nenani lokuqalisa
cpstat -f cpu os Ukusetyenziswa kwe-CPU, inani labo kunye nokuhanjiswa kwexesha leprosesa njengepesenti
cpstat -f inkumbulo os usetyenziso lwe-RAM ebonakalayo, ingakanani esebenzayo, i-RAM yasimahla kunye nokunye
Uphawu oluchanekileyo kukuba yonke imiyalelo ye-cpstat inokujongwa ngokusebenzisa into eluncedo cpview. Ukwenza oku, kufuneka ufake nje umyalelo we-cpview kuyo nayiphi na indlela kwiseshoni ye-SSH.
ps auxwf uluhlu olude lwazo zonke iinkqubo, i-ID yabo, imemori ebonakalayo kunye nememori kwi-RAM, CPU
Olunye umyalelo owahlukileyo:
ps-aF iya kubonisa eyona nkqubo ibiza kakhulu
fw ctl unxulumano -l -a ukuhanjiswa kwee-cores kwiimeko ezahlukeneyo ze-firewall, oko kukuthi, iteknoloji ye-CoreXL
fw ctl pstat Uhlalutyo lwe-RAM kunye nezalathi zoqhagamshelwano ngokubanzi, iicookies, NAT
simahla -m Isikhuseli RAM
Iqela lifanelwe ingqalelo ekhethekileyo netsat kunye nokwahluka kwayo. Umzekelo, netstat -i inokunceda ukusombulula ingxaki yokubeka iliso kwibhodi eqhotyoshwayo. Ipharamitha, i-RX ilahle iipakethi (i-RX-DRP) ekuphumeni kwalo myalelo, njengomthetho, ikhula ngokwayo ngenxa yokuhla kweeprotocol ezingekho mthethweni (IPv6, Bad / iithegi zeVLAN ezingalindelekanga kunye nabanye). Nangona kunjalo, ukuba amathontsi ayenzeka ngesinye isizathu, kufuneka usebenzise oku ukuqalisa ukuphanda kunye nokuqonda ukuba kutheni ujongano lwenethiwekhi olunikiweyo lulahla iipakethi. Emva kokuba ufumene isizathu, ukusebenza kwe-app kunokwandiswa.
Ukuba iblade yokuJonga yenziwe yasebenza, ungajonga ezi metrics ngokomfanekiso kwiSmartConsole ngokucofa into kwaye ukhethe "Isixhobo kunye neeNkcukacha zeLayisensi."
Akukhuthazwa ukuba uvule i-Monitoring blade ngokusisigxina, kodwa ngosuku lokuvavanya kunokwenzeka.
Ngaphezu koko, unokongeza iiparameters ezininzi zokubeka iliso, enye yazo iluncedo kakhulu - Bytes Throughput (i-application throughput).
Ukuba kukho enye inkqubo esweni, umzekelo, free , esekelwe kwi-SNMP, ikwafanelekile ukuchonga ezi ngxaki.
2. I-RAM iyavuza ngokuhamba kwexesha
Umbuzo uhlala uvela ukuba ekuhambeni kwexesha, isango okanye iseva yolawulo iqala ukusebenzisa ngakumbi nangakumbi i-RAM. Ndifuna ukukuqinisekisa: eli libali eliqhelekileyo kwiinkqubo ezifana neLinux.
Ukujonga imveliso yemiyalelo simahla -m ΠΈ cpstat -f inkumbulo os kwi-app ukusuka kwimo yengcali, ungabala kwaye ujonge zonke iiparameters ezinxulumene ne-RAM.
Ngokusekelwe kwimemori ekhoyo kwisango ngoku Imemori yasimahla + Buffers Memory + Inkumbulo egciniweyo = +-1.5 GB, ngokuqhelekileyo.
Njengoko i-CP isitsho, ngokuhamba kwexesha isango / iseva yolawulo ikhulisa kwaye isebenzisa imemori engaphezulu nangaphezulu, ifikelela malunga ne-80% yokusetyenziswa, kwaye iyeke. Unokuphinda uqalise isixhobo, kwaye emva koko isalathisi siya kusekwa kwakhona. I-1.5 GB ye-RAM yamahhala yanele ngokwaneleyo ukuba isango lokwenza yonke imisebenzi, kwaye ulawulo alufane lufikelele kumaxabiso anjalo.
Kwakhona iziphumo zemiyalelo ekhankanyiweyo ziya kubonisa ukuba ungakanani na Inkumbulo ephantsi (RAM kwindawo yomsebenzisi) kunye Inkumbulo ephezulu (RAM kwisithuba sekernel) esetyenzisiweyo.
Iinkqubo zeKernel (kubandakanya iimodyuli ezisebenzayo ezinjengeemodyuli ze-Check Point kernel) sebenzisa kuphela Imemori ephantsi. Nangona kunjalo, iinkqubo zomsebenzisi zinokusebenzisa zombini imemori ephantsi kunye nePhezulu. Ngaphezu koko, inkumbulo ephantsi iphantse yalingana no Inkumbulo epheleleyo.
Kufuneka ukhathazeke kuphela ukuba kukho iimpazamo kwiilogi "Iimodyuli ziqalisa kwakhona okanye iinkqubo ziyabulawa ukuze kubuyiselwe imemori ngenxa ye-OOM (Ngaphandle kwenkumbulo)". Emva koko kufuneka uqalise kwakhona isango kwaye uqhagamshelane nenkxaso ukuba ukuqalisa kwakhona akuncedi.
Inkcazo epheleleyo inokufumaneka kwi ΠΈ .
3. Ukuphucula
Apha ngezantsi kukho imibuzo kunye neempendulo malunga nokwenza ngcono i-CPU kunye ne-RAM. Kufuneka uphendule ngokunyanisekileyo kuwe kwaye umamele iingcebiso.
3.1. Ngaba isicelo sikhethwe ngokuchanekileyo? Ngaba bekukho iprojekthi yokulinga?
Ngaphandle kobungakanani obufanelekileyo, inethiwekhi inokukhula ngokulula, kwaye esi sixhobo asinakukwazi ukumelana nomthwalo. Olwesibini ukhetho kukuba bekungekho saying ngolo hlobo.
3.2. Ngaba uhlolo lwe-HTTPS luvuliwe? Ukuba ewe, ngaba itekhnoloji iqwalaselwe ngokweNdlela yokuSebenza okuGqwesileyo?
Ibhekisele ku , ukuba ungumxhasi wethu, okanye .
Umyalelo wemithetho kumgaqo-nkqubo wokuhlola we-HTTPS udlala indima enkulu ekulungiseni ukuvulwa kweendawo ze-HTTPS.
Ulandelelwano olucetyiswayo lwemithetho:
- Imithetho ye-Bypass eneendidi/ii-URL
- Hlola imigaqo kunye neendidi / ii-URL
- Hlola imithetho yazo zonke ezinye iindidi
Ngokufanisa kunye nomgaqo-nkqubo we-firewall, i-Check Point ikhangela umdlalo ngeepakethi ukusuka phezulu ukuya ezantsi, ngoko kungcono ukubeka imithetho yokudlula phezulu, ekubeni isango aliyi kuchitha izibonelelo ekusebenzeni kuyo yonke imithetho ukuba le pakethi idinga. ukuba ipasiswe.
3.3 Ngaba kusetyenziswe izinto zoluhlu lweedilesi?
Izinto ezinoluhlu lweedilesi, umzekelo, inethiwekhi 192.168.0.0-192.168.5.0, ithatha kakhulu i-RAM kunezinto zenethiwekhi ezi-5. Ngokuqhelekileyo, kuthathwa njengento efanelekileyo yokususa izinto ezingasetyenziswanga kwi-SmartConsole, ekubeni ixesha ngalinye umgaqo-nkqubo ufakwe, isango kunye neseva yokulawula ichitha izibonelelo kwaye, okona kubaluleke kakhulu, ixesha, ukuqinisekisa kunye nokusebenzisa umgaqo-nkqubo.
3.4. Uqulunqwa njani umgaqo-nkqubo woThintelo lweTreat?
Okokuqala, i-Check Point incoma ukubeka i-IPS kwiprofayili eyahlukileyo kunye nokudala imithetho eyahlukileyo yale blade.
Ngokomzekelo, umlawuli ukholelwa ukuba icandelo le-DMZ kufuneka likhuselwe kuphela usebenzisa i-IPS. Ngoko ke, ukuthintela isango lokuchitha izibonelelo kwiipakethi zokucubungula ngamanye ama-blades, kuyimfuneko ukudala umgaqo ngokuthe ngqo kweli candelo kunye neprofayili apho i-IPS kuphela inikwe amandla.
Ngokumalunga nokuseta iinkangeleko, kucetyiswa ukuba uyimise ngokweendlela ezilungileyo kule (iphepha 17-20).
3.5. Kwiisetingi ze-IPS, zingaphi iisayino ezikhoyo kwimowudi yokukhangela?
Kunconywa ukuba ufunde ngokucophelela iisignesha ngengqiqo yokuba ezingasetyenziswanga kufuneka zikhubazwe (umzekelo, iisignesha zokusebenza kweemveliso ze-Adobe zifuna amandla amaninzi ekhompyutheni, kwaye ukuba umthengi akanalo iimveliso ezinjalo, kunengqiqo ukukhubaza iisignesha). Okulandelayo, faka uThintelo endaweni yokuFumana apho kunokwenzeka, kuba isango lichitha izibonelelo ukusetyenzwa koqhagamshelo lonke kwimowudi ye-Detect, ilahla ngokukhawuleza umdibaniso kwaye ayichithi izibonelelo ekuqhubeni ngokupheleleyo ipakethe.
3.6. Zeziphi iifayile ezicutshungulwa ngokuLingisa iTreat, ukutsalwa kweTreat, iiblade zeAnti-Virus?
Akukho ngqiqweni ukulinganisa kunye nokuhlalutya iifayile zezandiso abasebenzisi bakho abangazikhuphiyo, okanye ucinga ukuba akukho mfuneko kumsebenzi womnatha wakho (umzekelo, bat, iifayile ze-exe zinokuvaleka ngokulula kusetyenziswa iblade yoKwazisa ngoMxholo kwinqanaba lomlilo, ngoko ke isango elincinci. izibonelelo ziya kuchithwa). Ngaphezu koko, kwiisetingi zokuLingisa iSisongelo unokukhetha iNdawo (inkqubo yokusebenza) ukulinganisa izoyikiso kwibhokisi yesanti kunye nokufaka iNdawo Windows 7 xa bonke abasebenzisi besebenza ngenguqulo ye-10 ayinangqondo nayo.
3.7. Ngaba i-firewall kunye ne-Application level level icwangciswe ngokuhambelana neyona ndlela isebenzayo?
Ukuba umgaqo unama-hits amaninzi (umdlalo), ngoko kuyacetyiswa ukuba uwabeke phezulu kakhulu, kunye nemithetho enenani elincinci lokubetha - ezantsi kakhulu. Into ephambili kukuqinisekisa ukuba abaphambanisi okanye badibane. Uyilo olucetyiswayo lomgaqo-nkqubo we-firewall:
Iinkcazo:
Imithetho yokuQala - imithetho enelona nani likhulu lematshisi ibekwe apha
Umthetho weNgxolo-umthetho wokulahla i-traffic enganyanisekanga njenge-NetBIOS
Umthetho weStealth - uthintela ukufowuna kwiisango kunye nolawulo kubo bonke ngaphandle kwaloo mithombo ichaziweyo kuQinisekiso lweMithetho yeSango
I-Coca-Up, iGqibelo kunye neMithetho yokuLahla ihlala idityaniswa ibe ngumgaqo omnye ukunqanda yonke into ebingavumelekanga ngaphambili.
Idatha yokusebenza kakuhle ichazwe kwi .
3.8. Zeziphi iisetingi iinkonzo ezidalwe ngabalawuli?
Ngokomzekelo, enye inkonzo ye-TCP yenziwe kwi-port ethile, kwaye kunengqiqo ukuba ungakhethi "umdlalo kuyo nayiphi na" kwiisetingi eziPhezulu zenkonzo. Kule meko, le nkonzo iya kuwela ngokukodwa phantsi komgaqo apho ibonakala khona, kwaye ayiyi kuthatha inxaxheba kwimigaqo apho Nayiphi na idweliswe kwikholamu yeeNkonzo.
Ukuthetha malunga neenkonzo, kuyafaneleka ukukhankanya ukuba ngamanye amaxesha kuyimfuneko ukulungisa ixesha lokuhamba. Esi sicwangciso siya kukuvumela ukuba usebenzise izibonelelo zesango ngobulumko, ukuze ungabambi ixesha elongezelelweyo kwiiseshoni ze-TCP / UDP zeprotocol ezingadingi ixesha elikhulu lokuphuma. Ngokomzekelo, kwi-screenshot engezantsi, nditshintshe ixesha lokuphuma kwenkonzo ye-domain-udp ukusuka kwimizuzwana ye-40 ukuya kwimizuzwana ye-30.
3.9. Ngaba i-SecureXL isetyenzisiwe kwaye yintoni ipesenti yokukhawuleza?
Unokujonga umgangatho we-SecureXL usebenzisa imiyalelo esisiseko kwimowudi yengcali kwisango ubalo lwefwaccel ΠΈ fw accel izibalo -s. Okulandelayo, kufuneka ufumanise ukuba luhlobo luni lwetrafikhi olukhawuleziswayo, kwaye zeziphi ezinye iitemplates ezinokuthi zenziwe.
Iitemplates zokulahla azenziwanga ngokungagqibekanga; Ukwenza oku, yiya kuseto lwesango kunye nethebhu yoLungiso:
Kwakhona, xa usebenza kunye neqela ukuze ukwandise i-CPU, unokukhubaza ukuvumelanisa kweenkonzo ezingabalulekanga, ezifana ne-UDP DNS, ICMP kunye nabanye. Ukwenza oku, yiya kuseto lwenkonzo β Ekwinqanaba Eliphambili β Ngqamanisa imidibaniso yeLizwe Ungqamaniso luvulwe kwiqela.
Zonke ezona Sebenzi ziPhakamileyo zichazwe kwi .
3.10. Isetyenziswa njani iCoreXl?
Itekhnoloji ye-CoreXL, evumela ukusetyenziswa kwee-CPU ezininzi kwiimeko zomlilo (iimodyuli zomlilo), ngokuqinisekileyo inceda ukunyusa ukusebenza kwesixhobo. Iqela kuqala fw ctl unxulumano -l -a izakubonisa iziganeko zomlilo ezisetyenzisiweyo kunye nabaqhubekekisi ababelwe kwi-SND (imodyuli esasaza itrafikhi kumaziko e-firewall). Ukuba ayizizo zonke iiprosesa ezisetyenzisiweyo, zingongezwa ngomyalelo cpconfig esangweni.
Kwakhona ibali elihle kukubeka ukwenza iMulti-Queue. I-Multi-Queue isombulula ingxaki xa iprosesa ene-SND isetyenziswa kwiipesenti ezininzi, kwaye iimeko ze-firewall kwezinye iiprosesa zingasebenzi. Emva koko i-SND iya kuba namandla okwenza imigca emininzi ye-NIC enye kwaye ibeke izinto eziphambili ezibalulekileyo kwi-traffic eyahlukileyo kwinqanaba le-kernel. Ngenxa yoko, ii-CPU cores ziya kusetyenziswa ngobukrelekrele ngakumbi. Iindlela nazo zichazwe kwi .
Ukuqukumbela, ndingathanda ukuthi ezi ayizizo zonke ezona Sebenzi ziBalaseleyo zokuphucula indawo yokuHlola, kodwa zezona zidumileyo. Ukuba ungathanda uku-odola uphicotho lwepolisi yakho yokhuseleko okanye usombulule ingxaki enxulumene neNdawo yokuHlola, nceda uqhagamshelane [imeyile ikhuselwe].
Π‘ΠΏΠ°ΡΠΈalu
umthombo: www.habr.com