7. NGFW for small businesses. Performance and general guidelines

It’s time to complete the series of articles about the new generation of Check Point SMB appliances (the 1500 series). We hope it has been a rewarding experience for you and that you will stay with us on the TS Solution blog. The topic of the final article is rarely covered but no less important: tuning SMB performance. In it we will look at the options for configuring the hardware and software side of NGFW operation and describe the available commands and ways of interacting with the device.

All articles in the series about NGFW for small business:

  1. New line of CheckPoint 1500 Security Gateway

  2. Unpacking and setup

  3. Wireless data transmission: WiFi and LTE

  4. VPN

  5. Cloud SMP management

  6. Smart-1 Cloud

At the moment there are not many sources of information about performance tuning for SMB solutions, because of the restrictions of the internal OS, Gaia 80.20 Embedded. In this article we will use a centrally managed layout (a dedicated Management Server), since it gives you more tools when working with the NGFW.

Hardware part

Before touching on the architecture of the Check Point SMB family: you can always ask your partner to use the Appliance Sizing Tool utility to select the optimal solution for your requirements (bandwidth, expected number of users, etc.).

Important notes when working with the hardware of your NGFW
  1. NGFW solutions of the SMB family do not allow hardware upgrades of system components (CPU, RAM, HDD). Depending on the model, there is support for SD cards, which lets you expand the disk capacity, but not significantly.

  2. The network interfaces need to be monitored. There are not many monitoring tools in Gaia 80.20 Embedded, but you can always use the well-known command in the CLI via Expert mode:

    # ifconfig

    Pay attention to the underlined lines (the RX/TX errors and dropped counters): they let you estimate the number of errors on the interface. It is highly recommended to check these parameters during the initial deployment of your NGFW and periodically during operation.

  3. Full-fledged Gaia has the command:

    > show diag

    It provides information about the temperature of the hardware. Unfortunately, 80.20 Embedded does not have this option, so we will list the most commonly used SNMP traps instead:

    Name                              Description
    Interface disconnected            An interface went down
    VLAN removed                      A VLAN was removed
    High memory utilization           High RAM usage
    Low disk space                    Little free disk space
    High CPU utilization              High CPU usage
    High CPU interrupts rate          High interrupt rate
    High connection rate              High rate of new connections
    High concurrent connections       High number of concurrent sessions
    High Firewall throughput          High firewall throughput
    High accepted packet rate         High rate of accepted packets
    Cluster member state changed      Cluster member state change
    Connection with log server error  Lost communication with the Log Server

  4. Your gateway needs RAM monitoring. For Gaia (a Linux-like OS) it is a normal situation when RAM consumption reaches 70-80%.

    The architecture of SMB solutions does not provide for the use of swap memory, unlike the larger Check Point models. However, swap was observed in the Linux system files, which suggests that it is theoretically possible to change the swap parameter.
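For the interface check in item 2 above, here is an added helper (not from the original article) that reads classic ifconfig output and reports every interface with non-zero error or drop counters. It assumes the net-tools/busybox output layout ("RX packets:N errors:N dropped:N ...") and uses a constructed sample in place of a live gateway.

```shell
#!/bin/sh
# Added example (not from the original article): pick out interfaces whose
# RX/TX error or drop counters are non-zero in classic ifconfig output.
# Assumes the net-tools/busybox layout ("RX packets:N errors:N dropped:N ...").

# Constructed sample of ifconfig output; eth1 has errors, eth0 is clean.
SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:120345 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98765 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77 errors:12 dropped:3 overruns:0 frame:5
          TX packets:42 errors:0 dropped:1 overruns:0 carrier:0'

# Reads ifconfig output on stdin. Prints "iface rx_err rx_drop tx_err tx_drop"
# for each interface with a non-zero counter; exit status 1 if any were found,
# so the function can drive a cron job or a monitoring check.
ifconfig_errors() {
    awk '
        /^[A-Za-z0-9]/ { iface = $1 }   # interface header line, e.g. "eth0 Link encap:..."
        /RX packets:/  { split($3, e, ":"); split($4, d, ":"); rxe = e[2]; rxd = d[2] }
        /TX packets:/  {
            split($3, e, ":"); split($4, d, ":")
            if (rxe + rxd + e[2] + d[2] > 0) { print iface, rxe, rxd, e[2], d[2]; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone demo on the constructed sample; on the gateway, pipe the real
# command instead: ifconfig | ifconfig_errors
printf '%s\n' "$SAMPLE" | ifconfig_errors || echo "interfaces with errors found"
```

Run it periodically (or compare two runs) rather than once: a counter that keeps growing between checks is the signal to look at, not a small static value left over from boot.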

Software part

At the time of writing, the current Gaia version is 80.20.10. Be aware that there are limitations when working in the CLI: in Expert mode only some Linux commands are supported. To evaluate how the NGFW is running, you need to evaluate the daemons and services; for more details see the article by my colleague. Here we will look at the commands available for SMB.

Working with Gaia OS
  1. View SecureXL templates

    # fwaccel stat

  2. View the load per core

    # fw ctl multik stat

  3. View the number of sessions (connections)

    # fw ctl pstat

  4. * View the cluster status (cluster deployments only)

    # cphaprob stat

  5. The classic Linux top command

Logging

As you already know, there are three ways to work with NGFW logs (storage and processing): locally, centrally and in the cloud. The last two options require a Management Server.

Possible NGFW management schemes

Most valuable log files
  1. System messages (contains less information than in full Gaia)

    # tail -f /var/log/messages2

  2. Blade error messages (a very useful file when troubleshooting)

    # tail -f /var/log/log/sfwd.elg

  3. View messages from the kernel ring buffer

    # dmesg

Blade configuration

This section is not a complete guide to setting up your Check Point NGFW; it only contains our recommendations, selected empirically.

Application Control / URL Filtering
  • Avoid the conditions ANY, ANY (Source, Destination) in rules.

  • When specifying a custom URL resource, it is more efficient to use a regular expression such as: (^ | ..) checkpoint.com

  • Avoid excessive use of per-rule logging and of block pages (UserCheck).

  • Make sure that SecureXL is working correctly: most of the traffic should go through the accelerated or medium path. Also, do not forget to review the rules by how often they are used (the Hits column).

HTTPS-Inspection

It’s no secret that 70-80% of user traffic is HTTPS, so inspecting it requires CPU resources on your gateway. In addition, HTTPS Inspection is used by IPS, Anti-Virus and Anti-Bot.

Since version 80.40 it has been possible to work with HTTPS Inspection rules without the Legacy Dashboard. Here is a recommended rule order:

  • Bypass for a group of addresses and networks (Destination).

  • Bypass for a group of URLs.

  • Bypass for internal IP addresses and networks with privileged access (Source).

  • Inspect for the required networks and users.

  • Bypass for everyone else.

* It is always better to explicitly select the HTTPS or HTTPS Proxy services rather than leaving Any, and to log events on the Inspect rules.

IPS

The IPS blade can cause a policy installation error on your NGFW if too many signatures are enabled. According to a Check Point article, the SMB appliance architecture is not designed to run the full Recommended IPS profile.

To fix or prevent the problem, follow these steps:

  1. Clone the Optimized profile and call it “Optimized SMB” (or whatever you like).

  2. Edit the profile, go to IPS → Pre-R80 Settings and turn off Server Protections.

  3. At your discretion, you can deactivate protections for CVEs older than 2010: such vulnerabilities are rarely found in small offices, but the protections affect performance. To disable some of them go to Profile -> IPS -> Additional Activation -> Protections to deactivate list.

Instead of a conclusion

In this series of articles on the new generation of NGFW in the SMB (1500) family, we have tried to highlight the main capabilities of the solution and demonstrated the configuration of the important security components with specific examples. We will be happy to answer any questions about the product in the comments. Thank you for your attention!

A large selection of materials on Check Point is available from TS Solution. To avoid missing new publications, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).
