7. NGFW for small businesses. Performance and general guidelines
It’s time to complete the series of articles about the new generation of Check Point SMB appliances (the 1500 series). We hope it has been a rewarding read and that you will stay with us on the TS Solution blog. The topic of this final article is rarely covered but no less important: tuning SMB performance. We will look at the options for tuning both the hardware and the software side of the NGFW, and describe the available commands and ways of working with the appliance.
All articles in the series about NGFW for small business:
New line of CheckPoint 1500 Security Gateway
Unpacking and setup
Wireless data transmission: WiFi and LTE
VPN
Cloud SMP management
Smart-1 Cloud
At the moment there are few sources of information about performance tuning for SMB solutions, because the embedded OS, Gaia 80.20 Embedded, is restricted. In this article we use a centrally managed layout (a dedicated Management Server), since it gives you more tools for working with the NGFW.
Hardware part
Before looking at the architecture of the Check Point SMB family: you can always ask your partner to run the Appliance Sizing Tool, which selects the optimal model for the given characteristics (bandwidth, expected number of users, and so on).
Important notes when interacting with the hardware of your NGFW
NGFW appliances of the SMB family cannot have their hardware components (CPU, RAM, disk) upgraded. Depending on the model, SD cards are supported, which lets you expand the disk capacity, although not significantly.
The network interfaces need to be monitored. Gaia 80.20 Embedded offers few monitoring tools, but you can always use the well-known command in the CLI via Expert mode:
# ifconfig
Pay attention to the error counters in the output (the lines underlined in the screenshot): they let you estimate the number of errors on each interface. It is highly recommended to check these values during the initial deployment of your NGFW and periodically during operation.
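Since the embedded OS has no built-in alerting for these counters, a small script that parses saved ifconfig output and flags interfaces with growing errors or drops is a practical substitute. This is an added example, not code from the article or from Check Point; the sample output below is constructed, and the parser assumes the classic net-tools/BusyBox ifconfig layout shown on the appliance:

```python
import re

# Constructed sample of Expert-mode `ifconfig` output (net-tools/BusyBox style),
# not captured from a real appliance.
SAMPLE_IFCONFIG = """\
LAN1      Link encap:Ethernet  HWaddr 00:1C:7F:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1500234 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1320011 errors:0 dropped:0 overruns:0 carrier:0

WAN       Link encap:Ethernet  HWaddr 00:1C:7F:00:00:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9876543 errors:412 dropped:37 overruns:0 frame:412
          TX packets:8765432 errors:0 dropped:0 overruns:0 carrier:3
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
COUNTER_RE = re.compile(r"(RX|TX) packets:\d+ errors:(\d+) dropped:(\d+) overruns:(\d+)")

def parse_ifconfig(text):
    """Map each interface to {"RX": (errors, dropped, overruns), "TX": (...)}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:                   # new interface block (name starts at column 0)
            current = m.group(1)
            stats[current] = {}
            continue
        m = COUNTER_RE.search(line)
        if m and current:       # RX/TX counter line of the current block
            direction, *counts = m.groups()
            stats[current][direction] = tuple(int(c) for c in counts)
    return stats

def noisy_interfaces(stats, threshold=0):
    """Interfaces and directions whose error/drop/overrun counters exceed threshold."""
    bad = {}
    for iface, dirs in stats.items():
        for direction, counts in dirs.items():
            if max(counts) > threshold:
                bad.setdefault(iface, []).append(direction)
    return bad

def counter_deltas(before, after):
    """Counter growth between two snapshots taken some time apart; ifconfig counters
    are cumulative since boot, so a rising value matters more than an old total."""
    return {iface: {d: tuple(a - b for a, b in zip(after[iface][d], before[iface][d]))
                    for d in after[iface] if d in before.get(iface, {})}
            for iface in after if iface in before}
```

Run it against two captures taken a few minutes apart: a non-zero delta on a WAN or trunk port is the signal worth investigating (duplex mismatch, bad cable, or an oversubscribed uplink).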
For a full-fledged Gaia, there is a command:
> show diag
It returns, among other things, the temperature of the hardware. Unfortunately, 80.20 Embedded does not have this command, so instead we list the most commonly used SNMP traps:
Name                                Description
Interface disconnected              An interface went down
VLAN removed                        A VLAN was removed
High memory utilization             RAM utilization is high
Low disk space                      Disk space is running low
High CPU utilization                CPU utilization is high
High CPU interrupts rate            Interrupt rate is high
High connection rate                High rate of new connections
High concurrent connections         High number of concurrent sessions
High Firewall throughput            Firewall throughput is high
High accepted packet rate           High rate of accepted packets
Cluster member state changed        The state of a cluster member changed
Connection with log server error    Communication with the Log Server was lost
Your gateway also needs RAM monitoring. For Gaia (a Linux-like OS) it is normal for RAM consumption to reach 70-80%.
The architecture of SMB solutions does not provide for the use of swap memory, unlike the larger Check Point models. However, the SWAP parameter was seen in the Linux system files, which suggests that it is theoretically possible to change it.
Software part
At the time of writing, the current Gaia version is 80.20.10. Be aware that the CLI has limitations: in Expert mode, only some Linux commands are supported. To evaluate how the NGFW is performing, you need to evaluate its daemons and services; for details, see the article by my colleague. Below we look at the commands available on SMB.
Working with Gaia OS
View SecureXL templates:
# fwaccel stat
View load per core:
# fw ctl multik stat
View the number of sessions (connections):
# fw ctl pstat
View cluster status:
# cphaprob stat
The classic Linux top command:
# top
Logging
As you already know, there are three ways to work with NGFW logs (storage and processing): locally, centrally and in the cloud. The last two options require a Management Server.
Figure: possible NGFW management schemes.
Most valuable log files
System messages (contains less information than on full Gaia):
# tail -f /var/log/messages2
Blade error messages (a very useful file when troubleshooting):
# tail -f /var/log/log/sfwd.elg
Kernel ring buffer messages:
# dmesg
Blade configuration
This section is not a complete guide to configuring your Check Point NGFW; it contains only our recommendations, arrived at empirically.
Application Control / URL Filtering
Avoid the conditions ANY, ANY (Source, Destination) in rules.
When specifying a custom URL resource, it is more efficient to use a regular expression such as (^|\.)checkpoint\.com
Avoid excessive use of per-rule logging and of block pages (UserCheck).
Make sure SecureXL is working correctly: most of the traffic must go through the accelerated or medium path. Also, use the Hits field to identify the most used rules and review the rulebase accordingly.
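Before a custom URL regular expression like the one recommended above goes into a rule, it is worth checking exactly which host names it covers; an expression that is broader than intended silently widens an allow or bypass rule. This is an added example, not code from the article or from Check Point: it uses Python re.search semantics as a stand-in for the gateway's matcher, and the host names are constructed. Confirm the product's own matching rules (in particular whether the expression is applied to the host name or to the whole URL) before relying on an end anchor.

```python
import re

# Constructed host names for the check; none are taken from the article.
HOSTS = [
    "checkpoint.com",
    "www.checkpoint.com",
    "supportcenter.checkpoint.com",
    "notcheckpoint.com",            # another domain ending in the same string
    "checkpoint.com.example.net",   # another domain starting with the same string
    "checkpoint.company.example",   # "checkpoint.com" is a prefix of "checkpoint.company"
]

# The pattern from the recommendation above, and the same pattern anchored at the end.
DOMAIN_AND_SUBDOMAINS = r"(^|\.)checkpoint\.com"
DOMAIN_AND_SUBDOMAINS_ANCHORED = r"(^|\.)checkpoint\.com$"

def matching_hosts(pattern, hosts=HOSTS):
    """Hosts the pattern matches under re.search (anywhere in the string) semantics."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in hosts if rx.search(h)]

def over_matches(loose, strict, hosts=HOSTS):
    """Hosts matched by the loose pattern that the strict pattern rejects: the
    unintended coverage you would be granting with the looser expression."""
    return sorted(set(matching_hosts(loose, hosts)) - set(matching_hosts(strict, hosts)))
```

The leading (^|\.) already rejects notcheckpoint.com; the end anchor is what stops the expression from also covering checkpoint.com.example.net and checkpoint.company.example.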
HTTPS-Inspection
It’s no secret that 70-80% of user traffic is HTTPS, so inspecting it consumes your gateway's processor resources. In addition, HTTPS Inspection is what lets IPS, Anti-Virus and Anti-Bot work on that traffic.
Since version 80.40 it is possible to work with HTTPS Inspection rules without the Legacy Dashboard; here is a recommended rule order:
Bypass for a group of addresses and networks (Destination).
Bypass for a group of urls.
Bypass for internal IP and networks with privileged access (Source).
Inspect for required networks, users
Bypass for everyone else.
It is always best to select the HTTPS or HTTPS Proxy services explicitly rather than leaving Any. Log events on Inspect rules.
IPS
The IPS blade can cause a policy installation error on your NGFW if too many signatures are enabled. According to a Check Point article, the SMB appliance architecture is not designed to run the full recommended IPS profile.
To fix or prevent the problem, follow these steps:
Clone the Optimized profile called “Optimized SMB” (or whatever you like).
Edit the profile, go to IPS → Pre-R80 Settings and turn off Server Protections.
At your discretion, you can deactivate protections for CVEs older than 2010: these vulnerabilities are rarely encountered in small offices, but they affect performance. To disable some of them, go to Profile -> IPS -> Additional Activation -> Protections to deactivate list.
Instead of a conclusion
In this series of articles on the new generation of SMB (1500 series) NGFW appliances, we have tried to highlight the main capabilities of the solution and to demonstrate the configuration of its important security components with specific examples. We will be happy to answer any questions about the product in the comments. Thank you for your attention!
A large selection of materials on Check Point from TS Solution. To avoid missing new publications, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).