checkpoint firewall - efficiency drive
we run a 2 node cluster of checkpoint firewall with a number of remote sites coming up to us over a MPLS network presented to us on a Cisco router
this Cisco router is connected to a dedicated interface on the firewall
we are ultimately looking to reduce the amount of spurious traffic that comes up this link and hots the firewall only to be discarded
we have a process to switch the firewall log file at 23.59 every work day
doing some quick and dirty analysis on the fw logs we seem to be seeing approx 15 - 20 percent of log entries being logged as dropped or rejected
my question is; is this a reasonable overhead for the firewall. what sort of percentage of your log entries are dropped or rejected
thank you
Laurence
Who is Participating?
Experts Exchange Solution brought to you by
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Excel 2007 Basic 239 lessons
-
Microsoft ApplicationsCertification: MCSA MCSE Microsoft Certified Solutions Associate & … 398 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Word 2016 Part … 125 lessons
Experts Exchange Solution brought to you by
Checkpoint recommended best practice in areas of e.g.
- Throughput which can impact the box's memory utilization and to consider for the maximal (possible) session rate necessary for efficiency and effective,
- Timeouts adjustment to reduce to maximize the TCP and UDP connections to serve, it varies for protocol and baseline from daily will give some estimate. This needs tuning
- Assess the diagnostics information such as CPU utilization to look out for constant high CPU consumption by a process can be caused by numerous factors, or even look out for constant increase in memory consumption might suggest some memory leak and to search for errors from various kernel modules and hardware components
- Look at FW specific stats such as use of "fwaccel stats" to review acceleration statistics, use of "cat /proc/ppk/stats" to check for abnormal total number of packets that passed through interfaces and use of "cat /proc/ppk/drop_statistics"
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98348
Even load balancer can be consider for HA configuration of FW (which can be active-active, at least for our case if availability is concern).
The "tedious" log analysis is does expected but technology can chip in if the log are piped remotely to external syslog and either there is the use of "analyser" (Checkpoint has SmartLog for proactive investigation over multiple log files, time periods etc) to analysis it by FW provider. The configuration is shared here too)
Otherwise is using SIEMS like technology to filter out only security events (include drop or rejected cases) and make an analysis to the SOC or NOC tier responser or FW admin.