checkpoint firewall - efficiency drive

Hello All

we run a 2 node cluster of checkpoint firewall with a number of remote sites coming up to us over a MPLS network presented to us on a Cisco router

this Cisco router is connected to a dedicated interface on the firewall

we are ultimately looking to reduce the amount of spurious traffic that comes up this link and hots the firewall only to be discarded

we have a process to switch the firewall log file at 23.59 every work day

doing some quick and dirty analysis on the fw logs we seem to be seeing approx 15 - 20 percent of log entries being logged as dropped or rejected

my question is; is this a reasonable overhead for the firewall. what sort of percentage of your log entries are dropped or rejected

thank you

Laurence
laurence childsDirectorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
FW is primed to be the perimeter defence so it is expected to front all type of traffic including noise, spurious one, malicious and "knocking" traffic. This is also why DoS and DDoS can be a load for FW which has also (and normally) separate upstream service to handle it or a on-premise separate box for it.

Checkpoint  recommended best practice  in areas of e.g.
- Throughput which can impact the box's memory utilization and to consider for the maximal (possible) session rate necessary for efficiency and effective,
- Timeouts adjustment to reduce to maximize the TCP and UDP connections to serve, it varies for protocol and baseline from daily will give some estimate. This needs tuning
- Assess the diagnostics information such as CPU utilization to look out for constant high CPU consumption by a process can be caused by numerous factors, or even look out for constant increase in memory consumption might suggest some memory leak  and to search for errors from various kernel modules and hardware components
- Look at FW specific stats such as use of "fwaccel stats" to review acceleration statistics, use of "cat /proc/ppk/stats" to check for abnormal total number of packets that passed through interfaces and use of "cat /proc/ppk/drop_statistics" / "cat /proc/ppk/viol_statistics" to correlate with above box health and period stint of such traffic (which can be intentional)...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98348

Even load balancer can be consider for HA configuration of FW (which can be active-active, at least for our case if availability is concern).

The "tedious" log analysis is does expected but technology can chip in if the log are piped remotely to external syslog and either there is the use of "analyser" (Checkpoint has SmartLog for proactive investigation over multiple log files, time periods etc) to analysis it by FW provider. The configuration is shared here too)

Otherwise is using SIEMS like technology to filter out only security events (include drop or rejected cases) and make an analysis to the SOC or NOC tier responser or FW admin.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.