IPS Analyzer Tool - How to analyze IPS performance efficiently

File uploaded by Omer Shliva

on Oct 5, 2018•Last modified by Omer Shliva

on Oct 5, 2018

Version 2Show Document

Like • Show 7 Likes7
Comment • 7
View in full screen mode

(1) Introduction

The IPS Analyzer Tool collects information about the IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. Analyzer tool processes the statistic outputs and produces a clear HTML report based on that output. The report indicates which IPS protections are causing critical, high or medium load on CPU and provides information regarding the load on Security Gateway per traffic type.

The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure

Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".
Compress the IPS statistics output folder on Security Gateway:
[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>
Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from Security Gateway to your computer and unpack it.
Run the IPS Analyzer Tool on the unpacked IPS statistics output folder:
1. Open Windows Command Prompt
2. Run:
  C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"
Review the output files:
- AnalyzerReport.html - Main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use Chrome or Firefox browser)
- analyzer.log - Log file

*NOTE*

The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:

"Threat Prevention Protection – ID NUM"

If a significant portion of these entries is found then the IPS Software Blade is not the only one impacting the gateway performance and the impact of other Software Blades should be considered.

(3) IPS Analyzer Tool Survey

We would like to receive your feedback in a short, up to 2 minutes survey. Your feedback will help us to improve the tool and the services we provide you.

Click here to take the survey.

For any question please contact:

omersh@checkpoint.com

Attachments

Analyzer.exe.zip5.1 MB

Outcomes

Manuel Kuback Oct 5, 2018 5:38 AM

Omer Shliva Hi Omer,

what I do miss in the Analyzer Report is something like a counter. Like what protection hit how many times while the IPS_statistics script was running.

Best regards,
Manuel

Actions

Smadi Paradise

@ Manuel Kuback on Oct 13, 2018 3:04 AM

This information is not available as the IPS engine doesn't process protections one by one. That's why we collect IPS statistics.

These statistics are available in the form of 4 excel files generated on your management/gw.

The IPS Analyzer's purpose is to make these statistics readable by customers, by processing all the statistics into a single HTML with the relevant processed info.

1 person found this helpful

Actions

Dameon Welch-Abernathy

@ Hugo van der Kooij on Oct 5, 2018 9:00 AM

I suspect those are false-positives.

Actions

Omer Shliva

@ Hugo van der Kooij on Oct 6, 2018 2:36 AM

This executable was developed in-house. It doesn't contain any malicious activity.

Actions

Santiago Platero Oct 11, 2018 9:47 AM

Hi Omer Shliva awesome tool, I ran it and was able to fine tune-in my Security Gateway, but I have a recommendation to make and a question:

- I think you should clarify that for Security Gateway/Management running on R80.10/R80.20 is not necessary to replace the scripts with the "improved version". On the sk110737 say is applicable for R80.10, but in the procedure also says to follow the steps for "versions R77 and above" of the sk43733, in which explicitly ask to replace the scripts. I replaced them and obviously the script fails, kudos for that SK that made me do a backup of the original scripts.

- The second thing is about the "Threat Prevention protection - ID NUM", I had only two entries of that, but I want to know (and if you know it, of course) how can I track which TP protections are referring to? Maybe the ID is the object ID in the database? I tried to find it that way but I couldn't

Again, an awesome tool and I think Check Point should include the Analyzer.exe in the SmartConsole.

Thanks!

Actions

Omer Shliva

@ Santiago Platero on Oct 14, 2018 2:49 AM

Santiago,

Thank you for your comments.

Replacing scripts to improved version is under “procedure for versions R77 and above” in sk43733 and is not specified under “procedure for versions R80.10”.

We will update sk43733 so it would be more clear.

Regarding “Threat prevention protections”, the tool currently displays only IPS protection names.

Signatures from other blades such as Application control or Anti-Bot appear with the following convention: "Threat Prevention Protection x", where x is an arbitrary number.

We can still assist to identify these protections if you’ll send csv output files.

1 person found this helpful

Actions

7 Comments

Manuel Kuback Oct 5, 2018 5:38 AM
Omer Shliva Hi Omer,

what I do miss in the Analyzer Report is something like a counter. Like what protection hit how many times while the IPS_statistics script was running.

Best regards,
Manuel
Like • Show 1 Like1
Actions
- Smadi Paradise @ Manuel Kuback on Oct 13, 2018 3:04 AM
  This information is not available as the IPS engine doesn't process protections one by one. That's why we collect IPS statistics.
  These statistics are available in the form of 4 excel files generated on your management/gw.
  The IPS Analyzer's purpose is to make these statistics readable by customers, by processing all the statistics into a single HTML with the relevant processed info.
  1 person found this helpful
  Like • Show 2 Likes2
  Actions
Hugo van der Kooij Oct 5, 2018 8:08 AM
Call me paranoid. But this doesn't look like a file you want to execute.
https://www.virustotal.com/nl/file/38cef3cc4acffbb0d33c495038e60394c34839999434b9ee2e2610d5d5fcdd90/analysis/1538751865/
Like • Show 0 Likes0
Actions
- Dameon Welch-Abernathy @ Hugo van der Kooij on Oct 5, 2018 9:00 AM
  I suspect those are false-positives.
  Like • Show 1 Like1
  Actions
- Omer Shliva @ Hugo van der Kooij on Oct 6, 2018 2:36 AM
  This executable was developed in-house. It doesn't contain any malicious activity.
  Like • Show 0 Likes0
  Actions
Santiago Platero Oct 11, 2018 9:47 AM
Hi Omer Shliva awesome tool, I ran it and was able to fine tune-in my Security Gateway, but I have a recommendation to make and a question:

- I think you should clarify that for Security Gateway/Management running on R80.10/R80.20 is not necessary to replace the scripts with the "improved version". On the sk110737 say is applicable for R80.10, but in the procedure also says to follow the steps for "versions R77 and above" of the sk43733, in which explicitly ask to replace the scripts. I replaced them and obviously the script fails, kudos for that SK that made me do a backup of the original scripts.

- The second thing is about the "Threat Prevention protection - ID NUM", I had only two entries of that, but I want to know (and if you know it, of course) how can I track which TP protections are referring to? Maybe the ID is the object ID in the database? I tried to find it that way but I couldn't

Again, an awesome tool and I think Check Point should include the Analyzer.exe in the SmartConsole.

Thanks!
Like • Show 1 Like1
Actions
- Omer Shliva @ Santiago Platero on Oct 14, 2018 2:49 AM
  Santiago,
  Thank you for your comments.
  
  Replacing scripts to improved version is under “procedure for versions R77 and above” in sk43733 and is not specified under “procedure for versions R80.10”.
  We will update sk43733 so it would be more clear.
  
  Regarding “Threat prevention protections”, the tool currently displays only IPS protection names.
  Signatures from other blades such as Application control or Anti-Bot appear with the following convention: "Threat Prevention Protection x", where x is an arbitrary number.
  We can still assist to identify these protections if you’ll send csv output files.
  1 person found this helpful
  Like • Show 1 Like1
  Actions

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction

(2) Procedure

(3) IPS Analyzer Tool Survey

Attachments

Outcomes

Related Content

Recommended Content

Incoming Links