topic Re: Rate limiting the bandwith from the CP gateway in Firewall and Security Management

Rate limiting the bandwith from the CP gateway

Heath — Thu, 04 Oct 2018 20:25:52 GMT

We have some sites that were lean on available bandwidth before we implemented the CP gateway and now our networking guys are getting called out on networking issues. When they look at the top talkers the CP is constantly in the mix if not at the top.

I was wanting to know if there was a way to limit the bandwidth used for things like updates and such from the gateway. My networking guys are telling me that it looks like the gateway slowly ramps up as if to see how much it can use and I would like to cap that bandwidth usage at these certain sites. If there is not a way to do this then how have others dealt with this issue?

These are a mix of R77.30 and R80.10 gateways with R80.10 management. Thanks!

Re: Rate limiting the bandwith from the CP gateway

PhoneBoy — Thu, 04 Oct 2018 22:57:14 GMT

I've never heard anyone complain about this.

The updates the gateway downloads should be fairly minimal unless you've configured the system to automatically download all packages with CPUSE (not the default), which would be the only thing that would require any significant bandwidth.

Re: Rate limiting the bandwith from the CP gateway

JozkoMrkvicka — Fri, 05 Oct 2018 21:23:00 GMT

QoS ?

By the way, I run into similar case and it was caused by backups.If you have enabled logging of Implied Rules, you should be able to find this traffic going from firewall.

Re: Rate limiting the bandwith from the CP gateway

Heath — Mon, 08 Oct 2018 16:23:34 GMT

We haven't setup QoS on the CP but that's an good thought. I know we could do this on the router outside the CP but can this be limited from the CP with a CP QoS policy?

Re: Rate limiting the bandwith from the CP gateway

AlekseiShelepov — Mon, 08 Oct 2018 18:55:49 GMT

I would advise not to enable QoS on Check Point without a very good reason and further investigate what exactly this traffic is. As Dameon said it is not normal that gateway itself generates big amounts of traffic.Maybe you have some hide NAT setting.

What blades are enabled on gateways? What is configured for auto-update of these blades? What's the source and destination of this traffic? What protocol, port, application is that? Can you see it in logs of the gateway? Can you find it in tcpdump or fwmonitor?

Re: Rate limiting the bandwith from the CP gateway

Heath — Thu, 11 Oct 2018 22:20:57 GMT

It looks like the option to download hotfixes is set to manual but I did see that 'Automatically update Deployment Agent (recommended)' was enabled. Could this be causing the download spikes?

I long term solution is the upgrade the connection bandwidth at the site, but I need to remedy the CP causing the bandwidth to be over utilized in the current state. I've ask our networking team to give me data on when the site has been over utilized so I can hopefully find a correlation in the CP logs. Any suggestions on how to accomplish this easily once I get the data?

Re: Rate limiting the bandwith from the CP gateway

PhoneBoy — Fri, 12 Oct 2018 05:36:08 GMT

I suppose it's possible but I know the Deployment Agent is very small (few megabytes).

It shouldn't cause a massive bandwidth spike.

Other than the periodic downloads of signatures and possibly CPUSE packages, the only other traffic the gateway generates is in response to network traffic (e.g. to categorize URLs or check ThreatCloud), e.g. sk83520: How to verify that Security Gateway and/or Security Management Server can access Check Point servers?

Those queries in general should be relatively small also.

To provide specific advice, more details are clearly needed.

I suggest working with the TAC on this.