Danny
Pearl

Max Power (max) - Fix me beautiful

max is a community-driven health, security and performance optimization script. GPL licensed.

Installation (expert mode) or download:

curl_cli http://dannyjung.de/max | zcat > /usr/bin/max && chmod +x /usr/bin/max


Changelog

  • 0.1 - Initial Release (Early Availability)
  • 0.2 - Added checks for address spoofing, stateful inspection

The script name refers to Check Point's Maximizing Network Performance guide and Tim Hall's Max Power Firewalls book, which (together with Michael Endrizzi's free CoreXL training) inspired me to start this accompanying project. As Valeri Loukine mentioned in his Gateway Performance Optimization post, it's a tough challenge to master. This script is here to help.

8 Replies

Re: Max Power (max) - Fix me beautiful

Great tool if you didn't have a similar one already! Nicely written too.

I'm not entirely sure how far you wanted to go with this tool, but maybe I can put some things on the wish-list

  • check if aggressive aging is not active from fw ctl pstat
  • check if acceleration templates are not disabled high up in the rulebase from fwaccel stat
  • take number on top of release maybe? early takes could indicate possible problems that are already fixed in later takes, i.e. grep 'was installed successfully' /opt/CPInstLog/DA_UI.log | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}'
  • take say 3 samples of all CPU core usage from top output and see if any of them is running flat out, might be indication of wrong split between SXL and CoreXL or CoreXL allocation

else keep producing more of these!
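
The take check from the wish-list above, written as a stand-alone function in the one-check-per-function style this thread describes. This is an added example, not code from max or from any poster; the function names, the minimum-take threshold and the log lines are constructed assumptions shaped to fit the grep patterns in the quoted one-liner.

```shell
#!/bin/sh
# Added example: names, threshold and log lines are assumptions (constructed),
# not taken from max or from a real gateway's DA_UI.log.

# Write constructed sample lines shaped to fit the one-liner's grep patterns.
write_sample_log() {
    cat > "$1" <<'EOF'
constructed: Jumbo_HF_Bundle_T42.tgz (Take 42) was installed successfully
constructed: Jumbo_HF_Bundle_T154.tgz (Take 154) was installed successfully
constructed: DeploymentAgent_000001.tgz was installed successfully
constructed: Jumbo_HF_Bundle_T169.tgz (Take 169) failed to install
EOF
}

# Print the take number of the last successfully installed image/Jumbo/upgrade.
latest_take() {
    [ -r "$1" ] || return 2
    grep 'was installed successfully' "$1" |
        grep -E 'Image|Jumbo|Upgrade|Bundle_T' |
        tail -n 1 |
        sed -n 's/.*Take[^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# One check, one function: compare the installed take with a caller-supplied
# minimum. Returns 0 = OK, 1 = WARN (older take), 2 = UNKNOWN (no data).
check_take() {
    log=$1
    min=$2
    take=$(latest_take "$log") || { echo "UNKNOWN: cannot read $log"; return 2; }
    if [ -z "$take" ]; then
        echo "UNKNOWN: no installed take found in $log"
        return 2
    fi
    if [ "$take" -lt "$min" ]; then
        echo "WARN: Take $take is older than minimum Take $min"
        return 1
    fi
    echo "OK: Take $take (minimum $min)"
}

# Demo on the constructed log; on a gateway the path from the post would be
# /opt/CPInstLog/DA_UI.log.
sample=$(mktemp)
write_sample_log "$sample"
check_take "$sample" 100
check_take "$sample" 200 || true
rm -f "$sample"
```

The failed install of Take 169 and the agent self-update line are ignored, so the function reports Take 154 for the sample log.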

Danny
Pearl

Re: Max Power (max) - Fix me beautiful

Hi Kaspars Zibarts,

thanks for your kind words. I'm hoping the community drives this project as far as possible.

I've noticed that all optimization guides feature simple if-then instructions (e.g. Max Power 2, 'Special Case: 2 Cores' notes that if a firewall only has 2 Cores with 10Gbps interfaces then it's not recommended for productive use).

However, no one started to put these instructions into executable code, making it easier to correctly apply and use them.

From this perspective I see absolutely no similarities between our ccc script and max.

max is very modular. I put every check into a separate function empowering the CheckMates community to easily create and post new functions here to be added to the script.

Regards,

Danny

Re: Max Power (max) - Fix me beautiful

What a great tool!

I can imagine having this, the CCC script and the health check script as one bundle. Why do we have 3 separate scripts if we can merge them into one?

It will be up to the user what he needs to check/configure.

Just an idea for further cooperation.

Kind regards,
Jozko Mrkvicka
Danny
Pearl

Re: Max Power (max) - Fix me beautiful

The next version of our ccc script will have an option to install and start max.

I won't merge the scripts into one (yet) as their code is absolutely different. max is 99.9% modular, won't preload anything, doesn't require user interaction etc. while ccc highly interacts with the user to access common Check Point commands.

Re: Max Power (max) - Fix me beautiful

Interesting work, Danny Jung. Timothy Hall, what do you say?

Re: Max Power (max) - Fix me beautiful

When writing the first edition of my book, I did think to myself at one point: "Hmm I bet I could write a script that would run all the discovery commands, parse the output and issue alerts based on the output".  For any findings the script could even reference the relevant page number in the book for further reading, if the finding did not make sense or more context was required to take meaningful action to correct it.  Never quite got the time to write it, although the healthcheck.sh tool created by Check Point was kind of similar to that concept.  Love it!

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Danny
Pearl

Re: Max Power (max) - Fix me beautiful

Tim wrote: "For any findings the script could even reference the relevant page number in the book for further reading.."

This is exactly what I have in mind for the script: Referencing the exact RFC, page number in your book, Check Point SK etc. This way the script will then hopefully also be respected for its educational character besides building trust and liability for its recommendations.

Danny
Pearl

Re: Max Power (max) - Fix me beautiful

New Release: Version 0.2
