IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction

The IPS Analyzer Tool collects information about IPS protection usage. The IPS statistics indicate which patterns, out of all IPS protections, were called into action (but not necessarily matched) and how many times. The Analyzer tool processes the statistics output and produces a clear HTML report based on it. The report indicates which IPS protections place critical, high or medium load on the CPU and shows the load on the Security Gateway per traffic type.

The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure

  1. Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".

  2. Compress the IPS statistics output folder on Security Gateway:

    [Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
    [Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>
  3. Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from Security Gateway to your computer and unpack it.

  4. Run the IPS Analyzer Tool on the unpacked IPS statistics output folder:

    1. Open Windows Command Prompt

    2. Run:

      C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"
  5. Review the output files:

    • AnalyzerReport.html - Main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use Chrome or Firefox browser)

    • analyzer.log - Log file

*NOTE*

The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:

"Threat Prevention Protection – ID NUM"

If a significant portion of these entries is found then the IPS Software Blade is not the only one impacting the gateway performance and the impact of other Software Blades should be considered.

(3) IPS Analyzer Tool Survey

We would like to receive your feedback in a short survey (up to 2 minutes). Your feedback will help us improve the tool and the services we provide you.

Click here to take the survey.

For any question please contact:

12 Replies

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Omer Shliva: Hi Omer,

What I miss in the Analyzer Report is something like a counter, e.g. which protection was hit how many times while the IPS_statistics script was running.

Best regards,
Manuel

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Call me paranoid. But this doesn't look like a file you want to execute.

https://www.virustotal.com/nl/file/38cef3cc4acffbb0d33c495038e60394c34839999434b9ee2e2610d5d5fcdd90/...

Admin

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

I suspect those are false-positives.

Employee+

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

This executable was developed in-house. It doesn't contain any malicious activity.


Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Hi Omer Shliva, awesome tool. I ran it and was able to fine-tune my Security Gateway, but I have a recommendation to make and a question:

- I think you should clarify that for a Security Gateway/Management running R80.10/R80.20 it is not necessary to replace the scripts with the "improved version". sk110737 says it is applicable to R80.10, but the procedure also says to follow the steps for "versions R77 and above" of sk43733, which explicitly asks you to replace the scripts. I replaced them and obviously the script fails; kudos for that SK, which made me back up the original scripts.

- The second thing is about the "Threat Prevention protection - ID NUM". I had only two entries of that, but I want to know (if you know it, of course) how I can track which TP protections they refer to. Maybe the ID is the object ID in the database? I tried to find it that way but I couldn't.

Again, an awesome tool and I think Check Point should include the Analyzer.exe in the SmartConsole.

Thanks!

Employee

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

This information is not available as the IPS engine doesn't process protections one by one.  That's why we collect IPS statistics.

These statistics are available in the form of 4 Excel files generated on your management/gateway.

The IPS Analyzer's purpose is to make these statistics readable by customers, by processing all the statistics into a single HTML with the relevant processed info. 

Employee+

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Santiago,

Thank you for your comments.

Replacing scripts to improved version is under “procedure for versions R77 and above” in sk43733 and is not specified under “procedure for versions R80.10”.

We will update sk43733 to make it clearer.

Regarding “Threat prevention protections”, the tool currently displays only IPS protection names.

Signatures from other blades such as Application control or Anti-Bot appear with the following convention: "Threat Prevention Protection x", where x is an arbitrary number.

We can still assist to identify these protections if you’ll send csv output files.

Sai_Thu
Ivory

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Hi Omer_Shliva,

The following numbers come up in the report. Could you please share how to find out exactly which protections they are?

Threat Prevention protection 39737

Threat Prevention protection 39708

Threat Prevention protection 39696


Thanks.


Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

There are a couple of questions I'm asking myself before activating this script.

  1. Is there any performance impact by running this script?
  2. What is the ideal length of time to run this script?
  3. Shouldn't this script be run over a longer period of time? If not, why?


I'm looking to activate IPS at a client and reviewing the best practice on how to do so.

Came across this tool, thought it could be a welcome addition to my IPS activation procedure. 🙂


Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

I've found that the IPS Analyzer tool is more suited for particular troubleshooting situations involving IPS performance rather than being used as a regular tool for a new or existing IPS deployment.  In general it is more fruitful to optimize the configuration of IPS Protections in bulk using profiles with specific overrides if needed.  If there are still performance problems and it is suspected that IPS is the culprit, the next step is to confirm that IPS is actually the cause with these steps:

  • Baseline CPU load
  • Run ips off command on gateway
  • Wait 60 seconds
  • Measure new CPU load
  • Run ips on command on gateway
  • Confirm baseline of CPU load

If it is confirmed that IPS is the cause, keep in mind that exceptions will save very little CPU as they only change the action/decision (Prevent/Detect/Inactive) after inspection and have very little impact for decreasing CPU load.  A "null profile" can be used on an R80.10+ gateway to exclude certain traffic from IPS inspection completely and help further isolate what is driving the CPU load up, usually it is some high-speed LAN-to-LAN traffic getting looked at by an IPS Protection with a Performance Impact rating of High or Critical.

Once you've done all these things and still can't figure out why IPS is driving the CPU load up, it is now time for the IPS Analyzer tool.  It does cause some minor performance impact (but nothing horrible from what I've seen), and if IPS-driven CPU load is persistently high you shouldn't need to run it more than a few minutes to find the offending IPS Protection.  Obviously if there are only intermittent or "random" IPS-driven CPU spikes you will need to run it long enough to catch a spike "in the act".


"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
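The six-step isolation check in the reply above (baseline the CPU, `ips off`, wait 60 seconds, measure again, `ips on`, confirm the baseline) as an added shell example; this is not code from the post, from its author or from Check Point. It computes the busy CPU percentage from two aggregate `cpu` lines of `/proc/stat` and compares the baseline window with the IPS-off window. The four snapshot lines are constructed sample data; `live_measure` shows the same sequence against a real gateway expert shell and is not run by default. The 10-point threshold in `ips_is_culprit` is an assumed default, not a value from the post.

```shell
#!/bin/sh
# Added example (not from the post or Check Point): compare CPU busy %
# with IPS on versus off, following the six steps in the reply above.

# Constructed /proc/stat "cpu" snapshots. Fields after "cpu":
# user nice system idle iowait irq softirq steal guest guest_nice.
# Each pair represents the start and end of a ~60 second window.
BASE_A="cpu 1000 0 500 8000 100 0 50 0 0 0"   # baseline, start of window
BASE_B="cpu 1600 0 800 8600 100 0 50 0 0 0"   # baseline, end of window
OFF_A="cpu 1600 0 800 8600 100 0 50 0 0 0"    # ips off, start of window
OFF_B="cpu 1800 0 900 9700 100 0 50 0 0 0"    # ips off, end of window

# Busy CPU percentage between two aggregate "cpu" lines: every tick except
# idle (field 5) and iowait (field 6) counts as busy. Prints one decimal.
cpu_busy_pct() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    NR == 1 { for (i = 2; i <= NF; i++) a[i] = $i }
    NR == 2 {
      total = 0; idle = 0
      for (i = 2; i <= NF; i++) {
        d = $i - a[i]; total += d
        if (i == 5 || i == 6) idle += d
      }
      if (total <= 0) { print "0.0"; exit }   # no ticks elapsed: avoid divide by zero
      printf "%.1f\n", (total - idle) * 100 / total
    }'
}

# Percentage points of CPU attributable to IPS: baseline busy minus ips-off busy.
ips_cpu_share() {
  awk -v b="$1" -v o="$2" 'BEGIN { printf "%.1f\n", b - o }'
}

# Exit 0 when the drop exceeds the threshold (percentage points; assumed
# default of 10), i.e. IPS is confirmed as the main CPU driver.
ips_is_culprit() {
  awk -v s="$1" -v t="${2:-10}" 'BEGIN { exit !((s + 0) > (t + 0)) }'
}

# The live sequence from the reply, for a gateway expert shell. Not executed here.
live_measure() {
  snap() { grep '^cpu ' /proc/stat; }
  a=$(snap); sleep 60; b=$(snap)            # 1. baseline CPU load
  ips off                                   # 2. run ips off command on gateway
  sleep 60                                  # 3. wait 60 seconds
  c=$(snap); sleep 60; d=$(snap)            # 4. measure new CPU load
  ips on                                    # 5. run ips on command on gateway
  e=$(snap); sleep 60; f=$(snap)            # 6. confirm baseline of CPU load
  base=$(cpu_busy_pct "$a" "$b"); off=$(cpu_busy_pct "$c" "$d")
  echo "baseline ${base}% / ips off ${off}% / confirm $(cpu_busy_pct "$e" "$f")%"
  echo "IPS share: $(ips_cpu_share "$base" "$off") pts"
}

# Offline run on the constructed snapshots.
base=$(cpu_busy_pct "$BASE_A" "$BASE_B")
off=$(cpu_busy_pct "$OFF_A" "$OFF_B")
share=$(ips_cpu_share "$base" "$off")
echo "baseline busy: ${base}%  ips off busy: ${off}%  IPS share: ${share} pts"
if ips_is_culprit "$share"; then
  echo "IPS confirmed as the CPU driver: tune profiles first, then run the IPS Analyzer"
else
  echo "IPS is not the main CPU driver: look at other Software Blades"
fi
```

On the constructed data the baseline window is 60.0% busy and the IPS-off window 21.4%, a 38.6-point drop, so the script reports IPS as the driver. Run `live_measure` instead of the offline block on a real gateway; the `ips off` / `ips on` commands and the 60-second wait are exactly the steps the reply lists.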

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Thanks for the information.


I know that only IPS protections name will show in the report. But do you have any idea how to find which threat prevention protection is showing in the report as a random number?


Threat Prevention protection 49820
Threat Prevention protection 7775
Threat Prevention protection 1319
Employee+

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Yes.

Please email me with the tool's output.

omersh@checkpoint.com
