The IPS Analyzer Tool collects information about IPS protection usage. The IPS statistics indicate which patterns, out of all IPS protections, were called into action (but not necessarily matched) and how many times. The Analyzer tool processes the statistics output and produces a clear HTML report. The report indicates which IPS protections are causing critical, high or medium load on the CPU and shows the load on the Security Gateway per traffic type.
The IPS Analyzer Tool is supported on R77 and above.
Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".
Compress the IPS statistics output folder on the Security Gateway into IPS_Statistics.tar:
[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
[Expert@HostName:0]# tar -cvf IPS_Statistics.tar *
Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from Security Gateway to your computer and unpack it.
Run the IPS Analyzer Tool on the unpacked IPS statistics output folder:
Open a Windows Command Prompt and run:
C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"
Review the output files:
AnalyzerReport.html - Main report file, located in DISK:\path_to_unpacked_statistics_output_folder\AnalyzerReport.html (use the Chrome or Firefox browser)
analyzer.log - Log file
The tool only displays protection information relevant to the IPS Software Blade. Entries that belong to other Software Blades appear with the following protection name:
"Threat Prevention Protection – ID NUM"
If a significant portion of the entries are of this kind, the IPS Software Blade is not the only one affecting the gateway's performance, and the impact of the other Software Blades should be considered as well.
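The check described above (how much of the critical/high load the report attributes to unnamed "Threat Prevention protection N" entries, i.e. to signatures from other Software Blades) can be automated once the report's protection list is exported. The following is an added example and not code from sk110737 or from the Analyzer tool itself; the comma-separated "load level,protection name" input it parses is a constructed stand-in for the report (the real AnalyzerReport.html/CSV layout is not reproduced here), and the 50% threshold is an assumed cut-off, not a Check Point recommendation.

```python
"""Added example: separate named IPS protections from unnamed other-blade
entries in an IPS Analyzer style protection list and estimate their share.
Not part of sk110737 or the Analyzer tool; the input format is constructed.
"""
import re
from collections import Counter

# Matches the convention from the text: "Threat Prevention protection 39737",
# "Threat Prevention Protection - ID 42", with an optional hyphen or en dash.
TP_PATTERN = re.compile(
    r"^Threat Prevention protection\s*[-\u2013]?\s*(?:ID\s*)?(\d+)$",
    re.IGNORECASE,
)

# Constructed sample input: "<load level>,<protection name>" per line.
SAMPLE_REPORT = """\
# constructed sample, not real report output
critical,Threat Prevention protection 39737
critical,HTTP Non Compliant
critical,Threat Prevention protection 39708
high,Threat Prevention protection 39696
high,SMB Null Session
medium,DNS Cache Poisoning
medium,Threat Prevention protection 1319
"""


def parse_report(text):
    """Return a list of (load_level, protection_name) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        level, name = line.split(",", 1)
        rows.append((level.strip().lower(), name.strip()))
    return rows


def classify(name):
    """Return ("other_blade", <id>) for unnamed entries, ("ips", name) otherwise."""
    match = TP_PATTERN.match(name)
    if match:
        return ("other_blade", int(match.group(1)))
    return ("ips", name)


def summarize(rows, levels=("critical", "high")):
    """Count IPS vs other-blade entries per level and the other-blade share
    across the levels that matter (critical and high by default)."""
    per_level = {}
    other_ids = []
    for level, name in rows:
        kind, value = classify(name)
        per_level.setdefault(level, Counter())[kind] += 1
        if kind == "other_blade":
            other_ids.append(value)
    considered = sum((per_level.get(lvl, Counter()) for lvl in levels), Counter())
    total = considered["ips"] + considered["other_blade"]
    share = considered["other_blade"] / total if total else 0.0
    return {
        "per_level": per_level,
        "other_blade_share": share,
        "other_blade_ids": sorted(set(other_ids)),
    }


def ips_is_sole_driver(summary, threshold=0.5):
    """Assumed cut-off: if at least `threshold` of the critical/high entries are
    unnamed other-blade signatures, IPS is not the only blade to investigate."""
    return summary["other_blade_share"] < threshold


if __name__ == "__main__":
    result = summarize(parse_report(SAMPLE_REPORT))
    for level, counts in sorted(result["per_level"].items()):
        print(f"{level:9s} ips={counts['ips']} other_blade={counts['other_blade']}")
    print(f"other-blade share of critical/high entries: {result['other_blade_share']:.0%}")
    print("unnamed IDs to raise with TAC/the tool author:", result["other_blade_ids"])
    print("IPS is the sole driver:", ips_is_sole_driver(result))
```

The unnamed IDs are collected separately because, as the thread below shows, they cannot be mapped to a protection name locally; keeping them in one list makes it easy to send them along with the CSV output when asking for help identifying them.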
Hi Omer Shliva, awesome tool. I ran it and was able to fine-tune my Security Gateway, but I have a recommendation to make and a question:
- I think you should clarify that for a Security Gateway/Management running R80.10/R80.20 it is not necessary to replace the scripts with the "improved version". sk110737 says it is applicable for R80.10, but the procedure also says to follow the steps for "versions R77 and above" of sk43733, which explicitly ask to replace the scripts. I replaced them and obviously the script fails; kudos for that SK that made me do a backup of the original scripts.
- The second thing is about the "Threat Prevention protection - ID NUM". I had only two entries of that, but I want to know (if you know it, of course) how I can track which TP protections they are referring to. Maybe the ID is the object ID in the database? I tried to find it that way but I couldn't.
Again, an awesome tool and I think Check Point should include the Analyzer.exe in the SmartConsole.
This information is not available as the IPS engine doesn't process protections one by one. That's why we collect IPS statistics.
These statistics are available in the form of four Excel files generated on your management/gateway.
The IPS Analyzer's purpose is to make these statistics readable by customers, by processing all the statistics into a single HTML with the relevant processed info.
Thank you for your comments.
Replacing the scripts with the improved version is under “procedure for versions R77 and above” in sk43733 and is not specified under “procedure for versions R80.10”.
We will update sk43733 so it would be more clear.
Regarding “Threat prevention protections”, the tool currently displays only IPS protection names.
Signatures from other blades such as Application control or Anti-Bot appear with the following convention: "Threat Prevention Protection x", where x is an arbitrary number.
We can still assist in identifying these protections if you send the CSV output files.
The following numbers come up in the report. Could you please share how to find out exactly which protections they are?
Threat Prevention protection 39737
Threat Prevention protection 39708
Threat Prevention protection 39696
There are a couple of questions I'm asking myself before activating this script.
I'm looking to activate IPS at a client and reviewing the best practice on how to do so.
Came across this tool, thought it could be a welcome addition to my IPS activation procedure. 🙂
I've found that the IPS Analyzer tool is more suited for particular troubleshooting situations involving IPS performance rather than being used as a regular tool for a new or existing IPS deployment. In general it is more fruitful to optimize the configuration of IPS Protections in bulk using profiles with specific overrides if needed. If there are still performance problems and it is suspected that IPS is the culprit, the next step is to confirm that IPS is actually the cause with these steps:
If it is confirmed that IPS is the cause, keep in mind that exceptions will save very little CPU as they only change the action/decision (Prevent/Detect/Inactive) after inspection and have very little impact for decreasing CPU load. A "null profile" can be used on an R80.10+ gateway to exclude certain traffic from IPS inspection completely and help further isolate what is driving the CPU load up, usually it is some high-speed LAN-to-LAN traffic getting looked at by an IPS Protection with a Performance Impact rating of High or Critical.
Once you've done all these things and still can't figure out why IPS is driving the CPU load up, it is now time for the IPS Analyzer tool. It does cause some minor performance impact (but nothing horrible from what I've seen), and if IPS-driven CPU load is persistently high you shouldn't need to run it more than a few minutes to find the offending IPS Protection. Obviously if there are only intermittent or "random" IPS-driven CPU spikes you will need to run it long enough to catch a spike "in the act".
Thanks for the information.
I know that only IPS protections name will show in the report. But do you have any idea how to find which threat prevention protection is showing in the report as a random number?
Threat Prevention protection 49820
Threat Prevention protection 7775
Threat Prevention protection 1319
I was trying to give this tool a try given some recent issues that started chewing up our 23500's performance (memory-wise) in a memory-leak kind of fashion. I've done everything and TAC has no clue as to what is going on yet.
The problem is that we don't have any computer running 32-bit anymore and this tool is requiring a 32-bit machine (What??)
When I run this from the command line (even As Administrator) I get the following:
C:\Users\TruthSerum\Downloads\Tools>Analyzer.exe OFFLINE "C:\Users\TruthSerum\Tools\Downloads\14-37-22__07-27-2019"
This version of C:\Users\TruthSerum\Downloads\Tools\Analyzer.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
The actual pop up states "Unsupported 16-Bit Application" on the title of the windows, with the additional message:
"The program or feature "\??\C:\Users\TruthSerum\Downloads\Tools\Analyzer.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available."
I am running Windows 10 Enterprise 64-bit. This machine also used to run the SmartDashboard. Have no issues with any other Checkpoint provided tools, but this one.
First of all, thanks for sharing this tool. It gives us some good visibility that I didn't have before.
In my report output I get the "Other" and "I/S" types of traffic with some % relevance on some gateways.
Is it possible to share what "I/S" is and what could be inside "Other" (even if by exclusion)?
Thanks for your time,
Thanks for the tool. It'd be good to have a way of matching TP id to actual protection names
I have a number of protections with critical load impact. Could you please tell me which protections match the IDs below?
Threat Prevention protection 2031
Threat Prevention protection 1984
Threat Prevention protection 1697
Threat Prevention protection 1700
Threat Prevention protection 1695
Threat Prevention protection 1982
Threat Prevention protection 1983
Threat Prevention protection 1778
There was a webinar recently about using the SmartConsole extension for turning all IPS protections to prevent mode, on the basis that if no traffic is matching an IPS protection then it has no impact on performance. On this topic it is recommended to turn off IPS protections that are not in use. Any views?
I collected statistics as per the SK. It tells me I will get the following files:
The output files are:
Analyzer gives warnings that the report is not complete because of missing files:
Missing or empty file C:\sdstat_output_file.csv
File C:\sdstat_output_file.csv is not valid. Please note that the report is incomplete
I have these showing up as Critical Protections.
Threat Prevention protection 421
Threat Prevention protection 362
Threat Prevention protection 398
Threat Prevention protection 433
Threat Prevention protection 913
Threat Prevention protection 902
Threat Prevention protection 903
Threat Prevention protection 881