Hi everyone. I am putting together some documentation to train the new starters on Checkpoint IPS, just an overview and some tasty in-depth details sort of thing. I have a couple of questions that I am trying to find answers to.
The first one is a generic question over load on the firewall. Obviously switching on IPS will increase load on the gateway and this overall load will vary depending on the type and volume of traffic traversing the firewall. Can anyone suggest a rough % increase as a ballpark figure, so for instance you would expect to see a 5% increase in CPU load on the firewall just for switching on the IPS module? Do not worry about flagging the whole PXL (medium path) impact on SecureXL, I am going to be flagging that in a separate section as a heads up; I am just looking for a ballpark figure for the expected load increase on un-accelerated traffic.
The second question is around the order of processing when traffic is passed to the streaming engine for deep inspection. Looking through the documentation I have found all the wonderful marketing listing some of the components such as:
Passive Streaming Library
Context Management Infrastructure
What I was wondering is if checkpoint can comment on the order in which these engines are called so I can let students know that when it hits this engine these processes are going to be called and we can expect to see them called in this order?
Any input would be greatly appreciated.
There is a lot of existing documentation concerning your questions:
sk95193: ATRG: IPS gives insight into the IPS Blade and how it works
sk98348 Best Practices - Security Gateway Performance both contain help for IPS optimization
Also interesting to read are:
Short summary of IPS architecture:
PSL (Passive Streaming Layer) > Verify TCP retransmission, reassemble packets into a protocol segment, prevent TCP spoofing
USL (Unified Streaming Library) > This is the connector between PSL and protocol parsers. USL will decide which protocol parser will be used to retrieve information from packet.
SPII (Stateful Protocol Inspection Infrastructure) > This will verify that the packet is RFC compliant and headers correspond to expected state.
CMI (Context Management) > Receives contexts from parsers, decides and runs active protections on relevant contexts, decides the final action to be performed on the packet. Core of the IPS
PM (Pattern Matcher) > Enables protections to be more accurate. Decreases the development time of new protections.
Works in two tiers to improve performance.
ASPII (Accelerated Stateful Protocol Infrastructure) > This manages which protection will run on which connection.
Performance > IPS blade will definitely increase the load on gateway but depends on your protections in profile and vary traffic characteristic. Perhaps check mates may give the percentage of the IPS blade activation impact.
There is a script (get_ips_statistics.sh) that collects and analyses data for showing which matched IPS protections cause a high load on the CPU. sk43733
Debug > fw ctl zdebug + aspii spii cmi machine | for knowing which protections actually run on a certain conn.
#ips debug -e <filter> -o <output file>
-m fw + vm drop spii cmi aspii advp ips
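Since the reply above says the IPS load increase depends on the protection profile and traffic mix rather than being a fixed percentage, the practical answer for a training handout is to measure it on the gateway itself. The following POSIX shell script is an added example written for this thread, not a Check Point tool and not code from either poster: it samples the aggregate `cpu` line of `/proc/stat` (present on any Linux-based gateway OS) over an interval and computes the busy percentage, so the same measurement can be taken with IPS off and then on, under comparable traffic, and the two figures compared. The function names, the interval and the sample lines used for the self-check are all constructed for this example.

```shell
#!/bin/sh
# Added example: estimate the CPU cost of enabling the IPS blade by
# sampling /proc/stat before and after the change (not a vendor script).
# Busy % = 100 * (non-idle ticks) / (total ticks) across two samples.

# cpu_busy_pct SAMPLE1 SAMPLE2
# Each SAMPLE is the aggregate "cpu ..." line from /proc/stat, i.e.
# "cpu user nice system idle iowait irq softirq steal". Prints an integer.
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        {
            # idle = idle + iowait; total = fields 2..9 (guest fields are
            # already counted inside user/nice, so they are not summed)
            idle = $5 + $6; total = 0
            for (i = 2; i <= 9 && i <= NF; i++) total += $i
            if (NR == 1) { i1 = idle; t1 = total } else { i2 = idle; t2 = total }
        }
        END {
            dt = t2 - t1
            if (dt <= 0) { print 0; exit }          # no time elapsed, avoid /0
            printf "%d\n", (100 * (dt - (i2 - i1))) / dt
        }'
}

# ips_load_increase BASELINE_PCT IPS_PCT -> difference in percentage points
ips_load_increase() {
    echo $(( $2 - $1 ))
}

# measure_busy SECONDS -> samples /proc/stat twice and prints busy %
measure_busy() {
    s1=$(head -n 1 /proc/stat)
    sleep "$1"
    s2=$(head -n 1 /proc/stat)
    cpu_busy_pct "$s1" "$s2"
}

# Usage on the gateway (constructed workflow, run as: sh ips_load.sh measure):
#   1. with IPS disabled:  measure_busy 60  -> note the baseline figure
#   2. enable IPS, wait for traffic to look comparable, measure_busy 60 again
#   3. ips_load_increase BASELINE IPS  -> points of CPU attributable to IPS
if [ "${1:-}" = "measure" ]; then
    measure_busy "${2:-60}"
fi
```

Run the measurement several times and at the same time of day for both states; as the reply notes, the figure you get is only valid for that gateway's profile and traffic, which is exactly the caveat worth putting in the handout next to any ballpark number.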