IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction

The IPS Analyzer Tool collects information about IPS Protections usage. The IPS statistics indicate which patterns, out of all IPS protections, were called into action (but not necessarily matched) and how many times. The Analyzer Tool processes the statistics output and produces a clear HTML report from it. The report indicates which IPS protections cause critical, high or medium load on the CPU and provides information about the load on the Security Gateway per traffic type.

The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure

  1. Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".

  2. Compress the IPS statistics output folder on Security Gateway:

    [Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
    [Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>
  3. Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from Security Gateway to your computer and unpack it.

  4. Run the IPS Analyzer Tool on the unpacked IPS statistics output folder:

    1. Open Windows Command Prompt

    2. Run:

      C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"
  5. Review the output files:

    • AnalyzerReport.html - Main report file, located in DISK:\path_to_unpacked_statistics_output_folder\AnalyzerReport.html (open it in Chrome or Firefox)

    • analyzer.log - Log file
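As an added example (not part of the original post and not Check Point's own code), a PowerShell wrapper for steps 4 and 5 that runs Analyzer.exe only after its SHA-256 matches a hash you have verified out of band, and then confirms the report was produced. The expected hash, the folder path and the assumption that analyzer.log is written next to the report are placeholders/assumptions to adjust.

```powershell
# Added example: gate the run of Analyzer.exe on an integrity check of the binary.
# $ExpectedSha256 is a placeholder: take it from the download page or scan result you
# trust, not from this script. $StatsFolder is the unpacked folder from step 3.
param(
    [string]$AnalyzerExe    = ".\Analyzer.exe",
    [string]$StatsFolder    = "D:\IPS_Statistics\HH-MM-SS__MM-DD-YYYY",
    [string]$ExpectedSha256 = "<SHA256_OF_THE_ANALYZER_EXE_YOU_VERIFIED>"
)

$ErrorActionPreference = "Stop"

# 1. Integrity check: hash the local binary and compare (PowerShell -ne is case-insensitive).
$actual = (Get-FileHash -Path $AnalyzerExe -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Analyzer.exe hash mismatch: got $actual, expected $ExpectedSha256. Not running it."
}

# 2. Step 4: run the tool in OFFLINE mode against the unpacked statistics folder.
& $AnalyzerExe OFFLINE "$StatsFolder"
if ($LASTEXITCODE -ne 0) {
    throw "Analyzer.exe exited with code $LASTEXITCODE; check analyzer.log for details."
}

# 3. Step 5: confirm the main report exists where the post says it is written.
$report = Join-Path $StatsFolder "AnalyzerReport.html"
if (-not (Test-Path $report)) {
    throw "Expected report not found: $report"
}

# analyzer.log location is an assumption here (same folder as the report).
$log = Join-Path $StatsFolder "analyzer.log"
if (Test-Path $log) {
    Write-Host "Log written to $log"
}
Write-Host "Report ready: $report (open in Chrome or Firefox)"
```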

*NOTE*

The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:

"Threat Prevention Protection – ID NUM"

If a significant portion of the entries are of this kind, then the IPS Software Blade is not the only one affecting the gateway performance, and the impact of the other Software Blades should be considered.

(3) IPS Analyzer Tool Survey

We would like to receive your feedback in a short survey (up to 2 minutes). Your feedback will help us improve the tool and the services we provide you.

Click here to take the survey.

For any questions, please contact:

8 Replies

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Omer Shliva

Hi Omer,

What I miss in the Analyzer Report is something like a counter, i.e. which protection was hit how many times while the IPS_statistics script was running.

Best regards,
Manuel

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Call me paranoid. But this doesn't look like a file you want to execute.

https://www.virustotal.com/nl/file/38cef3cc4acffbb0d33c495038e60394c34839999434b9ee2e2610d5d5fcdd90/...


Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

I suspect those are false-positives.


Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

This executable was developed in-house. It doesn't contain any malicious activity.


Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Hi Omer Shliva, awesome tool. I ran it and was able to fine-tune my Security Gateway, but I have a recommendation to make and a question:

- I think you should clarify that for a Security Gateway/Management running on R80.10/R80.20 it is not necessary to replace the scripts with the "improved version". sk110737 says it is applicable to R80.10, but the procedure also says to follow the steps for "versions R77 and above" of sk43733, which explicitly asks to replace the scripts. I replaced them and obviously the script fails; kudos for that SK, which made me back up the original scripts.

- The second thing is about the "Threat Prevention protection - ID NUM" entries. I had only two of them, but I want to know (if you know it, of course) how I can track which TP protections they refer to. Maybe the ID is the object ID in the database? I tried to find it that way but I couldn't.

Again, an awesome tool and I think Check Point should include the Analyzer.exe in the SmartConsole.

Thanks!

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

This information is not available, as the IPS engine doesn't process protections one by one. That's why we collect IPS statistics.

These statistics are available in the form of 4 Excel files generated on your management/gateway.

The IPS Analyzer's purpose is to make these statistics readable for customers by processing all of them into a single HTML file with the relevant processed information.


Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Santiago,

Thank you for your comments.

Replacing the scripts with the improved version is under "procedure for versions R77 and above" in sk43733 and is not specified under "procedure for versions R80.10".

We will update sk43733 so it is clearer.

Regarding "Threat Prevention protections", the tool currently displays only IPS protection names.

Signatures from other blades, such as Application Control or Anti-Bot, appear with the following convention: "Threat Prevention Protection x", where x is an arbitrary number.

We can still assist in identifying these protections if you send us the CSV output files.

Sai_Thu

Re: IPS Analyzer Tool - How to analyze IPS performance efficiently

Hi Omer_Shliva,

The following numbers come up in the report. Could you please share how to find out exactly which protections they are?

Threat Prevention protection 39737

Threat Prevention protection 39708

Threat Prevention protection 39696


Thanks.
