This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion
‎2024-04-21 03:12 AM

Maestro high logging rate

If I understand correctly, all SGMs in a security group send their logs to the SMO.
The logs are then forwarded from the SMO to the Security Management Server.

We currently have 10 SGMs in the security group and we can see that the SMO requires a lot of CPU performance to process the log files.

Why am I asking the question:

- Can we speed up log processing on the SMO except to reduce logging via the policy settings?
- Are there any whitepapers or recommendations how we can deal with high log volume in Maestro environments?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
3 Replies
emmap
Employee
Employee
‎2024-04-21 08:57 PM

SGMs don't send their logs to SMO, they all make their own outbound TCP connections to the log server. Assuming they're routing out the mgmt interface, they will each have their own pool of source ports to use, so that the SMO can very efficiently pop the reply packets back over based purely on the dport of that reply packet. Hence it should not be that SMO is burdened with log generation. 

Can you provide more information on the CPU load you're seeing?

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2024-04-22 04:02 AM
In response to emmap

Thanks for the description.

I would open a support ticket for this case as I cannot make the information public.

@emmap Does Check Point have deep dive information that enhances the information in the Maestro training, SK's and Admin guides?
- E.g. what exactly do the
                  - VLAN 3700+SG (Correction Layer),
                  - VLAN 3800+SG (SYNC),
                  - VLAN 3900+SG (CIN) 
   used between MHO and appliance do? 
- Which of the VLANs mentioned above would be used to transmit the logs?


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
emmap
Employee
Employee
‎2024-04-22 04:30 AM
In response to HeikoAnkenbrand

I'm not sure if there's more information outside of training materials. Those VLANs are used internally on the downlinks for piping those virtual interfaces between SGMs/MHOs. There's also a VLAN per interface, 1024+port number. So if you're using eth1-Mgmt1, that would go over VLAN 1025 on the downlinks, as I understand it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events