HeikoAnkenbrand
Champion

Maestro high logging rate

If I understand correctly, all SGMs in a security group send their logs to the SMO.
The logs are then forwarded from the SMO to the Security Management Server.

We currently have 10 SGMs in the security group and we can see that the SMO requires a lot of CPU performance to process the log files.

Why I am asking the question:

- Can we speed up log processing on the SMO except to reduce logging via the policy settings?
- Are there any whitepapers or recommendations on how we can deal with high log volume in Maestro environments?

➜ CCSM Elite, CCME, CCTE
0 Kudos
3 Replies
emmap
Employee

SGMs don't send their logs to SMO, they all make their own outbound TCP connections to the log server. Assuming they're routing out the mgmt interface, they will each have their own pool of source ports to use, so that the SMO can very efficiently pop the reply packets back over based purely on the dport of that reply packet. Hence it should not be that SMO is burdened with log generation. 

Can you provide more information on the CPU load you're seeing?

0 Kudos
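To make the steering model in the reply above concrete, here is an added Python illustration (not Check Point code, and not from this thread). It assumes, as a simplification, that each SGM owns a disjoint, contiguous slice of the ephemeral source-port range, that every SGM opens its own TCP connection to the log server, and that the SMO picks the member for a returning packet purely from that packet's destination port. The log-server address and the 257/tcp log port are constructed sample values.

```python
"""Toy model of per-SGM source-port pools and dport-based reply steering.

Added illustration of the reply above; it is not Check Point's implementation.
Assumptions (not from the thread): contiguous per-member port slices, and an
SMO that needs no connection table because the dport alone identifies the
member that opened the connection.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed ephemeral range (the Linux default); any disjoint split would do.
EPHEMERAL_LOW = 32768
EPHEMERAL_HIGH = 60999  # inclusive

# Constructed sample log-server endpoint (Check Point log traffic is 257/tcp).
LOG_SERVER = ("192.0.2.10", 257)


@dataclass
class SourcePortPool:
    """The slice of source ports one SGM may use for its outbound connections."""
    sgm_id: int
    low: int
    high: int
    next_port: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_port = self.low

    def allocate(self) -> int:
        """Hand out the next unused source port; fail loudly when the slice is spent."""
        if self.next_port > self.high:
            raise RuntimeError(f"SGM {self.sgm_id}: source-port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port


@dataclass(frozen=True)
class Connection:
    """A 4-tuple as seen from the SGM that opened it."""
    sgm_id: int
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


def build_pools(num_sgms: int, low: int = EPHEMERAL_LOW, high: int = EPHEMERAL_HIGH) -> Dict[int, SourcePortPool]:
    """Split the ephemeral range into num_sgms disjoint slices, keyed by SGM id (1-based)."""
    if num_sgms < 1:
        raise ValueError("need at least one SGM")
    total = high - low + 1
    size = total // num_sgms
    pools: Dict[int, SourcePortPool] = {}
    for i in range(num_sgms):
        sgm_low = low + i * size
        # The last member absorbs any remainder so the whole range is covered.
        sgm_high = high if i == num_sgms - 1 else sgm_low + size - 1
        pools[i + 1] = SourcePortPool(i + 1, sgm_low, sgm_high)
    return pools


def open_log_connection(pools: Dict[int, SourcePortPool], sgm_id: int, sgm_ip: str) -> Connection:
    """Each SGM opens its own TCP connection to the log server from its own port slice."""
    sport = pools[sgm_id].allocate()
    return Connection(sgm_id, sgm_ip, sport, LOG_SERVER[0], LOG_SERVER[1])


def steer_reply(pools: Dict[int, SourcePortPool], reply_dport: int) -> Optional[int]:
    """SMO-side decision: the reply's dport (the SGM's sport) alone names the owner."""
    for sgm_id, pool in pools.items():
        if pool.low <= reply_dport <= pool.high:
            return sgm_id
    return None  # not a port any member handed out; the model drops it


def demo(num_sgms: int) -> bool:
    """Open one log connection per SGM and check every reply lands on its originator."""
    pools = build_pools(num_sgms)
    ok = True
    for sgm_id in pools:
        conn = open_log_connection(pools, sgm_id, f"10.0.0.{sgm_id}")
        # The log server's reply swaps the tuple: its dport is the SGM's sport.
        steered = steer_reply(pools, conn.sport)
        ok = ok and steered == sgm_id
    return ok


if __name__ == "__main__":
    print("all replies steered to their originating SGM:", demo(10))
```

The point of the model is what it leaves out: the SMO keeps no state about the members' log connections, so the log volume itself should not translate into SMO CPU. If the SMO is nonetheless busy, look for work that does land there (per-member CPU, the management path, or something unrelated to logging) before cutting logging in the policy.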
HeikoAnkenbrand
Champion

Thanks for the description.

I would open a support ticket for this case as I cannot make the information public.

@emmap Does Check Point have deep dive information that enhances the information in the Maestro training, SKs and Admin guides?
- E.g. what exactly do the following VLANs, used between MHO and appliance, do?
  - VLAN 3700+SG (Correction Layer)
  - VLAN 3800+SG (SYNC)
  - VLAN 3900+SG (CIN)
- Which of the VLANs mentioned above would be used to transmit the logs?

➜ CCSM Elite, CCME, CCTE
0 Kudos
emmap
Employee

I'm not sure if there's more information outside of training materials. Those VLANs are used internally on the downlinks for piping those virtual interfaces between SGMs/MHOs. There's also a VLAN per interface, 1024+port number. So if you're using eth1-Mgmt1, that would go over VLAN 1025 on the downlinks, as I understand it.

0 Kudos