This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maarten_Sjouw
Champion
Champion
‎2018-02-14 01:36 AM

SmartEvent Correlation units

All,

in our R77.30 setup we run a 3 server MDS set with abou 50 customers each, connected is a SmartEvent server with 3 Correlation units to be able to share the load. Now we also have a new R80.10 MDS server, where we add all new customers and also have 1 SmartEvent server and added 2 Correlation units.

Now we are being told the Correlation units will not be used in R80.10, can anyone give us some idea's on the best practice for these type of setups?

Regards, Maarten
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2018-02-14 02:44 PM

As far as I know, Correlation Units are still used in R80.10.

Who said that they were going away?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-02-15 07:52 AM
In response to PhoneBoy

One of my colleagues attended the CPX Barcelona and there it was told by a CP employee.

Today we had a session with our SE and Jim, one of the Nordic SE's.

Jim pointed out that the SmarEvent architecture for R77.x and R80.x are different.

In the R77.x SmartEvent setup, there is 1 link from Logging server to the correlation unit and from there to the SmartEvent server. 

In R80.x there is a link from the logging server to the Correlation Unit AND a link from the logging server to the SmartEvent server.

DUe to the latter in our setup 1 SmartEvent server is getting hit with the full load of all logging from all 400+ firewalls. While the correlation units are only configured to handle a number of Domains and are running on empty.

The advise was pretty simple, build more SmartEvent servers to handle the load of all logging.

Next to that in our setup we need to allow some customers access directly to the SmartEvent views, this would be a lot simpler in a full R80.x environment, but this means migrating those customers to the new setup with R80.10.

Regards, Maarten
PhoneBoy
Admin
Admin
‎2018-02-15 09:44 AM
In response to Maarten_Sjouw

Keep in mind that there are two different indexing processes going on pre-R80.x:

  • Logs (ala SmartLog)
  • Event Correlation (ala SmartEvent)

In R80.x, these have been unified to a single index. 
Log Servers in R80.x are doing a fair bit of the work already flagging the logs from various blades.

That means the Correlation Units in R80.x have a little less to do.

Do they go away? Not necessarily.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events