Ven
Participant

pros & cons of Accounting on rules

Hello Experts, 

I would like to understand the pros & cons of enabling Accounting within a rule.

Also, does it have any effect on the Log server or GW, and will it in any way increase the log amount or slow indexing?

In summary: one of our customers has accounting enabled for 90% of their rules and complains that they are receiving a large amount of log data (50Gb of logs per day). Secondly, they cannot see live logs on the tracker (1-2 hr delay of logs on the tracker).

Upon reviewing and comparing the current daily log rate & indexing rate with the log server hardware datasheet, we understood that the machine is undersized, but I would like to understand if there are any parameters that we can tweak on the GW, MGMT and Log server to reduce the amount of log data and the indexing issue.

Many thanks!!

2 Replies
emmap
Employee

Accounting enabled means that the gateway has to add how much data was used on connections matching the rule, so it absolutely increases log volumes and resource utilisation on the gateways and log servers. Reviewing the requirement for accounting and disabling it on rules that have a lot of hits that don't need it would definitely help.

Tomer_Noy
Employee

On average, Accounting can double the number of logs in your environment as the gateway will send an initial log when a connection is opened and another log when the connection is closed to update on how much traffic passed on the connection.

For long-lived connections this can be even more because every ~10 minutes by default another update log will be sent with the traffic info up to that point. The update logs may be smaller in size, but there is still overhead and updating logs in the log server is more compute intensive than just adding logs.

Having said all the above, many customers do use Accounting but you need to make sure the log server is sized properly.

Another way to significantly reduce load and amount of logs is to leverage "Session Logs" instead of "Connection Logs". This is a setting in the detailed Track options of the rule (similar to Accounting). Instead of sending logs on each connection, the gateway can send an initial log on the first connection and then just accumulate data on subsequent connections that have the exact same match criteria, and only update the session every 10 minutes.
On very frequent and short-lived connections such as DNS, NTP and often http/https this can significantly reduce the volume of logs, with minimal sacrifice of information. Even queries will be faster because there are fewer logs to scan.

You can keep Accounting when using Session logs and you will have the total traffic info on the full session (which includes all similar connections).
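To make the log-volume effect described in the reply above concrete, here is an added Python model of how many log records a gateway would emit for the same traffic under Connection Logs, Connection Logs with Accounting, and Session Logs. It is an illustration written for this thread, not Check Point code, and it simplifies: "same match criteria" is assumed to be the (src, dst, dport, proto) 4-tuple, a connection or session is assumed to produce one update log per full 10-minute interval it stays open, and the traffic sample is constructed.

```python
"""Simplified model of firewall log volume under Connection Logs vs Session Logs,
with and without Accounting.  Constructed example for the thread above; the
counting rules are a simplified reading of the reply, not the vendor's implementation."""
from collections import defaultdict
from dataclasses import dataclass

UPDATE_INTERVAL = 600  # seconds; the ~10 minute default update period mentioned in the reply


@dataclass(frozen=True)
class Connection:
    start: float   # seconds from an arbitrary origin (constructed data)
    end: float
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def session_key(c):
    # Assumption: "exact same match criteria" modelled as this 4-tuple.
    return (c.src, c.dst, c.dport, c.proto)


def connection_logs(conns, accounting=False):
    """One log per connection.  With Accounting: an open log, a close log carrying
    the byte count, and one update log per full UPDATE_INTERVAL the connection stays open."""
    total = 0
    for c in conns:
        if accounting:
            total += 2 + int((c.end - c.start) // UPDATE_INTERVAL)
        else:
            total += 1
    return total


def session_logs(conns):
    """One log when a session (first connection for a key) opens, then one update
    per full UPDATE_INTERVAL the session stays active.  Returns (log_count,
    {key: total_bytes}); the byte totals are what Accounting on Session Logs reports."""
    first_start, last_end, total_bytes = {}, {}, defaultdict(int)
    for c in conns:
        k = session_key(c)
        first_start[k] = min(first_start.get(k, c.start), c.start)
        last_end[k] = max(last_end.get(k, c.end), c.end)
        total_bytes[k] += c.nbytes
    count = sum(1 + int((last_end[k] - first_start[k]) // UPDATE_INTERVAL)
                for k in first_start)
    return count, dict(total_bytes)


def sample_traffic():
    """Constructed traffic: 1000 one-second DNS queries, one every 2 s, from a single
    client, plus one HTTPS connection from the same client that stays open for 45 minutes."""
    dns = [Connection(start=2.0 * i, end=2.0 * i + 1, src="10.0.0.5", dst="10.0.0.53",
                      dport=53, proto="udp", nbytes=120) for i in range(1000)]
    https = [Connection(start=0.0, end=2700.0, src="10.0.0.5", dst="192.0.2.10",
                        dport=443, proto="tcp", nbytes=50_000_000)]
    return dns + https


if __name__ == "__main__":
    traffic = sample_traffic()
    print("connection logs:             ", connection_logs(traffic))
    print("connection logs + accounting:", connection_logs(traffic, accounting=True))
    n, totals = session_logs(traffic)
    print("session logs (+ accounting): ", n, totals)
```

On this sample the per-connection mode produces 1001 records, enabling Accounting roughly doubles that to 2006 (two records per short DNS query plus periodic updates for the long HTTPS connection), while Session Logs collapse the thousand DNS queries into a handful of records and still carry the per-session byte totals, which is the trade-off the reply describes.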
