G_W_Albrecht
Legend

Optimizing an IPS profile for SMB

Policy install on SMB appliances can fail if the IPS configuration enables too many protections. According to CP, SMB devices were never designed to run a full IPS policy and it is suggested to check sk105217 "Commit function failed"/"Installation failed" error on policy installation failure on sma... for configuration suggestions:

  • When managed by R80.x Security Management server, create an IPS profile based on the top of the built-in Optimized Profile; up to R77.30 Security Management server, clone the Recommended Profile.
  • Deactivate the "Server protections" option in IPS policy of the SMB Profile. In R80.x, it is found in the Pre R80 Settings:

[Screenshot: Deactivate Server Protections]

  • Deactivate IPS protections whose CVE is from 2010 and/or older - these are vulnerabilities you would rarely find in a Small Office environment and the performance impact of them is not cost effective.

In R80.x you can add categories to Profile > IPS > Additional Activation > Protections to deactivate list:


[Screenshot: R80.20 Optimized SMB Profile]

  • You can also deactivate IPS protections for traffic that does not pass through those gateways, e.g. Protocol FTP if FTP is never used.

If these adaptations do not resolve the policy install issue, you can consult sk117793 Policy installation / fetch fails on Centrally Managed 1400 appliance and sk126372 Policy installation on SMB appliances fails with "Load on Module failed - not enough disc s....

 

Please note that this is my own configuration that has not been checked by CheckPoint - and is open for discussions, corrections and additions. Also see this list SMB documents for more. 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

24 Replies
HristoGrigorov

Is it possible to exclude all but certain protocols from IPS? For example if I want only HTTP(S), DNS and SMTP inspected.

0 Kudos
G_W_Albrecht
Legend

As stated above, you can deactivate IPS for protocols not needing inspection.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

You do want me to go and exclude all protocols one by one. Ugh, that's what I want to avoid?

0 Kudos
PhoneBoy
Admin

IPS only inspects traffic allowed by your access policy.

If you only allow HTTPS, DNS, and SMTP via your access policy, IPS will only inspect that traffic.

0 Kudos
HristoGrigorov

Thanks for the clarification. That is somehow logical but I am being paranoid lately :)

0 Kudos
Rodney_Hopkins2
Contributor

This is absolutely true.  I would add one additional piece of information.  In my experience with 1100 devices, the recommendation to disable protections earlier than 2010 was not enough.  As the years progressed, I had to disable protections from later years as well.  For example, in 2014, disabling protections older than 2010 worked.  By 2015, I had to disable protections older than 2012.  2016, disable protections older than 2013 and so on.  For the 1100 series at least, it worked out to roughly a window of 3 to 5 years of IPS protections that I could have enabled at any given time.

The newer 1400 series have more RAM and are more powerful, so they may be able to handle more.

G_W_Albrecht
Legend

Just recently, I discovered that after firmware update to R77.20.80, on a 1140 SMB appliance policy install will fail as there are too many enabled blades, that is FW, VPN, IPS, ABOT, AV, APCL, URLF, QoS. Even setting new .80 Advanced Settings "Move temporary policy files to storage" to true does not help. That is a bad sign for a hardware that is supported until summer 2020...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

Yeah, hmm... It is now evident that SMB appliances are just not up to the task of being a full FW + TP solution. It is good that there are so many blades to choose from but running all of them at the same time is overkill even on 1470/1490. I have enabled only the AC/UF and IPS blades. Works somehow but SFWD process crashes way too often (max rss increased to 300MB). I understood there are other people experiencing same problem.

Would love to enable HTTPS inspection also. But I am kind of afraid to do it :)

And I wonder what it will be when/if R80.20 is released.

For me, stability is more important than anything else.  

0 Kudos
G_W_Albrecht
Legend

You have to think of SMB appliances as successors to the Edge / Safe@Office units - and in comparison, they have a whole lot more functionality - apart from NGTP, just look into the advanced routing possible now. But that enabling NGTP Blades lowers the traffic throughput is clear, and you can not argue that buying the blades and services makes the hardware able to cope with them performance-wise. More expensive hardware makes more resources available, it would be unnecessary otherwise 😉

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Rodney_Hopkins2
Contributor

Have you hit upon the magic combination or magic number of blades that can be enabled at once?

0 Kudos
G_W_Albrecht
Legend

No, because that also depends very much on the traffic, both its load and mix that can be quite different at every customer.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

This has been resolved by following this procedure:

- Cleared directories $FWDIR/state/__tmp/FW1, $FWDIR/database/cpeps_flash/ and $FWDIR/database/cpeps/

- enable only FW blade on SMB device object

- install policy

- enable TP blades on SMB object again

- install policy

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Pedro_Espindola
Advisor

Hello Hristo,

In the beginning I had some issues with HTTPS Inspection, but I worked with TAC and R&D was able to reach a stable build, I believe starting from build 402. GA is 392, but build 437 is available for download in sk134253 and also corrects some CVEs and VPN issues.

I am currently running HTTPS Inspection and full NGTP in a 1450 cluster with 12 users, 3 Site-to-site VPN Tunnels, 200 Mbps link. It is working fine.

There were some serious memory leak issues in SFWD but they seem to be solved as well. It has been weeks without a failover due to SFWD crash.

I believe we will see greater improvements in R77.20.85 also, which should be out in October.

HristoGrigorov

Hey Pedro,

I am running cluster of two 1470 appliances used by 70 users, 5 SS VPNs, few remote access users on a dual ISP connection with total 100 Mbps capacity. Not too much I think. Build is also 437.

Some days it will work fine, no issues. But on most of the days SFWD will crash every now and then. It is immediately restarted by a watchdog service and there is no failover in the cluster. In fact the only visible effect is that all SS VPNs are restarted (currently open user connections are dropped).  I have no other custom settings on the device other than the RSS memory increased to 300MB. R77.20.75 build 239 was the last one that had stable SFWD process that never crashed. 

SecureXL does not work also for me. When I enabled it device restarts in few minutes. TAC was able to fix that and provide me with custom build but I had to replace it with 437 because of the CVE security fixes. I hope they will include this fix in the main branch. 

HTTPS Inspection generally works here but I have disabled it because of the SNI problem that seems to be properly fixed only in R80.10 so far. Check this thread:

https://community.checkpoint.com/thread/6245-is-there-any-workaround-for-sni-https-traffic-when-enab... 

I hope stability will be improved even more but as we discussed in another thread current Gaia embedded design is not very good (everything is handled by a single process). I am assuming this and other things will change in R80.20 if it is still planned release for SMB.

0 Kudos
G_W_Albrecht
Legend

You wrote:

I hope stability will be improved even more but as we discussed in another thread current Gaia embedded design is not very good (everything is handled by a single process). I am assuming this and other things will change in R80.20 if it is still planned release for SMB.

I would expect that a much smaller hardware footprint exists on this kind of embedded devices and that everything is handled by a single process is only a symptom of a reduction process. I do not expect these things to change in the future - if the hardware platform gets more power (see the difference between 600/1100 and 7x0/14x0 models), more functionality can be added. But in the same time, the "big" GAiA devices also get better hardware that makes new functionality possible. So the SMB devices will always keep behind and no full R80.20 port could ever be released for install on SMB. I do remember the older SMB units being included in turbines to provide them safe internet connectivity. 1200Rs are just looking right for this field of application.

Next Version is R77.20.81, and a little bird has told me that it might bring more flexible ISP connections (more than four).

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
HristoGrigorov

Hi,

This is all too exciting but sadly SecureXL does not really work on SMB if you have ISP in load-balancing configuration. On primary/backup it works fine. I hope they fix that as well.

Reference sk104679

0 Kudos
G_W_Albrecht
Legend

The sk104679 does speak about ISP Redundancy enabled in Primary/Backup mode, and it also includes SMB as well as all CP versions up to R77.30. The configuration of ISPs in load-balancing configuration does not work with SecureXL at all despite hotfixes installed. I would not expect that this can be fixed for SMBs...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

Why would LB cause more load than HA? Btw, it is more like load sharing, not really balancing.

0 Kudos
G_W_Albrecht
Legend

HA only has to check if the primary is up, but LS has to distribute the load according to some algorithm or config between the ISPs. This is similar to the use of multiple cores as distributing work there also needs resources...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

Correct me if I am wrong but LB only works on outbound connections? Also, I do not think link selection algorithm is that complex to cause any significant load. It all depends on how many concurrent connections there are of course but still... Do not underestimate SMB power :)

Also, If it cannot LB between 2x ISP links why on earth would I need 4x ? One primary and three backups sounds crazy to me.

0 Kudos
G_W_Albrecht
Legend

You can use SecureXL together with ISP redundancy (let us use the correct term), but not when ISP LB is needed - but what is the gain of using SecureXL on SMBs? LB surely works on outbound connections as you rarely can control inbound connections.

The question of link selection algorithm is a rather complicated theme especially if the ISPs have different performance characteristics. Depending on hard- and software, adding a second core might give 30% to 70% improvement (maybe even up to 90%, but Amdahl's law rules).

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

Hmm, isn't SecureXL supposed to offload some traffic from firewall module thus reducing actual load on the system? Something especially needed on these low-end devices. 

I believe link selection on SMB is pure round-robin algorithm. :) I seriously doubt it is accounting for latency and such.... or keeping in time stats and trying to use some predictive methods... May be utilizing some fast math to prioritize link based on pre-configured preference.

I would vote for adding more memory and disk space rather than increasing number of cores but this is purely personal preference :)

0 Kudos
HristoGrigorov

Now, look at this. Beautiful isn't it? :)

[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:41:03] [INFO] CPWD is already performing active monitoring on CheckPoint services/processes
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:41:04] [SUCCESS] cposd started successfully (pid=2814)
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:41:04] [SUCCESS] RTDB started successfully (pid=2834)
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:42:38] [SUCCESS] SFWD started successfully (pid=5397)
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:42:43] [SUCCESS] CPHAMCSET started successfully (pid=6707)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 9:03:11] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 9:04:11] [SUCCESS] SFWD started successfully (pid=21999)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 11:32:19] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 11:33:19] [SUCCESS] SFWD started successfully (pid=28000)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 13:40:58] [ERROR] Process SFWD terminated abnormally : Unhandled signal 11 (SIGSEGV). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 13:41:58] [SUCCESS] SFWD started successfully (pid=30460)

0 Kudos
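The watchdog output in the post above, run through a small parser that pairs each abnormal SFWD termination with the restart that follows it. This is an added example, not part of the thread; the regular expressions, the `year` parameter (the log carries no year) and the flapping thresholds are assumptions based only on the lines shown.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the post above; the first SFWD start has no preceding crash.
SAMPLE = """\
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:41:03] [INFO] CPWD is already performing active monitoring on CheckPoint services/processes
[cpWatchDog 2162 1744208784]@RD6281[13 Sep 12:42:38] [SUCCESS] SFWD started successfully (pid=5397)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 9:03:11] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 9:04:11] [SUCCESS] SFWD started successfully (pid=21999)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 11:32:19] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 11:33:19] [SUCCESS] SFWD started successfully (pid=28000)
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 13:40:58] [ERROR] Process SFWD terminated abnormally : Unhandled signal 11 (SIGSEGV). Core dumped.
[cpWatchDog 2162 1744208784]@RD6281[14 Sep 13:41:58] [SUCCESS] SFWD started successfully (pid=30460)
"""

# Patterns are assumptions derived only from the lines shown in the post.
LINE = re.compile(r"\[cpWatchDog \d+ \d+\]@\S+?\[(?P<ts>\d+ \w{3} [\d:]+)\] \[(?P<level>\w+)\] (?P<msg>.*)")
CRASH = re.compile(r"Process (?P<proc>\S+) terminated abnormally : Unhandled signal (?P<sig>\d+)")
START = re.compile(r"(?P<proc>\S+) started successfully \(pid=\d+\)")


def crash_report(text, year=2000):
    """One dict per abnormal termination; restart_s is the delay until the next start."""
    events, pending = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The log carries no year, so an assumed one is appended before parsing.
        when = datetime.strptime(f"{m['ts']} {year}", "%d %b %H:%M:%S %Y")
        crash, start = CRASH.search(m["msg"]), START.search(m["msg"])
        if crash:
            ev = {"proc": crash["proc"], "signal": int(crash["sig"]), "crashed": when, "restart_s": None}
            events.append(ev)
            pending[crash["proc"]] = ev
        elif start and start["proc"] in pending:
            ev = pending.pop(start["proc"])
            ev["restart_s"] = (when - ev["crashed"]).total_seconds()
    return events


def flapping(events, limit=3, window=timedelta(hours=6)):
    """Processes with at least `limit` crashes inside any span of length `window`."""
    by_proc = {}
    for ev in events:
        by_proc.setdefault(ev["proc"], []).append(ev["crashed"])
    return sorted(p for p, ts in by_proc.items()
                  if any(b - a <= window for a, b in zip(sorted(ts), sorted(ts)[limit - 1:])))
```

On the lines from the post this reports three SFWD crashes (signals 6, 6 and 11), each followed by a restart 60 seconds later, and flags SFWD as flapping under the assumed thresholds.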
G_W_Albrecht
Legend

This is a completely different theme, so please post that separately from Optimizing an IPS profile for SMB

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
