IPS Analyzer Tool - are you running it?
The IPS Analyzer Tool runs on your gateway for a short amount of time, and issues an HTML report of which individual IPS protections took the most CPU and RAM on the gateway during the runtime of the tool.
Supported Gateways are R77 and above.
For more information go to IPS Analyzer Tool - How to analyze IPS performance efficiently
I wanted to use this thread to ask who is running it and what your thoughts on it are.
Q: Why can't I run it from SmartConsole by default?
A: We plan to add that in one of our next releases.
(Don't mind the actual names of the protections in this screenshot, this image is not a result of a run on an actual gateway, it is a random generation of existing protection names, just to showcase the report's look and feel):
Thanks
Thank you,
It is a little bit complicated to get by an e-mail.
==============================================
For getting the latest version of Analyzer tool please contact:
IPS_Analyzer_Tool@checkpoint.com
==============================================
I tried to use it, but never got useful output.
First, I did not enjoy using it because with MDS and VSX, there are many steps to perform manually to get visible output.
And second, most of the time my IPS Analyzer output was empty. I am not sure if this was due to "IPS Bypass under load" or simply no relevant connections during my run.
So, third, I was missing a concise instruction like how long to run the capture to get useful output, and whether it captures only new connections during the run or also existing connections.
Hey!
I tried to use it today for a customer and received twice some confusing, incomplete results...there were no protection names. Any idea?
Thx,
Mircea
Same here.
Any hints to resolve are appreciated.
The tool can now be downloaded from here:
Hello, is this tool available for R80.40 or is there something better? I tried to access the link but get an "Access Denied", even when logged in.
You do not have sufficient privileges for this resource or its parent to perform this action.
Hello,
I also wanted to use the IPS Analyzer to verify something in the lab. The SK shows "Access Denied" even though I can find it and it is listed as "Access Level: Basic".
As @Tomer_Sole seems to be inactive, maybe @Omer_Shliva can give us an explanation?
Kind regards, Arne
Hi Arne, the tool is retired, and the SK is no longer available. Mind, this post is 4 years old.
I found this tool quite helpful. Is there any new tool for analyzing the performance of IPS and maybe even other Blades? It would be really cool to see something like FW is only taking 20% CPU usage, but IPS adds another 10% and AV/AB 20%, etc.
Hi Val,
thank you for the quick response. I found it implemented as "ips stats" and "ips pmstats" and will give it a try with R81.10.
Nonetheless it would be helpful to place this information in an SK article, because a search for "IPS Analyzer" lists sk110737, the popup help lists R81.10 as relevant, but the SK does not load with an error message.
Kind regards, Arne
What kind of search are you referring to, Google?
Support Page actually displays this:
Hmmm, might be a caching issue, thanks for reporting. I will pass it on to the Support Center ppl
Hi Val,
I'm just curious if this tool shows the percentage of CPU utilization for each protection name in the report as well.
I've never used this tool before and would like to know how much CPU each IPS protection consumes.
Regards,
Sarm
See above, the tool is discontinued.
Hi Val,
I saw your comment about the tool being discontinued, and I am just wondering if the IPS analyzer tool provides information like the percentage of CPU used for each protection. I'm looking for a way to track how much CPU utilization each IPS protection consumes.
I'd really appreciate it if you could answer here.
Regards,
Sarm
You may want to give the newer IPS Collector a try, but it is not clear whether it is supported beyond R81.10:
sk128432: IPS Collector: On demand troubleshooting tool for customers
CET (Europe) Timezone Course Scheduled for July 1-2
Asking about obsolete tool capabilities is rather pointless, don't you think?
Performance impact is showing for each protection as Low/Moderate/High, but converting it to a precise percentage is tricky because it all depends on the traffic.
What are you trying to achieve, exactly?
Hey Tomer & All
I would like to share with you the following 2 SKs that you can use in case you want to do Performance investigation & Protection Impact understanding.
Solution 1:
From version 81.10, we have a better tool than the Analyzer: the tool was migrated on top of the HCP tool (see SK171436 - HealthCheck Point HCP). Once you install the HCP, it will be possible to see the protections' impact on the system in the final report under the Threat Prevention section.
In order to see Threat Prevention in the HCP report, do the following:
- hcp --enable-product "Threat Prevention"
- hcp -r all
It is possible to open the HCP report from inside SmartConsole using the HCP extension add-on; see the "SmartConsole Extension Installation" section of the HCP SK. If you don't want to use the extension in SmartConsole, please copy and paste the report from the gateway to your Windows environment and explore it.
Solution 2:
See sk167553 - "Performance Investigation Procedure - How To"
The Threat Prevention team created this SK in order to support customers with the most common performance investigations; it has almost everything the Threat Prevention team does while investigating a system under load.
Hope this answer gives you answers to all your questions.
Thanks so much, this will be very helpful for a new offering I am currently working on.
Hi L_Daniel
Thank you so much for sharing this, I will give it a try.
Regards,
Sarm
Hi,
Is it safe to run hcp along with TP enabled in production?
Will it have any impact on gateway operation?
Thanks
Hello
In general, it is another process that will run a few tests and close itself. During the runtime it might take a few system resources, as any other task you run on the system.
You can run hcp in either of the following ways:
1) execute all HCP tests and get a full report: hcp -r all (this command will take more system resources)
2) execute only Threat Prevention tests and get a TP report: hcp -r "Threat Prevention" (this command will take fewer resources than the previous one)
Hope I succeeded to help 🙂.
