This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SDE_License_Acc
Participant
‎2018-06-15 03:11 AM

IPS questions

Hi every one. I am putting together some documentation to train the new starters on checkpoint IPS just an over view and some tasty in depth details sort of thing. I have a couple of questions that I am trying to find answers to.

The first one is a generic question over load on the firewall. Obviously switching on IPS will increase load on the gateway and this over all load will vary depending on the type and volume of traffic traversing the firewall. Can any one suggest a rough % increase as a ball park figure so for instance you would expect to see a 5% increase in CPU load on the firewall just fow switching on the IPS module. Do not worry about flagging the whole PXL (medium path) impact on secure XL I am going to be flagging that in a separate section as a heads up I am just looking for a ball park figure expected load increase on un-accelerated traffic. 

The second question is around the order of processing when traffic is passed to the streaming engine for deep inspection. Looking through the documentation I have found all the wonderful marketing listing some of the components such as:

Passive streaming Libary

Protocol Parsers

Context Management Infastucture

Pattern Matcher 

And others

What I was wondering is if checkpoint can comment on the order in which these engines are called so I can let students know that when it hits this engine these processes are going to be called and we can expect to see them called in this order?

Any input would be greatly appreciated.

5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2018-06-15 03:51 AM

There is a lot of existing documentation concerning your questions:

sk95193: ATRG: IPS gives insight into the IPS Blade and how it works

sk103657: Best Practices - IPS

sk98348 Best Practices - Security Gateway Performance both contain help for IPS optimization

Also interesting to read are:

sk92527 - Traffic rate through Security Gateway is decreased significantly when assigning any IPS pr...

sk43733 - How to measure CPU time consumed by IPS protections

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Huseyin_Rencber
Collaborator
‎2018-06-16 02:33 PM

Short summary of IPS architecture;

PSL (passive streaming layer) > Verify tcp retransmission, reassemble packets into a protcol segment, prevent tcp spoofing

USL (Unified Streaming Library) > This is the connector between PSL and protocol parsers. USL will decide which protocol parser will be used to retrieve information from packet.

SPII (Stateful Protocol Inspection Infrastructure ) > This will verify that the packet is RFC compliant and headers correspond to expected state.

CMI (Context Management ) > Recieves contexts from parsers, decides and runs active protections on relevant contexts, decides the final action to be performed on the packet. Core of the IPS 

PM (Pattern Matcher) > Enables protections to be more accurate. Decreases the development time of new protections.

Works in two tiers to improve performance.

ASPII (Accelerated Stateful Protocol Infrastructure ) > This manages which protection will run on which connection. 

Performance > IPS blade will definitely increase the load on gateway but depends on your protections in profile and vary traffic characteristic. Perhaps check mates may give the percentage of the IPS blade activation impact.

There is a script collects (get_ips_statistics.sh) and analyse data for showing which matched IPS protections cause a high load on the CPU. sk43733

Debug >  fw ctl zdebug + aspii spii cmi machine  | for knowing which protections actually run on a certain conn. 

#ips debug -e <filter > -o <output file>

flags >

-m fw + vm drop spii cmi aspii advp ips

Tomer_Sole
Mentor
Mentor
‎2018-06-16 10:20 PM

this guide contains deployment from beginner to advanced along with performance measuring tools: https://community.checkpoint.com/message/13840-r8010-ips-best-practices-guide 

0 Kudos
Huseyin_Rencber
Collaborator
‎2018-06-17 02:26 AM
In response to Tomer_Sole

In the related practices guide I could not find information about the asked questions, Is there more detailed doc for IPS blade

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-06-17 02:30 AM
In response to Huseyin_Rencber

Pages 17-18 discuss performance tuning, did you find that information useful?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events