Fabz
Contributor

Threat Prevention Utilization

Checkmates,

Right now, utilization on the FW with VSLS is roughly 50% with URL Filtering, Application Control and VPN enabled. We have a plan to enable the security features gradually to maintain the FW utilization and minimize the impact in production.

Question :

  1. Of all the security features except URL Filtering, which feature has the biggest impact on FW resources? We plan to enable the feature that has the biggest impact on the FW first and then monitor it.
  2. After enabling the feature and using Detect Mode, does this mode have the lowest impact on resources compared to Prevent Mode?
  3. If the utilization already spikes to 90%, what is the best approach? Create exclusions in the TP policies / disable the feature / limit the concurrent connections?
  4. What happens if utilization reaches 100% on a CP FW? Will the FW automatically drop new traffic? Thank you...
3 Replies
G_W_Albrecht
Legend

1. See: https://support.checkpoint.com/results/sk/sk98348

2. Detect Mode & Prevent Mode have the same impact / resource use

3. Should never be, so do the sizing correctly

4. FW could freeze

CCSE CCTE CCSM SMB Specialist
PhoneBoy
Admin

Once you enable anything other than Firewall, VPN, and Mobile Access Blade, you’ll be using features that involve Medium Path.
The exact impact will depend on the policy, but they have a similar overall impact.

Detect Mode may actually be heavier than Drop because you’re ultimately doing the same work, but the additional traffic allowed by the Detect action may continue to have a performance impact.

Before you start disabling features due to load, it’s important to make sure you rule out other configuration issues that can cause performance issues.
This usually means reviewing things like the Super Seven output: https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40...

Timothy_Hall
Legend

1.  Top 3 blades in descending order of performance impact: HTTPS Inspection, IPS, Anti-Virus; although the amount of impact is heavily influenced by how these blades are configured

2. Inactive obviously has the lowest overhead, followed by Prevent.  Detect causes the highest overhead and should be avoided long-term if possible, especially on Protections/Signatures with a Performance Impact rating of Critical or High.

3. If you are already around 90%, I'd recommend against enabling any more blades, especially the 3 blades I mentioned above.  The correct approach would be to attempt optimization of your firewall's existing configuration or add new CPU cores to hopefully lower the overall CPU usage to a point where there is sufficient headroom to enable new features, 50% would be ideal if possible.

4. In general if CPU utilization reaches 100%, latency will begin to increase.  If it gets high enough packet loss can begin to occur at various points while attempting to traverse the firewall.  If memory utilization reaches 100% new connections may be denied for lack of resources and there are likely to be many other issues as well.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
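The replies above make two practical points: content-inspection blades push traffic from the SecureXL fast path into the Medium Path (PhoneBoy), and before enabling more blades you should check where the existing traffic is actually being handled and whether the cores have headroom (Timothy_Hall's 50% target). The following script is an added example, not code from the thread or from Check Point. It parses a constructed sample written in the style of `fwaccel stats -s` output (the line layout `<label> : <n>/<total> (<pct>%)` and the assumption that the Accelerated, PSLXL/CPASXL and F2Fed counters are disjoint shares of the total are this example's assumptions), computes the fast/medium/slow path split, and, together with a constructed list of per-core busy percentages, reports the findings a practitioner would want to clear before turning on IPS, Anti-Virus or HTTPS Inspection. The thresholds (5% slow path, 90% hot core, 50% target) are the example's own, not Check Point guidance.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `fwaccel stats -s` on a Check Point gateway.
# Assumption: each counter line has the layout "<label> : <n>/<total> (<pct>%)".
# The numbers are made up for illustration, not captured from a real gateway.
SAMPLE_FWACCEL_STATS = """\
Accelerated conns/Total conns : 1040/2020 (51%)
Accelerated pkts/Total pkts   : 29216437/35122890 (83%)
F2Fed pkts/Total pkts   : 3201534/35122890 (9%)
F2V pkts/Total pkts   : 114411/35122890 (0%)
CPASXL pkts/Total pkts   : 0/35122890 (0%)
PSLXL pkts/Total pkts   : 2704919/35122890 (7%)
QOS inbound pkts/Total pkts   : 0/35122890 (0%)
QOS outbound pkts/Total pkts   : 0/35122890 (0%)
Corrected pkts/Total pkts   : 0/35122890 (0%)
"""

# Constructed per-core CPU busy percentages (assumption: one value per core,
# as you would read them off `top` or `cpview`); also made up for the example.
SAMPLE_CPU_BUSY = [48, 52, 47, 55, 91, 50]

_LINE_RE = re.compile(
    r"^(?P<label>[A-Za-z0-9 /]+?)\s*:\s*(?P<num>\d+)/(?P<den>\d+)\s*\((?P<pct>\d+)%\)\s*$"
)


def parse_fwaccel_stats(text: str) -> dict[str, tuple[int, int]]:
    """Map each counter label to (count, total). Lines that do not match are ignored."""
    counters = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            counters[m.group("label").strip()] = (int(m.group("num")), int(m.group("den")))
    return counters


@dataclass(frozen=True)
class PathBreakdown:
    total_pkts: int
    fast_path: float    # "Accelerated pkts": handled entirely by SecureXL
    medium_path: float  # PSLXL + CPASXL: the paths content-inspection blades use
    slow_path: float    # "F2Fed pkts": forwarded to the firewall kernel (F2F)


def path_breakdown(counters: dict[str, tuple[int, int]]) -> PathBreakdown:
    """Turn raw counters into shares of "Total pkts".

    Assumption: the Accelerated, PSLXL/CPASXL and F2Fed counters are disjoint
    shares of the total; the sample above sums to roughly 99%.
    """
    def share(label: str) -> float:
        num, den = counters.get(label, (0, 0))
        return num / den if den else 0.0

    _, total = counters.get("Accelerated pkts/Total pkts", (0, 0))
    return PathBreakdown(
        total_pkts=total,
        fast_path=share("Accelerated pkts/Total pkts"),
        medium_path=share("PSLXL pkts/Total pkts") + share("CPASXL pkts/Total pkts"),
        slow_path=share("F2Fed pkts/Total pkts"),
    )


def headroom_findings(breakdown: PathBreakdown, cpu_busy: list[int], *,
                      slow_path_max: float = 0.05, core_busy_max: int = 90,
                      target_busy: int = 50) -> list[str]:
    """Findings to clear before enabling another blade.

    The thresholds are this example's own assumptions, not Check Point guidance:
    a slow-path share above `slow_path_max` means the existing config deserves a
    look first; any core at or above `core_busy_max` means no headroom; and
    `target_busy` is the per-core level the reply above calls ideal.
    """
    findings = []
    if breakdown.slow_path > slow_path_max:
        findings.append(f"slow path (F2F) carries {breakdown.slow_path:.1%} of packets; "
                        "review the policy/config before adding blades")
    hot = [i for i, busy in enumerate(cpu_busy) if busy >= core_busy_max]
    if hot:
        findings.append(f"cores {hot} are at >= {core_busy_max}% busy; no headroom for new blades")
    if cpu_busy and max(cpu_busy) > target_busy:
        findings.append(f"peak core busy {max(cpu_busy)}% exceeds the {target_busy}% target")
    return findings


if __name__ == "__main__":
    b = path_breakdown(parse_fwaccel_stats(SAMPLE_FWACCEL_STATS))
    print(f"fast {b.fast_path:.1%}  medium {b.medium_path:.1%}  slow {b.slow_path:.1%}")
    for f in headroom_findings(b, SAMPLE_CPU_BUSY):
        print("-", f)
```

On a real gateway you would feed the script the actual `fwaccel stats -s` text and the per-core figures from `top` or `cpview` instead of the constructed samples; the point of the split is that a high F2F share or one saturated core is a configuration problem to fix before any new blade is turned on, which is the order of operations both replies recommend.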