Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Fabz
Contributor

Threat Prevention Utilization

Checkmates,

Right now, utilization on the FW with VSLS roughly 50% with URL+App Control+VPN enabled. We have a plan to enable the security feature gradually to maintain the FW utilization and minimize the impact in the production.

Question :

  1. From all security features except URL Filtering,  what is the feature that make a big impact to the FW resources? We plan to enable the feature that have biggest impact to the FW first then monitoring it.
  2. After enabled the feature and creating Detect Mode, do this mode have lowest impact to the resource comparing to Prevent Mode?
  3. If the utiilization alrrady spike until 90%, what is the best approach? create exclusion on TP policies/disable feature/limit the concurrent connection?
  4. What happens if utilization reach 100% in CP FW? Do FW will automatically drop new traffic? Thank you...
0 Kudos
3 Replies
G_W_Albrecht
Legend
Legend

1. See: https://support.checkpoint.com/results/sk/sk98348

2. Detect Mode & Prevent Mode have the same impact / resource use

3. Should nerver be, so do the sizing corectly

4. FW could freeze

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

Once you enable anything other than Firewall, VPN, and Mobile Access Blade, you’ll be using features that involve Medium Path.
The exact impact will depend on the policy, but they have a similar overall impact.

Detect Mode may actually be heavier than Drop because you’re ultimately doing the same work, but the additional traffic allowed by the Detect action may continue to have a performance impact.

Before you start disabling features due to load, it’s important to make sure you rule out other configuration issues that can cause performance issues.
This usually means reviewing things like the Super Seven output: https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40...

 

0 Kudos
Timothy_Hall
Champion Champion
Champion

1.  Top 3 blades in descending order of performance impact: HTTPS Inspection, IPS, Anti-Virus; although the amount of impact is heavily influenced by how these blades are configured

2. Inactive obviously has the lowest overhead, followed by Prevent.  Detect causes the highest overhead and should be avoided long-term if possible, especially on Protections/Signatures with a Performance Impact rating of Critical or High.

3. If you are already around 90%, I'd recommend against enabling any more blades, especially the 3 blades I mentioned above.  The correct approach would be to attempt optimization of your firewall's existing configuration or add new CPU cores to hopefully lower the overall CPU usage to a point where there is sufficient headroom to enable new features, 50% would be ideal if possible.

4. In general if CPU utilization reaches 100%, latency will begin to increase.  If it gets high enough packet loss can begin to occur at various points while attempting to traverse the firewall.  If memory utilization reaches 100% new connections may be denied for lack of resources and there are likely to be many other issues as well.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Tue 23 Apr 2024 @ 08:00 AM (CDT)

    South US: HTTPS Inspection Best Practices

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events