IPS Performance Counters

2010-10-12, 22:44
If you received Check Point's Oct 12th security advisory, you'll notice a section in the middle:

Best Practice: Using IPS Performance Counters

Their provided instructions are a bit wrong; after some guesswork, the actual steps are as follows:

1. Start a zdebug capture. I don't use the & as it will leave the process running in the background needlessly, so instead use this command:
fw ctl zdebug >outputfile.txt
2. Start the statistical capture in another CLI window with this command:
fw ctl sdstat start
3. Generate traffic which triggers the specific IPS protections you want to measure, or just let traffic flow through the gateway, then stop statistics--this will write the statistical output gathered in the background to the zdebug output file:
fw ctl sdstat stop
4. Stop zdebug with Ctrl-C. Copy the output file to the management server and run the script against the policy:
$FWDIR/scripts/sdstat_analyse.csh outputfile.txt R70_policy
The script will automatically add the $FWDIR/conf/ to the policy name.

The output from the zdebug file doesn't differ much from the output of the script, just makes it slightly more readable by translating some numbers of the IPS signatures which are enabled in the policy to signature names. All in all this seems to be an interesting way to measure performance of IPS signatures.

2010-10-15, 16:42
Saw this and tried to run it, but I didn't have the sdstat_analyse.csh file on my MDS.

2010-10-18, 14:21
The sdstat_analyse.csh script is only supported on Splat systems with R70 and above. When using Provider-1 you need to set your env variables to the CMA that you want the output from with "mdsenv (cma name)". The script should be located under $FWDIR/scripts, which then translates to /opt/Cpsuite-R7x/fw1/scripts/sdstat_analyse.csh

- Dan Morris