Network monitoring on Checkpoint ext interface



oharek
2018-01-29, 16:11
Hello,

My Checkpoint 4400 is my external firewall. I have upstream proxies in the DMZ that go through this firewall to the internet. Some users are complaining that the internet is slow on my corporate LAN, but I can see the CPU and resources on the Checkpoint are OK at less than 50%.

What network monitoring software could I use to see what traffic is going via the Checkpoint firewall? Bear in mind I don't have access to the proxy servers. I need to get my own network monitoring software for the external firewall.

Any ideas?

Bob_Zimmerman
2018-01-29, 18:25
Hello,

My Checkpoint 4400 is my external firewall. I have upstream proxies in the DMZ that go through this firewall to the internet. Some users are complaining that the internet is slow on my corporate LAN, but I can see the CPU and resources on the Checkpoint are OK at less than 50%.

What network monitoring software could I use to see what traffic is going via the Checkpoint firewall? Bear in mind I don't have access to the proxy servers. I need to get my own network monitoring software for the external firewall.

Any ideas?

Keep in mind processor consumption can be measured across all cores, or across a single core. 50% across all cores could be (and often is) 100% of one core. Same for 25% across all cores on a four-core box. When monitoring with 'top', hit the '1' key to show processor consumption per core.

For actual traffic monitoring, I would use one of two tools: fw monitor, or tcpdump.

tcpdump is a bit closer to the wire. It also shows MAC addresses, while fw monitor does not. This is my preferred tool for measuring latency on one side of a firewall. You can run many tcpdump captures at once by either backgrounding them or by running them in separate SSH sessions.

fw monitor, on the other hand, is great for measuring the latency caused by the firewall itself. It shows how long a packet takes to transit the software components inside the firewall with very good precision. It is also good for showing how the firewall changes a packet as it travels. You can see NAT decisions, routing, VPN, and so on. The biggest disadvantages are it doesn't record MAC addresses (you get interface name and network kernel position instead), and you can only run one at a time.
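As an added illustration of the per-core point above (my own example, not code from the thread or from Check Point), this script computes per-core busy percentages from two /proc/stat snapshots; it assumes the gateway's Gaia OS exposes the standard Linux /proc/stat layout, and the two snapshots below are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: per-core busy % from two /proc/stat
# snapshots. Gaia is Linux-based, so the standard field layout is assumed:
#   cpuN user nice system idle iowait irq softirq steal ...
# Shows how an aggregate "50%" can hide one core pinned at 100%.

# percore_busy SNAP1 SNAP2 -> one "name busy%" line per cpu line (aggregate first)
percore_busy() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
    /^---$/ { phase = 2; next }
    /^cpu/ {
        name = $1; total = 0
        for (i = 2; i <= NF; i++) total += $i
        idle = $5 + $6                  # idle + iowait both count as not busy
        if (phase != 2) { t1[name] = total; i1[name] = idle; order[++n] = name }
        else            { t2[name] = total; i2[name] = idle }
    }
    END {
        for (k = 1; k <= n; k++) {
            c = order[k]; dt = t2[c] - t1[c]; di = i2[c] - i1[c]
            busy = (dt > 0) ? 100 * (dt - di) / dt : 0
            printf "%s %.0f\n", c, busy
        }
    }'
}

# Live use on the gateway (not exercised offline): sample twice, N seconds apart.
# Same view you get from "top" followed by the "1" key, or from cpview.
live_percore() {
    a=$(cat /proc/stat); sleep "${1:-1}"; b=$(cat /proc/stat)
    percore_busy "$a" "$b"
}

# Constructed snapshots, 100 ticks apart per core: cpu0 spends all 100 ticks busy,
# cpu1 spends all 100 idle, so the aggregate line reads 50% while cpu0 is saturated.
SNAP1='cpu  100 0 100 200 0 0 0 0 0 0
cpu0 50 0 50 100 0 0 0 0 0 0
cpu1 50 0 50 100 0 0 0 0 0 0'
SNAP2='cpu  160 0 140 300 0 0 0 0 0 0
cpu0 110 0 90 100 0 0 0 0 0 0
cpu1 50 0 50 200 0 0 0 0 0 0'

percore_busy "$SNAP1" "$SNAP2"   # prints: cpu 50 / cpu0 100 / cpu1 0
```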

oharek
2018-01-30, 14:33
Keep in mind processor consumption can be measured across all cores, or across a single core. 50% across all cores could be (and often is) 100% of one core. Same for 25% across all cores on a four-core box. When monitoring with 'top', hit the '1' key to show processor consumption per core.

For actual traffic monitoring, I would use one of two tools: fw monitor, or tcpdump.

tcpdump is a bit closer to the wire. It also shows MAC addresses, while fw monitor does not. This is my preferred tool for measuring latency on one side of a firewall. You can run many tcpdump captures at once by either backgrounding them or by running them in separate SSH sessions.

fw monitor, on the other hand, is great for measuring the latency caused by the firewall itself. It shows how long a packet takes to transit the software components inside the firewall with very good precision. It is also good for showing how the firewall changes a packet as it travels. You can see NAT decisions, routing, VPN, and so on. The biggest disadvantages are it doesn't record MAC addresses (you get interface name and network kernel position instead), and you can only run one at a time.

Thanks for the advice. I will try both tcpdump and fw monitor, plus check the cores and CPU stats.

blason
2018-01-30, 22:13
I think CP should come with ntop, which is excellent in such scenarios, or even cpview would be useful to measure the performance.

Serge17
2018-02-13, 12:41
You can also use NetFlow for network monitoring.

eduardoxmunoz
2018-02-13, 23:21
Hi there... have you checked your Internet access speed with your ISP? Is the Internet access still slow during non-peak hours? What about testing a direct connection through the firewall (not using the proxy)?

jflemingeds
2018-02-13, 23:49
I think CP should come with ntop, which is excellent in such scenarios, or even cpview would be useful to measure the performance.

Nothing stopping you from compiling and running ntop yourself.