CPUG: The Check Point User Group


Thread: Network monitoring on Checkpoint ext interface

  1. #1
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    127
    Rep Power
    13

    Network monitoring on Checkpoint ext interface

    Hello,

    My Checkpoint 4400 is my external firewall. I have upstream proxies from the DMZ that go through this firewall to the internet. Some users are complaining that internet is slow on my corporate LAN, but I can see the CPU and resources on the Checkpoint are OK at less than 50%.

    What network monitoring software could I use to see what traffic is going via the Checkpoint firewall? Bear in mind I don't have access to the proxy servers. I need to get my own network monitoring software for the external firewall.

    Any ideas?

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    223
    Rep Power
    12

    Re: Network monitoring on Checkpoint ext interface

    Originally posted by oharek:
    Hello,

    My Checkpoint 4400 is my external firewall. I have upstream proxies from the DMZ that go through this firewall to the internet. Some users are complaining that internet is slow on my corporate LAN, but I can see the CPU and resources on the Checkpoint are OK at less than 50%.

    What network monitoring software could I use to see what traffic is going via the Checkpoint firewall? Bear in mind I don't have access to the proxy servers. I need to get my own network monitoring software for the external firewall.

    Any ideas?

    Keep in mind processor consumption can be measured across all cores, or across a single core. 50% across all cores could be (and often is) 100% of one core. Same for 25% across all cores on a four-core box. When monitoring with 'top', hit the '1' key to show processor consumption per core.

    For actual traffic monitoring, I would use one of two tools: fw monitor, or tcpdump.

    tcpdump is a bit closer to the wire. It also shows MAC addresses, while fw monitor does not. This is my preferred tool for measuring latency on one side of a firewall. You can run many tcpdump captures at once by either backgrounding them or by running them in separate SSH sessions.

    fw monitor, on the other hand, is great for measuring the latency caused by the firewall itself. It shows how long a packet takes to transit the software components inside the firewall with very good precision. It is also good for showing how the firewall changes a packet as it travels. You can see NAT decisions, routing, VPN, and so on. The biggest disadvantages are it doesn't record MAC addresses (you get interface name and network kernel position instead), and you can only run one at a time.
    Zimmie
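
Added example (not part of the original posts): a shell function that turns tcpdump text output, the capture tool recommended in the reply above, into a top-talkers list per source and destination pair. The sample lines are constructed and assume the line shape printed by `tcpdump -nn -q`; the names `top_talkers` and `sample_capture` are hypothetical.

```shell
#!/bin/sh
# Summarise "who is using the link" from tcpdump text output.
# Assumed live usage: tcpdump -nn -q -i <external-interface> | top_talkers 10
# The byte count is the length tcpdump prints per packet (payload), not frame size.

top_talkers() {
    # $1 = number of flows to show (default 5). Output: bytes packets src > dst
    awk '
    # Drop a trailing ":" and, only if a port is present (5 dotted parts), the port.
    function host(a) {
        sub(/:$/, "", a)
        if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) sub(/\.[0-9]+$/, "", a)
        return a
    }
    # Only IPv4 lines whose last field is a numeric length; ARP etc. are skipped.
    $2 == "IP" && $4 == ">" && $NF ~ /^[0-9]+$/ {
        key = host($3) " > " host($5)
        bytes[key] += $NF
        pkts[key]++
    }
    END { for (k in bytes) printf "%d %d %s\n", bytes[k], pkts[k], k }
    ' | sort -rn | head -n "${1:-5}"
}

# Constructed sample lines (documentation addresses), not a real capture.
sample_capture() {
    cat <<'EOF'
09:15:01.100001 IP 10.1.1.10.41022 > 203.0.113.5.443: tcp 1448
09:15:01.100210 IP 10.1.1.10.41022 > 203.0.113.5.443: tcp 1448
09:15:01.100400 IP 203.0.113.5.443 > 10.1.1.10.41022: tcp 0
09:15:01.220000 IP 10.1.1.11.53211 > 198.51.100.7.53: UDP, length 48
09:15:01.300000 IP 10.1.1.10.41022 > 203.0.113.5.443: tcp 1448
09:15:01.400000 IP 10.1.1.12 > 198.51.100.9: ICMP echo request, id 7, seq 1, length 64
09:15:01.500000 ARP, Request who-has 10.1.1.1 tell 10.1.1.12, length 28
EOF
}

sample_capture | top_talkers 3
```

Because the proxies sit in front of the users, the source addresses seen on the firewall will mostly be the proxies themselves; the destination side of each pair is what distinguishes the heavy flows.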

  3. #3
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    127
    Rep Power
    13

    Re: Network monitoring on Checkpoint ext interface

    Originally posted by Bob_Zimmerman:
    Keep in mind processor consumption can be measured across all cores, or across a single core. 50% across all cores could be (and often is) 100% of one core. Same for 25% across all cores on a four-core box. When monitoring with 'top', hit the '1' key to show processor consumption per core.

    For actual traffic monitoring, I would use one of two tools: fw monitor, or tcpdump.

    tcpdump is a bit closer to the wire. It also shows MAC addresses, while fw monitor does not. This is my preferred tool for measuring latency on one side of a firewall. You can run many tcpdump captures at once by either backgrounding them or by running them in separate SSH sessions.

    fw monitor, on the other hand, is great for measuring the latency caused by the firewall itself. It shows how long a packet takes to transit the software components inside the firewall with very good precision. It is also good for showing how the firewall changes a packet as it travels. You can see NAT decisions, routing, VPN, and so on. The biggest disadvantages are it doesn't record MAC addresses (you get interface name and network kernel position instead), and you can only run one at a time.

    Thanks for the advice. I will try both tcpdump and fw monitor, plus check the cores and CPU stats.

  4. #4
    Join Date
    2012-06-13
    Posts
    365
    Rep Power
    7

    Re: Network monitoring on Checkpoint ext interface

    I think cp should come with ntop, which is excellent in such scenarios, or even cpview would be useful to measure the performance.

  5. #5
    Join Date
    2017-07-07
    Posts
    21
    Rep Power
    0

    Re: Network monitoring on Checkpoint ext interface

    You can also use NetFlow for network monitoring.
    Check Point CCSA/CCSE/CCSE+
    Cisco CCNP/CCSP

  6. #6
    Join Date
    2006-03-21
    Posts
    69
    Rep Power
    13

    Re: Network monitoring on Checkpoint ext interface

    Hi there.... Have you checked your Internet access speed with your ISP? Is the Internet access still slow during non-peak hours? What about testing a direct connection through the firewall (not using the proxy)?

  7. #7
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,618
    Rep Power
    8

    Re: Network monitoring on Checkpoint ext interface

    Originally posted by blason:
    I think cp should come with ntop, which is excellent in such scenarios, or even cpview would be useful to measure the performance.

    Nothing stopping you from compiling and running ntop yourself.
