CPUG: The Check Point User Group


Thread: Policy installation takes long time

  1. #1
    Join Date
    2015-03-31
    Posts
    43
    Rep Power
    0

    Default Policy installation takes long time

    Hi Team,

    I'm running my environment with a distributed architecture and managing 2 cluster objects, each containing 2 firewalls.
    The rulebase has nearly 350 rules for each cluster and the number of objects is close to 1800.
    After a ransomware attack we started blacklisting IP addresses, which are given to us by the threat advisory team on a daily basis.
    Now the number of objects has increased to 5800 and it's growing day by day.
    In the initial days it took less than 1.5 minutes for policy saving, verification and installation.
    But nowadays it takes almost 2 minutes, or sometimes even more, just to save the policy.
    Verification and installation take almost 5 minutes or more.
    I am afraid of what will happen in future when the number of objects increases to more than 10000 or so.

    I have 2 queries:
    1. Is there any way to find objects that never get hits, inside rules which were configured long ago?
    2. Is there any other way to blacklist the botnet IP addresses?

  2. #2
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    257
    Rep Power
    7

    Default Re: Policy installation takes long time

    Blocking individual IP addresses does not help prevent attacks from botnets, since you will never be fast enough to adapt to their dynamics.
    A properly designed security policy combined with the IPS and Anti-Bot blades will block the bad guys anyway.
    Ransomware attacks are distributed in most cases by malicious e-mails, and that is what the Threat Emulation/Extraction blades are meant for.

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,231
    Rep Power
    13

    Default Re: Policy installation takes long time

    Quote Originally Posted by iamramu92 View Post
    Hi Team,

    I'm running my environment with a distributed architecture and managing 2 cluster objects, each containing 2 firewalls.
    The rulebase has nearly 350 rules for each cluster and the number of objects is close to 1800.
    After a ransomware attack we started blacklisting IP addresses, which are given to us by the threat advisory team on a daily basis.
    Now the number of objects has increased to 5800 and it's growing day by day.
    In the initial days it took less than 1.5 minutes for policy saving, verification and installation.
    But nowadays it takes almost 2 minutes, or sometimes even more, just to save the policy.
    Verification and installation take almost 5 minutes or more.
    I am afraid of what will happen in future when the number of objects increases to more than 10000 or so.

    I have 2 queries:
    1. Is there any way to find objects that never get hits, inside rules which were configured long ago?
    2. Is there any other way to blacklist the botnet IP addresses?
    Management version? Standalone or distributed? Kind of important in this case ...
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  4. #4
    Join Date
    2015-03-31
    Posts
    43
    Rep Power
    0

    Default Re: Policy installation takes long time

    Quote Originally Posted by ShadowPeak.com View Post
    Management version? Standalone or distributed? Kind of important in this case ...

    gaia R 77.30
    Distributed

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,231
    Rep Power
    13

    Default Re: Policy installation takes long time

    Quote Originally Posted by iamramu92 View Post
    gaia R 77.30
    Distributed
    On R77.30 management operations are single-threaded so there is not much you can do if the CPU is saturated during a policy verification. R80.10 handles this much better.

    One thing you can do is verify that the SMS is not running low on memory, as that will kill the performance of these types of operations. Please post the output of free -m

    You can block botnet addresses using the fw samp utility directly on the firewall if SecureXL is enabled and you won't have to create an object at all. Check out sk112454: How to configure Rate Limiting rules for DoS Mitigation.

  6. #6
    Join Date
    2015-03-31
    Posts
    43
    Rep Power
    0

    Default Re: Policy installation takes long time

    [Expert@******SMTSRV:0]# free -k
                 total       used       free     shared    buffers     cached
    Mem:       7942620    7890624      51996          0     153076    4050300
    -/+ buffers/cache:    3687248    4255372
    Swap:     17824108     909004   16915104

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,231
    Rep Power
    13

    Default Re: Policy installation takes long time

    Quote Originally Posted by iamramu92 View Post
    [Expert@******SMTSRV:0]# free -k
                 total       used       free     shared    buffers     cached
    Mem:       7942620    7890624      51996          0     153076    4050300
    -/+ buffers/cache:    3687248    4255372
    Swap:     17824108     909004   16915104
    You are almost 1GB into swap space, more RAM should help.

  8. #8
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    270
    Rep Power
    12

    Default Re: Policy installation takes long time

    Quote Originally Posted by ShadowPeak.com View Post
    You are almost 1GB into swap space, more RAM should help.
    Related to this, if you add more RAM, remember to set the system to 64-bit mode. It won't help with this directly (fwm is still a 32-bit process), but it will let the system as a whole allocate the memory a bit more effectively than 32-bit mode allows.
    Zimmie
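
Added example (not part of any post in this thread, and not Check Point tooling): a shell function that reads legacy `free -k` output, the layout posted in #6, and reports how much memory processes actually hold once buffers and cache are excluded, and how far the host is into swap. The function names and the 512 MiB warning threshold are assumptions for illustration; the sample figures are the ones posted above.

```sh
#!/bin/sh
# Summarise legacy `free -k` output (the layout with a "-/+ buffers/cache:"
# row) read from stdin. All input values are KiB; the report is in MiB.
# $1 = swap warning threshold in MiB (hypothetical default: 512).
free_summary() {
    swap_warn_mib="${1:-512}"
    awk -v warn="$swap_warn_mib" '
        $1 == "Mem:"  { total = $2; used = $3; buffers = $6; cached = $7 }
        $1 == "-/+"   { app_used = $3; have_app = 1 }
        $1 == "Swap:" { swap_used = $3; have_swap = 1 }
        END {
            # Refuse to report on input that is not free(1) output.
            if (!total || !have_swap) { print "status=parse_error"; exit 2 }
            # Without the -/+ row, derive the same figure from the Mem: row.
            if (!have_app) app_used = used - buffers - cached
            swap_mib = int(swap_used / 1024)
            printf "total_mib=%d app_used_mib=%d swap_used_mib=%d status=%s\n",
                int(total / 1024), int(app_used / 1024), swap_mib,
                (swap_mib >= warn ? "swapping" : "ok")
        }'
}

# Sample input: the figures posted in #6 (prompt and hostname omitted).
sample_free_output() {
    cat <<'EOF'
             total       used       free     shared    buffers     cached
Mem:       7942620    7890624      51996          0     153076    4050300
-/+ buffers/cache:    3687248    4255372
Swap:     17824108     909004   16915104
EOF
}

# On a live management server: free -k | free_summary
sample_free_output | free_summary
```

The "used" figure on the Mem: row includes page cache, so the -/+ row and the Swap: row are the ones to watch when judging whether the management server is short of RAM.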
