Policy installation takes long time

[iamramu92]

Hi Team,

I'm running my environment with Distributed architecture and managing 2 cluster objects contains 2 firewalls on each cluster.
The rulebase has nearly 350 rules for each cluster and no of objects are near to 1800.
After Ransomware attack we started blacklisting IP addresses which is used to given by threat advisory team on daily basis.
Now the no of objects increased to 5800 and it's growing day by day.
On initial days it took less than 1.5 minutes for policy saving, verification and installation.
But now a days it takes almost 2 minutes or sometimes even more for saving the policy itself.
Verification and installation takes almost more than 5 minutes.
Am afraid what will happen in future when the no of objects increasing more than 10000 or odd.

I have 2 queries:
1.Is there any way to find out objects which never get hits inside the rule which configured long back.
2. Is there any other way to blacklist the botnet IP addresses

[slowfood27]

Blocking individual IP addresses is does not help prevent attacks from botnets, since you will never be fast enough to adopt to their dynamics.
A properly designed security policy combined with the IPS and Antibot-Blade will block the bad guys anyway.
Ransomware attacks are distributed in most cases by malicious e-mails, and there are the threat emulation/exctraction blades meant for.

[ShadowPeak.com]

Hi Team,

I'm running my environment with Distributed architecture and managing 2 cluster objects contains 2 firewalls on each cluster.
The rulebase has nearly 350 rules for each cluster and no of objects are near to 1800.
After Ransomware attack we started blacklisting IP addresses which is used to given by threat advisory team on daily basis.
Now the no of objects increased to 5800 and it's growing day by day.
On initial days it took less than 1.5 minutes for policy saving, verification and installation.
But now a days it takes almost 2 minutes or sometimes even more for saving the policy itself.
Verification and installation takes almost more than 5 minutes.
Am afraid what will happen in future when the no of objects increasing more than 10000 or odd.

I have 2 queries:
1.Is there any way to find out objects which never get hits inside the rule which configured long back.
2. Is there any other way to blacklist the botnet IP addresses

Management version? Standalone or distributed? Kind of important in this case ...

[iamramu92]

Management version? Standalone or distributed? Kind of important in this case ...

gaia R 77.30
Distributed

[ShadowPeak.com]

gaia R 77.30
Distributed

On R77.30 management operations are single-threaded so there is not much you can do if the CPU is saturated during a policy verification. R80.10 handles this much better.

One thing you can do is verify that the SMS is not running low on memory as that will kill the performance of these types of operations, please post the output of free -m

You can block botnet addresses using the fw samp utility directly on the firewall if SecureXL is enabled and you won't have to create an object at all. Check out sk112454: How to configure Rate Limiting rules for DoS Mitigation.

[iamramu92]

[Expert@******SMTSRV:0]# free -k
total used free shared buffers cached
Mem: 7942620 7890624 51996 0 153076 4050300
-/+ buffers/cache: 3687248 4255372
Swap: 17824108 909004 16915104

[ShadowPeak.com]

[Expert@******SMTSRV:0]# free -k
total used free shared buffers cached
Mem: 7942620 7890624 51996 0 153076 4050300
-/+ buffers/cache: 3687248 4255372
Swap: 17824108 909004 16915104

You are almost 1GB into swap space, more RAM should help.

[Bob_Zimmerman]

You are almost 1GB into swap space, more RAM should help.

Related to this, if you add more RAM, remember to set the system to 64-bit mode. It won't help with this directly (fwm is still a 32-bit process), but it will let the system as a whole allocate the memory a bit more effectively than 32-bit mode allows.