2010 CPUG CON, Tobias Lachmann: Best Practices for the Check Point UTM-1 Appliances
TRANSCRIPT
-
8/9/2019 2010 CPUG CON Tobias Lachmann Best Practices for the Check Point UTM 1 Appliances
1/45
Best practices for the Check Point UTM-1 appliances
-
Agenda
Installation
User administration
System administration
System performance
-
Management HA
The UTM-1 appliances come with the NPM (Network Policy Management) blade and the ability to manage 2 gateways (model 272 and higher).
Set up Management on both machines during installation to get Management High Availability (available since NGX R65 with Messaging Security).
-
Management HA (slides 4 to 10: screenshots of the Management HA setup, no text content)
-
Disk space
SecurePlatform (SPLAT) on the UTM-1 appliances uses the Logical Volume Manager (LVM).
-
Disk space (slide 12: screenshot only)
-
Disk space
Volume group vg_splat with its logical volumes (lv_fcd65 holds the NGX R65 factory default image, see below):
[Expert@firewallr70]# lvs
  LV         VG       Attr   LSize
  lv_current vg_splat -wi-ao 10.00G
  lv_fcd     vg_splat -wi-a-  4.00G
  lv_fcd65   vg_splat -wi-a-  4.00G
  lv_hfa     vg_splat -wi-a-  8.00G
  lv_log     vg_splat -wi-ao 60.00G
  lv_upgrade vg_splat -wi-a-  8.00G
-
Disk space
The logical volumes are not sized right for every need. This becomes a problem during in-place upgrades, where the old packages are left on the disk.
-
Disk space
[Expert@firewallr65]# df -h
Filesystem                       Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current  5.0G  1.7G  3.0G  36% /
none                             5.0G  1.7G  3.0G  36% /dev/pts
/dev/hda1                        145M   13M  125M  10% /boot
none                             502M     0  502M   0% /dev/shm
/dev/mapper/vg_splat-lv_log      9.9G   33M  9.4G   1% /var/log

[Expert@firewallr70]# df -h
Filesystem                       Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current  7.9G  2.2G  5.4G  29% /
/dev/hda1                        145M   20M  117M  15% /boot
/dev/mapper/vg_splat-lv_log       60G  182M   56G   1% /var/log
-
Disk space
Logical volumes can be extended with lvresize, the filesystem on top of them with resize2fs.
lvresize can be run at any time.
Linux kernel 2.4 (NGX R65) requires offline resizing of the filesystem, i.e. the volume must not be mounted.
Linux kernel 2.6 (R70 and later) supports online resizing (growing only) of a mounted filesystem.
-
Disk space
First we need to figure out how much space is left in the volume group:
[Expert@firewallr70]# pvs
  PV         VG       Fmt  Attr PSize   PFree
  /dev/hda2  vg_splat lvm2 a-   157.82G 52.82G
-
Disk space
How much space is assigned to the logical volumes?
[Expert@firewallr70]# lvs
  LV         VG       Attr   LSize
  lv_current vg_splat -wi-ao 10.00G
  lv_fcd     vg_splat -wi-a-  4.00G
  lv_fcd65   vg_splat -wi-a-  4.00G
  lv_hfa     vg_splat -wi-a-  8.00G
  lv_log     vg_splat -wi-ao 60.00G
  lv_upgrade vg_splat -wi-a-  8.00G
-
Disk space
Resize the logical volume:
[Expert@firewallr70]# lvresize -L 70G vg_splat/lv_log
  Extending logical volume lv_log to 70.00 GB
  Logical volume lv_log successfully resized
-
Disk space
Resize the filesystem (online, R70):
[Expert@firewallr70]# resize2fs /dev/vg_splat/lv_log
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/vg_splat/lv_log is mounted on /var/log; on-line resizing required
Performing an on-line resize of /dev/vg_splat/lv_log to 18612224 (4k) blocks.
The filesystem on /dev/vg_splat/lv_log is now 18612224 blocks long.
-
Disk space
If the online resize aborts with
resize2fs: Operation not permitted
While trying to add group #128
check the size of the ext3 journal, then remove and recreate it (tune2fs -j picks the default journal size for the current filesystem size) and run resize2fs again. tune2fs only lets you clear has_journal on a filesystem that is unmounted or mounted read-only, so this step has to be done with /var/log unmounted, e.g. from maintenance mode:
[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep 'Journal size'
Journal size: 32M
[Expert@firewall]# tune2fs -O ^has_journal /dev/vg_splat/lv_log
[Expert@firewall]# tune2fs -j /dev/vg_splat/lv_log
Creating journal inode: done
[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep 'Journal size'
Journal size: 128M
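The pvs / lvs / lvresize / resize2fs sequence from the slides, wrapped into a small planning script. This is an added example, not code from the slides or from Check Point: it parses the pvs and lvs output, refuses a shrink (ext3 cannot be shrunk online and shrinking the LV under a mounted filesystem destroys it), checks that the volume group really has the space, and only then prints the two commands. The sample outputs embedded below are the ones shown on the slides; on an appliance feed it `"$(pvs -o pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free)"` and `"$(lvs -o lv_name,vg_name,lv_attr,lv_size)"` so the columns match. It assumes the appliance's lvm2 prints sizes with a G, M or T suffix as on the slide.

```shell
#!/bin/sh
# Added example: plan an online LVM/ext3 grow the way the slides do it, but
# check the numbers before touching anything. Sample output copied from the
# slides (R70 appliance); the column layout assumed is the one shown there.

SAMPLE_PVS='  PV         VG       Fmt  Attr PSize   PFree
  /dev/hda2  vg_splat lvm2 a-   157.82G 52.82G'

SAMPLE_LVS='  LV         VG       Attr   LSize
  lv_current vg_splat -wi-ao 10.00G
  lv_fcd     vg_splat -wi-a-  4.00G
  lv_fcd65   vg_splat -wi-a-  4.00G
  lv_hfa     vg_splat -wi-a-  8.00G
  lv_log     vg_splat -wi-ao 60.00G
  lv_upgrade vg_splat -wi-a-  8.00G'

# to_gb SIZE: convert an LVM size string such as 52.82G, 512.00M or 1.50T
# into gigabytes with two decimals.
to_gb() {
    printf '%s\n' "$1" | awk '{
        unit = substr($0, length($0), 1)
        n = substr($0, 1, length($0) - 1) + 0
        if (unit == "M") n = n / 1024
        else if (unit == "T") n = n * 1024
        printf "%.2f\n", n
    }'
}

# vg_free_gb VG PVS_OUTPUT: free space in VG, summed over all of its PVs.
vg_free_gb() {
    sum=0
    for pfree in $(printf '%s\n' "$2" | awk -v vg="$1" 'NR > 1 && $2 == vg { print $NF }'); do
        sum=$(awk -v a="$sum" -v b="$(to_gb "$pfree")" 'BEGIN { printf "%.2f", a + b }')
    done
    printf '%s\n' "$sum"
}

# lv_size_gb VG LV LVS_OUTPUT: current size of VG/LV; fails if it does not exist.
lv_size_gb() {
    size=$(printf '%s\n' "$3" | awk -v vg="$1" -v lv="$2" 'NR > 1 && $1 == lv && $2 == vg { print $4 }')
    [ -n "$size" ] || return 1
    to_gb "$size"
}

# plan_lv_extend VG LV NEW_GB PVS_OUTPUT LVS_OUTPUT: print the two commands
# that grow VG/LV to NEW_GB, or fail (printing nothing on stdout) when the LV
# is unknown, the request would shrink it, or the VG lacks the space.
plan_lv_extend() {
    vg=$1 lv=$2 new=$3
    cur=$(lv_size_gb "$vg" "$lv" "$5") || { echo "error: $vg/$lv not found" >&2; return 2; }
    free=$(vg_free_gb "$vg" "$4")
    need=$(awk -v n="$new" -v c="$cur" 'BEGIN { printf "%.2f", n - c }')
    # ext3 cannot be shrunk online, and shrinking the LV under a mounted
    # filesystem destroys it, so a "resize" downwards is refused outright.
    if awk -v x="$need" 'BEGIN { exit !(x <= 0) }'; then
        echo "error: $vg/$lv is ${cur}G, refusing to shrink to ${new}G" >&2; return 3
    fi
    if awk -v x="$need" -v f="$free" 'BEGIN { exit !(x > f) }'; then
        echo "error: growing needs ${need}G but $vg has only ${free}G free" >&2; return 4
    fi
    printf 'lvresize -L %sG %s/%s\n' "$new" "$vg" "$lv"
    printf 'resize2fs /dev/%s/%s\n' "$vg" "$lv"
}

# Stand-alone demo: the slides' 60G -> 70G grow of lv_log.
plan_lv_extend vg_splat lv_log 70 "$SAMPLE_PVS" "$SAMPLE_LVS"
```

Read the two printed commands, then pipe them into `sh -x`. The planner deliberately leaves the journal workaround from the slide alone: if resize2fs still fails with the add-group error, the journal has to be recreated with /var/log unmounted.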
-
Disk space
Resize filesystem (NGX R65):
boot into maintenance mode
unmount the volume before resizing
to resize lv_current (the root filesystem) you have to boot from an alternative device (http://blog.lachmann.org/modified_GRML2010.04.iso)
detailed instructions can be found here: http://blog.lachmann.org/2010/06/update-to-r71-enlarging-utm-1-appliance-root-partitions/
-
Disk space
Resize filesystem (NGX R65), the easier way:
delete temporary files, the AV/URLF databases etc. to free enough space for the upgrade
upgrade to R70
immediately do the online resizing
start using your firewall
-
Disk space
Do you really need the old factory default images?
NGX R62 image on NGX R65 appliances
NGX R65 image on R70 appliances
-
(slide 25: screenshot only)
-
Disk space
Modify /boot/grub/grub.conf and delete the section referring to R65:
title Reset to factory defaults - NGX_(R65)
    confirm This will erase the entire configuration. Do you wish to continue [no]:
    root (hd0,0)
    kernel /fcd65/vmlinuz ro root=/dev/mapper/vg_splat-lv_fcd65 console=CURRENT restore fcd65 single
    initrd /fcd65/initrd
Then delete the boot files in /boot/fcd65.
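The grub.conf edit from the slide done with a script instead of by hand, as an added example that is not part of the original deck: the stanza is matched by a fixed string in its title line, the rest of the file is copied unchanged, and the function warns when the `default=` index points at or beyond the removed entry, because the remaining entries shift down by one and the appliance would otherwise boot a different stanza next time. The sample grub.conf is constructed from the stanza shown on the slide plus a normal boot entry and a second factory-default entry; the real file on an appliance has its own set of entries.

```shell
#!/bin/sh
# Added example: remove one "title" stanza from a GRUB legacy grub.conf.
# SAMPLE_GRUB is constructed: the R65 stanza is the one from the slide, the
# other two entries are made up to give default= something to point at.

SAMPLE_GRUB='default=0
timeout=5
title Start in normal mode
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/mapper/vg_splat-lv_current
    initrd /initrd
title Reset to factory defaults - NGX_(R65)
    confirm This will erase the entire configuration. Do you wish to continue [no]:
    root (hd0,0)
    kernel /fcd65/vmlinuz ro root=/dev/mapper/vg_splat-lv_fcd65 console=CURRENT restore fcd65 single
    initrd /fcd65/initrd
title Reset to factory defaults - R70
    confirm This will erase the entire configuration. Do you wish to continue [no]:
    root (hd0,0)
    kernel /fcd/vmlinuz ro root=/dev/mapper/vg_splat-lv_fcd
    initrd /fcd/initrd'

# remove_grub_stanza TEXT: copy grub.conf from stdin to stdout, dropping every
# "title" stanza whose title line contains TEXT (a fixed string, so the
# parentheses in NGX_(R65) need no escaping). Fails if nothing matched.
# Warns on stderr when default= points at or past a removed entry.
remove_grub_stanza() {
    awk -v pat="$1" '
        /^[ \t]*default[ \t]*=/ {
            def = $0; sub(/^[ \t]*default[ \t]*=[ \t]*/, "", def); def += 0; have_def = 1
        }
        /^title/ {
            if (index($0, pat) > 0) {
                skip = 1; removed++
                if (!have_idx) { idx = n; have_idx = 1 }
            } else {
                skip = 0
            }
            n++
        }
        !skip { print }
        END {
            if (!removed) {
                print "remove_grub_stanza: no stanza matched \"" pat "\"" > "/dev/stderr"
                exit 1
            }
            if (have_def && def >= idx)
                print "remove_grub_stanza: warning: default=" def " pointed at or beyond removed entry " idx "; fix default= before rebooting" > "/dev/stderr"
        }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_GRUB" | remove_grub_stanza 'NGX_(R65)'
```

On the appliance, keep a copy and write the new file from it: `cp /boot/grub/grub.conf /boot/grub/grub.conf.orig && remove_grub_stanza 'NGX_(R65)' < /boot/grub/grub.conf.orig > /boot/grub/grub.conf`, then `rm -rf /boot/fcd65` as on the slide. The 4 GB only come back to vg_splat once the now orphaned volume is removed with `lvremove vg_splat/lv_fcd65` (a standard LVM command, not shown on the slide); after that the R65 factory reset is gone for good.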
-
LCD display
http://www.cpug.org/forums/check-point-utm-1-appliances/10248-modifying-utm-1-lcd-display.html
Script provided by board member "banduraj".
-
Changing the shell
[Expert@firewallr70]# chsh -s /bin/bash admin
Changing shell for admin.
Shell changed.
[Expert@firewallr70]# cat /etc/passwd | grep admin
admin:x:0:0::/home/admin:/bin/bash
[Expert@firewallr70]# chsh -s /bin/cpshell admin
Changing shell for admin.
Shell changed.
[Expert@firewallr70]# cat /etc/passwd | grep admin
admin:x:0:0::/home/admin:/bin/cpshell
Keep in mind that admin is UID 0: with /bin/bash as login shell every admin login lands in a full root shell right away, skipping cpshell's restricted command set and its expert-mode password prompt, so switch back to /bin/cpshell when you are done.
-
Shell timeout (cpshell)
[Expert@firewallr70]# timed out waiting for input: auto-logout
The idle command shows and sets the cpshell inactivity timeout in minutes:
[firewallr70]# idle
10 minutes
[firewallr70]# idle 999
[firewallr70]# idle
999 minutes
-
Shell timeout (bash)
[Expert@firewallr70]# unset TMOUT
To make it permanent, add the unset to ~/.bash_profile:
[Expert@firewallr70]# cat .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:$HOME/bin

export PATH
unset USERNAME
unset TMOUT
Both the idle setting and unset TMOUT switch off the auto-logout of a root-equivalent session; raise them for the session you are working in rather than leaving them disabled.
-
SCP
create a user
change its shell to bash
create /etc/scpusers
add the user to that file
[Expert@firewallr70]# cat /etc/scpusers
admin
-
NTP and timezone
Configure the NTP server in the WebUI.
There you are only allowed to specify a GMT offset; daylight saving time (DST) is not considered.
Use sysconfig to configure the timezone and get the correct local time.
-
Log file maintenance
[Expert@fw1]# cat /usr/bin/del_logs.sh
#!/bin/bash
# Delete Check Point log files (and their accompanying .logptr pointer files) older than 217 days.
# -name is used instead of a shell glob so a large log directory cannot overflow the argument list.
/usr/bin/find /var/log/opt/CPsuite-R71/fw1/ -maxdepth 1 -name '*.log*' -ctime +217 -print -exec rm -f {} \;
The number after -ctime is the age in days: +217 matches files whose inode change time is more than 217 days ago, so logs are kept for 217 days. Be aware that ctime also changes on chmod, chown or mv, not only on writes; logs you restore or move into the directory survive for another 217 days unless you switch the test to -mtime.
Run it daily from cron:
[Expert@fw1]# crontab -l
42 11 * * * /usr/bin/del_logs.sh
-
Backup file maintenance
[Expert@firewallr70]# cat /usr/bin/del_backup.sh
#!/bin/bash
# Delete backup archives older than 7 days.
/usr/bin/find /var/CPbackup/backups/ -maxdepth 1 -name '*.tgz' -ctime +7 -print -exec rm -f {} \;
The number after -ctime is the age in days: +7 keeps the backups of the last 7 days. The same ctime vs. mtime caveat as for the log script applies.
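Both clean-up scripts (logs above, backups here) are the same operation with a different directory, pattern and age, so here is one retention function that covers both, with a dry-run mode that lists what would be deleted before anything goes. This is an added example, not from the slides: it uses -mtime rather than the slides' -ctime for the reason given above, and the two wrappers at the end only carry the slides' locations as defaults. It assumes GNU find (for -maxdepth) as shipped on SecurePlatform, and that $FWDIR is set in the expert shell (e.g. /opt/CPsuite-R71/fw1) with $FWDIR/log being the log directory the slide addresses through /var/log/opt/CPsuite-R71/fw1/ (assumption: standard SPLAT layout).

```shell
#!/bin/sh
# Added example: one retention function for the log and backup clean-up
# scripts from the slides, with a dry-run mode.

# prune_older_than DIR PATTERN DAYS [dry]: delete (or, with "dry", just list)
# regular files directly inside DIR whose name matches PATTERN and whose last
# modification is more than DAYS days ago. -mtime is used instead of -ctime:
# ctime also jumps on chmod/chown/mv, so a file restored or moved yesterday
# would survive a ctime-based purge for another DAYS days.
prune_older_than() {
    dir=$1 pat=$2 days=$3 mode=${4:-delete}
    [ -d "$dir" ] || { echo "prune_older_than: $dir is not a directory" >&2; return 2; }
    case $days in
        ''|*[!0-9]*) echo "prune_older_than: DAYS must be a whole number of days" >&2; return 2 ;;
    esac
    # -maxdepth 1 keeps find out of subdirectories; -type f skips directories
    # and symlinks that happen to match the pattern.
    if [ "$mode" = dry ]; then
        find "$dir" -maxdepth 1 -type f -name "$pat" -mtime +"$days" -print
    else
        find "$dir" -maxdepth 1 -type f -name "$pat" -mtime +"$days" -print -exec rm -f {} \;
    fi
}

# Wrappers with the slides' locations and retention periods. FWDIR is set in
# the Check Point expert shell (assumed: e.g. /opt/CPsuite-R71/fw1).
del_logs()    { prune_older_than "${FWDIR:?FWDIR is not set}/log" '*.log*' 217 "$@"; }
del_backups() { prune_older_than /var/CPbackup/backups '*.tgz' 7 "$@"; }
```

Call `del_logs dry` or `del_backups dry` first and read the list; the cron entries from the slides then just run `del_logs` and `del_backups` without the argument.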
-
Delete all ARP entries
#!/bin/bash
# Walk the kernel ARP table and delete every IPv4 entry. The header row of
# /proc/net/arp is skipped and only dotted-quad addresses are passed to arp.
# (The original slide used the bracket expression [0-9{1,3}], which does not
# match an address; the regex below does.)
for arpentry in $(awk 'NR > 1 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' /proc/net/arp)
do
    arp -d "$arpentry"
done
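The same ARP flush as a pair of functions, as an added example that is not part of the slide: the table parsing is separated from the deletion, an interface filter is added so you can clear just the segment whose router or cluster member changed its MAC address, and a dry-run mode prints the `arp -d` commands instead of running them. The ARP table below is constructed in the format of /proc/net/arp (one header row, then IP, HW type, Flags, HW address, Mask, Device); on the appliance pass /proc/net/arp itself.

```shell
#!/bin/sh
# Added example: parse /proc/net/arp as the slide's script intends, with an
# optional interface filter and a dry-run mode. SAMPLE_ARP is constructed.

SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.5         0x1         0x2         00:aa:bb:cc:dd:ee     *        eth1'

# arp_targets FILE [DEV]: print the IPv4 address of every entry in the ARP
# table FILE (normally /proc/net/arp), optionally only those on device DEV.
# The header row and anything that is not a dotted quad are skipped; entries
# with flags 0x0 (incomplete, never resolved) are included so they are
# cleared as well.
arp_targets() {
    awk -v dev="${2:-}" '
        NR > 1 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && (dev == "" || $6 == dev) { print $1 }
    ' "$1"
}

# arp_flush FILE [DEV] [dry]: delete every matching entry with arp -d and
# print how many were handled; in dry mode print the commands instead.
arp_flush() {
    file=$1 dev=$2 mode=${3:-delete} count=0
    for ip in $(arp_targets "$file" "$dev"); do
        if [ "$mode" = dry ]; then
            echo "arp -d $ip"
        else
            arp -d "$ip" || echo "arp_flush: could not delete $ip" >&2
        fi
        count=$((count + 1))
    done
    [ "$mode" = dry ] || echo "$count"
}
```

Usage on the appliance: `arp_flush /proc/net/arp eth0 dry` to see what would go on eth0, then `arp_flush /proc/net/arp eth0`. Every deleted neighbour has to be re-resolved before the next packet to it can be delivered, so on a busy firewall prefer flushing one interface over the whole table.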
-
R71
Quote from the R71 release notes:
UTM-1 appliances provide enhanced Firewall & IPS performance featuring patented SecureXL technology, available at no extra cost:
Up to 4 times Firewall Throughput improvement.
Up to 3 times IPS Throughput improvement.
Up to 4 times connection/sec rate improvement.
-
R71
Performance improvement with R71 (official numbers)
UTM-1 450
Intel Celeron M 1.5 GHz, 1 GB RAM, 80 GB ATA HDD
Firewall Throughput (R65): 400 Mbps
VPN Throughput (R65): 200 Mbps
UTM-1 570
Intel Celeron M 1.5 GHz, 1 GB RAM, 160 GB ATA HDD
Firewall Throughput: 2.5 Gbps
VPN Throughput: 300 Mbps
IPS Throughput: 1.7 Gbps
-
Antivirus
Quote from the R71 release notes:
New Streaming architecture available with Anti-Virus & URL Filtering Software Blades provides a performance boost for UTM features:
Up to 15 times Anti-Virus Throughput improvement.
Up to 80 times Anti-Virus & URL Filtering connection capacity improvement.
-
Antivirus
My tests with a UTM-1 270 appliance and R71 showed 100% more throughput with Antivirus scanning using Stream Detection mode than with NGX R65 and Messaging Security.
-
Antivirus (slide 40: chart only)
-
HTTP connection buffer
sk36090 describes an error where internet browsing becomes slow until internet connectivity fails.
Problem: the HTTP buffer size is too low.
Solution: increase the buffer.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk36090
-
HTTP connection buffer
Go to Policy -> Global Properties -> SmartDashboard Customization
Click on Advanced Configuration
Increase http_buffers_size from 4096 bytes to 65500 bytes
-
HTTP connection buffer (slide 43: screenshot only)
-
Questions?
-
Tobias Lachmann
http://blog.lachmann.org
Still got a question?