2010 CPUG CON, Tobias Lachmann: Best practices for the Check Point UTM-1 appliances

Posted on 01-Jun-2018


TRANSCRIPT

  • 8/9/2019 2010 CPUG CON Tobias Lachmann Best Practices for the Check Point UTM 1 Appliances

    1/45

    Best practices for the Check Point UTM-1 appliances

    2/45

    Agenda

    Installation
    User administration
    System administration
    System performance

    3/45

    Management HA

    The UTM-1 appliances come with the NPM blade and the ability to manage 2 gateways (model 272 and higher).

    Set up Management on both machines during install to get Management High Availability (available since NGX R65 with Messaging Security).

    4/45 to 10/45

    Management HA (slides 4 to 10 are screenshots of the Management HA setup; no text)

    11/45

    Disc space

    SecurePlatform on the UTM-1 appliances uses the Logical Volume Manager (LVM).

    12/45

    Disc space (screenshot; no text)

    13/45

    Disc space

    Volume group vg_splat with different logical volumes:

    [Expert@firewallr70]# lvs
      LV         VG       Attr   LSize
      lv_current vg_splat -wi-ao 10.00G
      lv_fcd     vg_splat -wi-a-  4.00G
      lv_fcd65   vg_splat -wi-a-  4.00G
      lv_hfa     vg_splat -wi-a-  8.00G
      lv_log     vg_splat -wi-ao 60.00G
      lv_upgrade vg_splat -wi-a-  8.00G

    14/45

    Disc space

    The logical volumes don't have the right size for all needs. This becomes a problem during in-place upgrades, where the old packages are left on the disk.

    15/45

    Disc space

    [Expert@firewallr65]# df -h
    Filesystem                        Size  Used Avail Use% Mounted on
    /dev/mapper/vg_splat-lv_current   5.0G  1.7G  3.0G  36% /
    none                              5.0G  1.7G  3.0G  36% /dev/pts
    /dev/hda1                         145M   13M  125M  10% /boot
    none                              502M     0  502M   0% /dev/shm
    /dev/mapper/vg_splat-lv_log       9.9G   33M  9.4G   1% /var/log

    [Expert@firewallr70]# df -h
    Filesystem                        Size  Used Avail Use% Mounted on
    /dev/mapper/vg_splat-lv_current   7.9G  2.2G  5.4G  29% /
    /dev/hda1                         145M   20M  117M  15% /boot
    /dev/mapper/vg_splat-lv_log        60G  182M   56G   1% /var/log

    16/45

    Disc space

    Logical volumes can be extended using lvresize and resize2fs.

    lvresize can be run at any time.

    Linux kernel 2.4 requires offline resizing of the filesystem, i.e. the volume must not be mounted.

    Linux kernel 2.6 supports online resizing (growing only) of a mounted filesystem.

    17/45

    Disc space

    First we need to figure out how much space is left:

    [Expert@firewallr70]# pvs
      PV        VG       Fmt  Attr PSize   PFree
      /dev/hda2 vg_splat lvm2 a-   157.82G 52.82G

    18/45

    Disc space

    How much space is assigned to the logical volumes?

    [Expert@firewallr70]# lvs
      LV         VG       Attr   LSize
      lv_current vg_splat -wi-ao 10.00G
      lv_fcd     vg_splat -wi-a-  4.00G
      lv_fcd65   vg_splat -wi-a-  4.00G
      lv_hfa     vg_splat -wi-a-  8.00G
      lv_log     vg_splat -wi-ao 60.00G
      lv_upgrade vg_splat -wi-a-  8.00G

    19/45

    Disc space

    Resize the logical volume:

    [Expert@firewallr70]# lvresize -L 70G vg_splat/lv_log
      Extending logical volume lv_log to 70.00 GB
      Logical volume lv_log successfully resized

    20/45

    Disc space

    Resize the filesystem:

    [Expert@firewallr70]# resize2fs /dev/vg_splat/lv_log
    resize2fs 1.39 (29-May-2006)
    Filesystem at /dev/vg_splat/lv_log is mounted on /var/log; on-line resizing required
    Performing an on-line resize of /dev/vg_splat/lv_log to 18612224 (4k) blocks.
    The filesystem on /dev/vg_splat/lv_log is now 18612224 blocks long.

    21/45

    Disc space

    The online resize can also fail:

    resize2fs: Operation not permitted
    While trying to add group #128

    The way out: check the journal size, remove the journal and create it again (tune2fs picks a larger default journal size for the grown filesystem), then run resize2fs again. Note that tune2fs only removes the journal from a filesystem that is unmounted or mounted read-only.

    [Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
    Journal size: 32M
    [Expert@firewall]# tune2fs -O ^has_journal /dev/vg_splat/lv_log
    [Expert@firewall]# tune2fs -j /dev/vg_splat/lv_log
    Creating journal inode: done
    [Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
    Journal size: 128M

    22/45

    Disc space

    Resize filesystem (NGX R65)

    Boot into maintenance mode.
    Unmount before resizing.
    For resizing lv_current you have to boot from an alternative device (http://blog.lachmann.org/modified_GRML2010.04.iso).
    Detailed instructions can be found here: http://blog.lachmann.org/2010/06/update-to-r71-enlarging-utm-1-appliance-root-partitions/

    23/45

    Disc space

    Resize filesystem (NGX R65), the alternative:

    Delete tmp files, AV/URLF databases etc.
    Upgrade to R70
    Immediately do online resizing
    Start using your firewall
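The resize procedure of slides 16 to 21 as one script. This is an added example written for this page, not the author's script and not Check Point code. It assumes LVM2 (pvs, lvs, lvresize) and e2fsprogs (resize2fs, tune2fs) as found on SecurePlatform, VG and LV names without hyphens (so the device-mapper name is vg-lv), and root in Expert mode; the pvs and lvs samples in the demo are constructed from the slides' output. It adds what the slides leave to the operator: checking that the volume group actually has the free space before lvresize, refusing an online resize on a 2.4 kernel, and running the journal recreation from slide 21 only on an unmounted filesystem, since tune2fs will not drop the journal of a mounted one.

```shell
#!/bin/sh
# Added example (not from the slides): grow a SecurePlatform logical volume and
# the ext3 filesystem on it, with the checks the slides leave implicit.
# Assumptions: LVM2 and e2fsprogs on the PATH, VG/LV names without hyphens,
# run as root from Expert mode.

# Free space in a volume group, in GiB, parsed from the output of
#   pvs --noheadings --units g -o vg_name,pv_free
# The command output is passed in as a string so the parser can be exercised
# on a constructed sample without LVM present.
vg_free_gb() {
    printf '%s\n' "$1" | awk -v vg="$2" '
        $1 == vg { sub(/[gG]$/, "", $2); sum += $2 }
        END      { printf "%.2f\n", sum }'
}

# Current size of one logical volume, in GiB, parsed from the output of
#   lvs --noheadings --units g -o lv_name,lv_size <vg>
lv_size_gb() {
    printf '%s\n' "$1" | awk -v lv="$2" '
        $1 == lv { sub(/[gG]$/, "", $2); print $2; exit }'
}

# Does growing a volume from $1 to $2 GiB fit into $3 GiB of free space?
# Prints "ok" and returns 0, or prints the reason and returns 1.
check_growth() {
    awk -v c="$1" -v t="$2" -v f="$3" 'BEGIN {
        if (t + 0 <= c + 0) { print "target " t "G is not larger than current " c "G"; exit 1 }
        if (t - c > f + 0)  { print "need " (t - c) "G but only " f "G free in VG"; exit 1 }
        print "ok"
    }'
}

is_mounted() { grep -q "^/dev/mapper/$1-$2 " /proc/mounts; }

# The procedure itself. The slides' case is: grow_lv vg_splat lv_log 70
grow_lv() {
    vg=$1; lv=$2; target=$3; dev="/dev/$vg/$lv"
    free=$(vg_free_gb "$(pvs --noheadings --units g -o vg_name,pv_free)" "$vg")
    cur=$(lv_size_gb "$(lvs --noheadings --units g -o lv_name,lv_size "$vg")" "$lv")
    [ -n "$cur" ] || { echo "no LV $lv in $vg" >&2; return 1; }
    check_growth "$cur" "$target" "$free" || return 1
    # A 2.4 kernel (NGX R65) cannot grow a mounted ext3 filesystem (slide 16).
    case "$(uname -r)" in
        2.4.*) if is_mounted "$vg" "$lv"; then
                   echo "2.4 kernel: unmount $dev (maintenance mode) before resizing" >&2
                   return 1
               fi ;;
    esac
    lvresize -L "${target}G" "$vg/$lv" || return 1
    resize2fs "$dev" && return 0
    # Slide 21's recovery for "Operation not permitted while trying to add group":
    # drop the journal and let tune2fs create one sized for the grown filesystem,
    # then resize again. This only works on an unmounted filesystem.
    if is_mounted "$vg" "$lv"; then
        echo "resize2fs failed; unmount $dev and run:" >&2
        echo "  tune2fs -O ^has_journal $dev && tune2fs -j $dev && resize2fs $dev" >&2
        return 1
    fi
    tune2fs -O ^has_journal "$dev" && tune2fs -j "$dev" && resize2fs "$dev"
}

# Constructed samples in the format of the slides' pvs and lvs output.
SAMPLE_PVS='  vg_splat 52.82g'
SAMPLE_LVS='  lv_current 10.00g
  lv_log     60.00g'

demo() {
    free=$(vg_free_gb "$SAMPLE_PVS" vg_splat)
    cur=$(lv_size_gb "$SAMPLE_LVS" lv_log)
    echo "lv_log is ${cur}G, VG has ${free}G free"
    echo "grow to 70G:  $(check_growth "$cur" 70 "$free")"
    echo "grow to 120G: $(check_growth "$cur" 120 "$free")"
}

case "$#" in
    0) ;;                                        # bare run: only define functions
    3) grow_lv "$@" ;;                           # sh grow_lv.sh vg_splat lv_log 70
    *) if [ "$1" = demo ]; then demo; fi ;;      # sh grow_lv.sh demo
esac
```

Run it as `sh grow_lv.sh vg_splat lv_log 70` for the slides' example; `sh grow_lv.sh demo` only runs the checks against the constructed samples.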

    24/45

    Disc space

    Do you really need the old factory default images?

    NGX R62 on NGX R65 appliances
    NGX R65 on R70 appliances

    25/45

    (screenshot; no text)

    26/45

    Disc space

    Modify /boot/grub/grub.conf: delete the section referring to R65

    title Reset to factory defaults - NGX_(R65)
        confirm This will erase the entire configuration. Do you wish to continue [no]:
        root (hd0,0)
        kernel /fcd65/vmlinuz ro root=/dev/mapper/vg_splat-lv_fcd65 console=CURRENT restore fcd65 single
        initrd /fcd65/initrd

    Delete the boot files in /boot/fcd65

    27/45

    LCD display

    http://www.cpug.org/forums/check-point-utm-1-appliances/10248-modifying-utm-1-lcd-display.html

    Script provided by board member "banduraj"

    28/45

    Changing the shell

    [Expert@firewallr70]# chsh -s /bin/bash admin
    Changing shell for admin.
    Shell changed.
    [Expert@firewallr70]# cat /etc/passwd | grep admin
    admin:x:0:0::/home/admin:/bin/bash

    [Expert@firewallr70]# chsh -s /bin/cpshell admin
    Changing shell for admin.
    Shell changed.
    [Expert@firewallr70]# cat /etc/passwd | grep admin
    admin:x:0:0::/home/admin:/bin/cpshell

    Note the uid 0 in the passwd entry: with /bin/bash as login shell, admin lands in a root shell right at login instead of the restricted cpshell.

    29/45

    Shell Timeout (cpshell)

    [Expert@firewallr70]# timed out waiting for input: auto-logout
    [firewallr70]# idle
    10 minutes
    [firewallr70]# idle 999
    [firewallr70]# idle
    999 minutes

    30/45

    Shell Timeout (bash)

    [Expert@firewallr70]# unset TMOUT

    [Expert@firewallr70]# cat .bash_profile
    # .bash_profile

    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi

    # User specific environment and startup programs
    PATH=$PATH:$HOME/bin
    export PATH
    unset USERNAME
    unset TMOUT

    TMOUT is bash's idle timeout in seconds. Unsetting it in .bash_profile switches the auto-logout off for every Expert session of that user, so a session left open on an unattended console or SSH client stays open.
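The reverse of the slide's `unset TMOUT`, as an added example (not from the slides, not Check Point code): a function that pins a finite idle timeout in a bash profile and marks it readonly, so that a later interactive `unset TMOUT` fails instead of silently disabling the auto-logout. It assumes the profile is the one bash reads at login (~/.bash_profile on the slide) and that lines of the form `TMOUT=...`, `export TMOUT`, `readonly TMOUT` and `unset TMOUT` are the only ones that touch the variable; the sample profile in the demo is constructed from the slide's listing.

```shell
#!/bin/sh
# Added example (not from the slides): pin bash's idle timeout in a profile.
# Assumption: the profile is read by bash at login; TMOUT is its idle timeout
# in seconds, and 0 or unset means "never log out".

# Rewrite a profile in place: drop every existing TMOUT=, export TMOUT,
# readonly TMOUT and unset TMOUT line, then append a readonly, exported
# TMOUT. $1 = profile path, $2 = timeout in seconds (positive integer).
pin_idle_timeout() {
    profile=$1; secs=$2
    case "$secs" in ''|*[!0-9]*) echo "seconds must be a positive integer" >&2; return 1 ;; esac
    [ "$secs" -gt 0 ] || { echo "seconds must be a positive integer" >&2; return 1; }
    [ -f "$profile" ] || : > "$profile"
    scratch="$profile.tmp.$$"
    grep -v -E '^[[:space:]]*(export[[:space:]]+)?TMOUT=|^[[:space:]]*(unset|readonly|export)[[:space:]]+TMOUT[[:space:]]*$' \
        "$profile" > "$scratch" || :
    {
        cat "$scratch"
        # readonly: an interactive "unset TMOUT" is refused by bash afterwards
        printf '%s\n' "TMOUT=$secs" "readonly TMOUT" "export TMOUT"
    } > "$profile"
    rm -f "$scratch"
}

# Effective timeout a profile leaves behind: the last TMOUT= value, or 0 when
# the file unsets it afterwards or never sets it.
profile_timeout() {
    awk '
        /^[[:space:]]*(export[[:space:]]+)?TMOUT=/ { sub(/.*TMOUT=/, ""); v = $1 + 0 }
        /^[[:space:]]*unset[[:space:]]+TMOUT/      { v = 0 }
        END { print v + 0 }' "$1"
}

# Demo on a constructed copy of the slide's .bash_profile: sh tmout.sh demo
if [ "${1:-}" = demo ]; then
    prof=$(mktemp)
    printf '%s\n' '# .bash_profile' 'PATH=$PATH:$HOME/bin' 'export PATH' 'unset USERNAME' 'unset TMOUT' > "$prof"
    echo "before: TMOUT=$(profile_timeout "$prof")"
    pin_idle_timeout "$prof" 900
    echo "after:  TMOUT=$(profile_timeout "$prof")"
    cat "$prof"
    rm -f "$prof"
fi
```

A value like 900 keeps the slide's convenience (no logout while you are typing) without the open-ended session; the readonly attribute is what distinguishes it from simply re-adding the line, since the slide's `unset TMOUT` no longer works once the variable is readonly.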

    31/45

    SCP

    Create a user
    Change its shell to bash
    Create /etc/scpusers
    Add the user to the file

    [Expert@firewallr70]# cat /etc/scpusers
    admin

    32/45

    NTP and timezone

    Configure the NTP server in the WebUI.

    There you are only allowed to specify a GMT offset; Daylight Saving Time (DST) is not considered.

    Use sysconfig to configure the timezone and get the correct time.

    33/45

    Log file maintenance

    [Expert@fw1]# cat /usr/bin/del_logs.sh
    #!/bin/bash
    /usr/bin/find /var/log/opt/CPsuite-R71/fw1/*.log* -ctime +217 -print -exec rm -f {} \;

    The number after -ctime is the amount of days of logs to keep: find selects the files whose status changed more than 217 days ago and deletes them.

    [Expert@fw1]# crontab -l
    42 11 * * * /usr/bin/del_logs.sh

    34/45

    Backup file maintenance

    [Expert@firewallr70]# cat /usr/bin/del_backup.sh
    #!/bin/bash
    /usr/bin/find /var/CPbackup/backups/*.tgz -ctime +7 -print -exec rm -f {} \;

    The number after -ctime is the amount of days of backups to keep.
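One purge function behind both cron jobs of slides 33 and 34, added here as an example rather than taken from the slides. Two things differ from the slides' one-liners. The glob `/var/log/.../*.log*` is expanded by the shell before find runs, which fails with "Argument list too long" once a busy gateway has enough rotated logs; letting find match the names avoids that (`-maxdepth 1` keeps the slides' behaviour of only looking at the top directory and is a GNU find option, as on SecurePlatform). And it selects on `-mtime`, when the file's contents last changed, rather than `-ctime`, which is bumped by a chown, chmod or a restore from backup as well. The directories and day counts are the slides'; the files in the demo and test are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): age-based purge used for both the
# Check Point log directory and the backup directory, with a dry run.
# Assumption: GNU find (for -maxdepth), as on SecurePlatform.

# List (dry run) or delete regular files directly in $1 whose name matches
# pattern $2 and whose contents were last modified more than $3 days ago.
# $4 = "delete" to actually remove them; anything else only prints.
purge_older_than() {
    dir=$1; pattern=$2; days=$3; mode=${4:-dry-run}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    case "$days" in ''|*[!0-9]*) echo "days must be an integer: $days" >&2; return 1 ;; esac
    if [ "$mode" = delete ]; then
        find "$dir" -maxdepth 1 -type f -name "$pattern" -mtime +"$days" -print -exec rm -f {} \;
    else
        find "$dir" -maxdepth 1 -type f -name "$pattern" -mtime +"$days" -print
    fi
}

# Number of files a purge would remove; a sanity check before cron runs it.
purge_candidates() {
    purge_older_than "$1" "$2" "$3" | wc -l | awk '{ print $1 }'
}

# What the two cron jobs from the slides become (run from one script at 11:42):
#   purge_older_than /var/log/opt/CPsuite-R71/fw1 '*.log*' 217 delete
#   purge_older_than /var/CPbackup/backups      '*.tgz'  7   delete

# Demo on constructed files: sh purge.sh demo
demo() {
    d=$(mktemp -d)
    : > "$d/2010-01-01_000000.log";    touch -t 201001010000 "$d/2010-01-01_000000.log"     # old log
    : > "$d/2010-01-01_000000.logptr"; touch -t 201001010000 "$d/2010-01-01_000000.logptr"  # old pointer file
    : > "$d/fw.log"                                                                          # current log
    : > "$d/notes.txt";                touch -t 201001010000 "$d/notes.txt"                  # old, not a log
    echo "would delete $(purge_candidates "$d" '*.log*' 217) of $(ls "$d" | wc -l | awk '{ print $1 }') files:"
    purge_older_than "$d" '*.log*' 217
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the dry run first from cron's environment (`sh purge.sh demo`, then the real directories without `delete`) and compare the count against what you expect before switching the mode to `delete`.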

    35/45

    Delete all ARP entries

    #!/bin/bash
    # Delete every entry in the ARP cache. The first column of /proc/net/arp is
    # the IP address; the header line does not match the dotted-quad pattern
    # and is skipped. (The original pattern [0-9{1,3}] put the repetition
    # braces inside the bracket expression, so it matched any line containing
    # a digit or a dot.)
    for arpentry in `awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' /proc/net/arp`
    do
        arp -d $arpentry
    done

    36/45

    R71

    Quote from the R71 release notes:

    UTM-1 appliances provide enhanced Firewall & IPS performance featuring patented SecureXL technology available at no extra cost:
    Up to 4 times Firewall Throughput improvement.
    Up to 3 times IPS Throughput improvement.
    Up to 4 times connection/sec rate improvement.

    37/45

    R71

    Performance improvement with R71 (official numbers)

    UTM-1 450: Intel Celeron M 1.5 GHz, 1 GB RAM, 80 GB ATA HDD
    Firewall throughput (R65): 400 Mbps; VPN throughput (R65): 200 Mbps

    UTM-1 570: Intel Celeron M 1.5 GHz, 1 GB RAM, 160 GB ATA HDD
    Firewall throughput: 2.5 Gbps; VPN throughput: 300 Mbps; IPS throughput: 1.7 Gbps

    38/45

    Antivirus

    Quote from the R71 release notes:

    New Streaming architecture available with Anti-Virus & URL Filtering Software Blades provides performance boost for UTM features:
    Up to 15 times Anti-Virus Throughput improvement.
    Up to 80 times Anti-Virus & URL Filtering connection capacity improvement.

    39/45

    Antivirus

    My tests with a UTM-1 270 appliance and R71 showed 100% more throughput with Antivirus scanning using Stream Detection mode than with NGX R65 and Messaging Security.

    40/45

    Antivirus (screenshot; no text)

    41/45

    HTTP connection buffer

    sk36090 describes an error where internet browsing becomes slow until internet connectivity fails.

    Problem: the HTTP buffer size is too low.

    Solution: increase the buffer.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk36090

    42/45

    HTTP connection buffer

    Go to Policy -> Global Properties -> SmartDashboard Customization, click Advanced Configuration and increase http_buffers_size from 4096 bytes to 65500 bytes.

    43/45

    HTTP connection buffer (screenshot; no text)

    44/45

    Questions?


    45/45

    Tobias Lachmann

    [email protected]

    http://blog.lachmann.org

    Still got a question?