
Best practices for the Check Point UTM-1 appliances

Agenda
- Installation
- User administration
- System administration
- System performance

Management HA
- The UTM-1 appliances come with the NPM blade and the ability to manage 2 gateways (model 272 and higher)
- Set up Management on both machines during install to get Management High Availability (available since NGX R65 w/ MS)


Disc space
- The Secure Platform on the UTM-1 appliances uses the Logical Volume Manager (LVM)

Disc space
- Volume group vg_splat with different logical volumes

[Expert@firewallr70]# lvs
  LV         VG       Attr   LSize
  lv_current vg_splat -wi-ao 10.00G
  lv_fcd     vg_splat -wi-a-  4.00G
  lv_fcd65   vg_splat -wi-a-  4.00G
  lv_hfa     vg_splat -wi-a-  8.00G
  lv_log     vg_splat -wi-ao 60.00G
  lv_upgrade vg_splat -wi-a-  8.00G

Disc space
- Logical volumes don't have the right size for all needs; this can be a problem while doing in-place upgrades, where old packages are left on the disc.

Disc space

[Expert@firewallr65]# df -h
Filesystem                      Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current 5.0G  1.7G  3.0G  36% /
none                            5.0G  1.7G  3.0G  36% /dev/pts
/dev/hda1                       145M   13M  125M  10% /boot
none                            502M     0  502M   0% /dev/shm
/dev/mapper/vg_splat-lv_log     9.9G   33M  9.4G   1% /var/log

[Expert@firewallr70]# df -h
Filesystem                      Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current 7.9G  2.2G  5.4G  29% /
/dev/hda1                       145M   20M  117M  15% /boot
/dev/mapper/vg_splat-lv_log      60G  182M   56G   1% /var/log

Disc space
- Logical volumes can be extended using lvresize and resize2fs
- lvresize can be run any time
- Linux kernel 2.4 requires offline resizing of the filesystem, i.e. volumes are not mounted
- Linux kernel 2.6 has online resizing (=increasing) of the filesystem

Disc space
- First we need to figure out how much space is left

[Expert@firewallr70]# pvs
  PV        VG       Fmt  Attr PSize   PFree
  /dev/hda2 vg_splat lvm2 a-   157.82G 52.82G

Disc space
- How much space is assigned to the logical volumes?

[Expert@firewallr70]# lvs
  LV         VG       Attr   LSize
  lv_current vg_splat -wi-ao 10.00G
  lv_fcd     vg_splat -wi-a-  4.00G
  lv_fcd65   vg_splat -wi-a-  4.00G
  lv_hfa     vg_splat -wi-a-  8.00G
  lv_log     vg_splat -wi-ao 60.00G
  lv_upgrade vg_splat -wi-a-  8.00G

Disc space
- Resize logical volume

[Expert@firewallr70]# lvresize -L 70G vg_splat/lv_log
  Extending logical volume lv_log to 70.00 GB
  Logical volume lv_log successfully resized

Disc space
- Resize filesystem

[Expert@firewallr70]# resize2fs /dev/vg_splat/lv_log
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/vg_splat/lv_log is mounted on /var/log; on-line resizing required
Performing an on-line resize of /dev/vg_splat/lv_log to 18612224 (4k) blocks.
The filesystem on /dev/vg_splat/lv_log is now 18612224 blocks long.
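As an added example that is not part of the original slides, a small shell wrapper around the pvs / lvs / lvresize / resize2fs steps above: it parses the free space of the volume group and the current size of the logical volume and refuses to extend beyond what is free. The names vg_splat and lv_log come from the slides; the function names, the DRY_RUN variable and the constructed sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original slides: a guarded wrapper around the
# pvs / lvs / lvresize / resize2fs sequence. Assumptions: sizes in whole GB,
# an ext3 filesystem that can be grown online (kernel 2.6, i.e. R70 or later),
# and DRY_RUN=1 (the default) only printing the commands instead of running them.

: "${DRY_RUN:=1}"

# Print the free space of volume group $1 in whole GB (floored), parsed from
# $2, the text of "pvs --noheadings -o vg_name,pv_free --units g".
vg_free_gb() {
    printf '%s\n' "$2" | awk -v vg="$1" '
        $1 == vg { sub(/[gG]$/, "", $2); free += $2 }
        END { printf "%d\n", free }'
}

# Print the size of logical volume $1 in whole GB, parsed from $2, the text of
# "lvs --noheadings -o lv_name,lv_size --units g VG". Fails if the LV is absent.
lv_size_gb() {
    printf '%s\n' "$2" | awk -v lv="$1" '
        $1 == lv { sub(/[gG]$/, "", $2); printf "%d\n", $2; found = 1 }
        END { exit !found }'
}

# Succeed only if growing from $1 GB to $2 GB is a real increase that fits
# into $3 GB of free space.
growth_fits() {
    [ "$2" -gt "$1" ] && [ $(( $2 - $1 )) -le "$3" ]
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "would run: $*"; else "$@"; fi; }

# extend_lv VG LV NEW_GB: check the numbers, then lvresize and grow the
# filesystem online. Usage as on the slides: extend_lv vg_splat lv_log 70
extend_lv() {
    pvs_out=$(pvs --noheadings -o vg_name,pv_free --units g) || return 1
    lvs_out=$(lvs --noheadings -o lv_name,lv_size --units g "$1") || return 1
    cur=$(lv_size_gb "$2" "$lvs_out") || { echo "no LV $2 in $1" >&2; return 1; }
    free=$(vg_free_gb "$1" "$pvs_out")
    growth_fits "$cur" "$3" "$free" ||
        { echo "$2: ${cur}G -> ${3}G does not fit in ${free}G free" >&2; return 1; }
    run lvresize -L "${3}G" "$1/$2" && run resize2fs "/dev/$1/$2"
}
```

Run it once with DRY_RUN=1 to see the two commands it would issue, then with DRY_RUN=0 on the appliance.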

Disc space
- resize2fs: Operation not permitted while trying to add group #128
- If the online resize fails with this error, the workaround shown here is to remove the ext3 journal and recreate it, which grows it from 32M to 128M; then run resize2fs again. Note that the has_journal feature can only be cleared while the filesystem is unmounted or mounted read-only.

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
Journal size:             32M
[Expert@firewall]# tune2fs -O ^has_journal /dev/vg_splat/lv_log
[Expert@firewall]# tune2fs -j /dev/vg_splat/lv_log
Creating journal inode: done
[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
Journal size:             128M

Disc space
- Resize filesystem (NGX R65)
  - boot into maintenance mode
  - unmount before resizing
  - for resizing lv_current you have to boot from an alternative device (http://blog.lachmann.org/modified_GRML2010.04.iso)
  - detailed instructions can be found here: http://blog.lachmann.org/2010/06/update-tor71-enlarging-utm-1-appliance-root-partitions/

Disc space
- Resize filesystem (NGX R65)
  - Delete tmp files, AV/URLF db etc.
  - Upgrade to R70
  - Immediately do online resizing
  - Start using your firewall

Disc space
- Do you really need the old factory default images?
  - NGX R62 on NGX R65 appliances
  - NGX R65 on R70 appliances

Disc space

[Expert@firewallr70]# lvs
  LV         VG       Attr   LSize
  lv_current vg_splat -wi-ao 10.00G
  lv_fcd     vg_splat -wi-a-  4.00G
  lv_fcd65   vg_splat -wi-a-  4.00G
  lv_hfa     vg_splat -wi-a-  8.00G
  lv_log     vg_splat -wi-ao 71.00G
  lv_upgrade vg_splat -wi-a-  8.00G

[Expert@firewallr70]# lvremove vg_splat/lv_fcd65
Do you really want to remove active logical volume "lv_fcd65"? [y/n]: y
  Logical volume "lv_fcd65" successfully removed

Disc space
- Modify /boot/grub/grub.conf
- Delete the section referring to R65:

title Reset to factory defaults - NGX_(R65)
    confirm This will erase the entire configuration. Do you wish to continue [no]:
    root (hd0,0)
    kernel /fcd65/vmlinuz ro root=/dev/mapper/vg_splat-lv_fcd65 console=CURRENT restore fcd65 single
    initrd /fcd65/initrd

- Delete the boot files in /boot/fcd65

LCD display

http://www.cpug.org/forums/check-point-utm-1appliances/10248-modifying-utm-1-lcd-display.html
Script provided by board member banduraj

Changing the shell

[Expert@firewallr70]# chsh -s /bin/bash admin
Changing shell for admin.
Shell changed.
[Expert@firewallr70]# cat /etc/passwd | grep admin
admin:x:0:0::/home/admin:/bin/bash

[Expert@firewallr70]# chsh -s /bin/cpshell admin
Changing shell for admin.
Shell changed.
[Expert@firewallr70]# cat /etc/passwd | grep admin
admin:x:0:0::/home/admin:/bin/cpshell

Shell Timeout (cpshell)

[Expert@firewallr70]# timed out waiting for input: auto-logout
[firewallr70]# idle
10 minutes
[firewallr70]# idle 999
[firewallr70]# idle
999 minutes

Shell Timeout (bash)

[Expert@firewallr70]# unset TMOUT
[Expert@firewallr70]# cat .bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export PATH
unset USERNAME
unset TMOUT

SCP
- create user
- change shell to bash
- create /etc/scpusers
- add user to file

[Expert@firewallr70]# cat /etc/scpusers
admin

NTP and timezone
- Configure NTP server in WebUI
- You're only allowed to specify a GMT offset
- Daylight Saving Times (DST) are not considered
- Use sysconfig to configure the timezone and have the correct time

Log file maintenance

[Expert@fw1]# cat /usr/bin/del_logs.sh
#!/bin/bash
/usr/bin/find /var/log/opt/CPsuiteR71/fw1/*.log* -ctime +217 -print -exec rm -f {} \;

The -ctime parameter is the number of days of logs to keep: files whose status changed more than that many days ago are deleted.

[Expert@fw1]# crontab -l
42 11 * * * /usr/bin/del_logs.sh

Backup file maintenance

[Expert@firewallr70]# cat /usr/bin/del_backup.sh
#!/bin/bash
/usr/bin/find /var/CPbackup/backups/*.tgz -ctime +7 -print -exec rm -f {} \;

The -ctime parameter is the number of days of backups to keep.

Delete all ARP entries

#!/bin/bash
# Flush every ARP entry whose first column in /proc/net/arp is a dotted IPv4
# address; the header line (first field "IP") does not match the pattern.
for arpentry in $(awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' /proc/net/arp)
do
    arp -d "$arpentry"
done

R71
Quote from R71 release notes:
- UTM-1 appliances provide enhanced Firewall & IPS performance featuring patented SecureXL technology available at no extra cost:
  - Up to 4 times Firewall Throughput improvement.
  - Up to 3 times IPS Throughput improvement.
  - Up to 4 times connection/sec rate improvement.

R71
Performance improvement with R71 (official numbers)

UTM-1 450
- Intel Celeron M 1.5 GHz
- 1 GB RAM
- 80 GB ATA HDD
- Firewall Throughput (R65): 400 Mbps
- VPN Throughput (R65): 200 Mbps

UTM-1 570
- Intel Celeron M 1.5 GHz
- 1 GB RAM
- 160 GB ATA HDD
- Firewall Throughput: 2.5 Gbps
- VPN Throughput: 300 Mbps
- IPS Throughput: 1.7 Gbps

Antivirus
Quote from R71 release notes:
- New Streaming architecture available with Anti-Virus & URL Filtering Software Blades provides performance boost for UTM features:
  - Up to 15 times Anti-Virus Throughput improvement.
  - Up to 80 times Anti-Virus & URL Filtering connection capacity improvement.

Antivirus
- My tests with a UTM-1 270 appliance and R71 showed 100% more throughput with Antivirus scanning using Stream Detection mode than with NGX R65 and Messaging Security

HTTP connection buffer
- sk36090 describes an error where internet browsing becomes slow until internet connectivity fails
- Problem: HTTP buffer size too low
- Solution: increase the buffer

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk36090

HTTP connection buffer
- Go to Policy -> Global Properties -> SmartDashboard Customization
- Click on Advanced Configuration
- Increase http_buffers_size from 4096 bytes to 65500 bytes

Questions?

Still got a question?

Tobias Lachmann
tobias@lachmann.org
http://blog.lachmann.org