Watch Video - https://youtu.be/mcSjKRN6WFE
SmartView Monitor is included free with all SmartCenter Pro licenses. With this product you can receive up-to-the-minute information about your firewalls and networks through the status alerts, security threat alerts, and defense capabilities monitored and reported in SmartView. In addition, SmartView Monitor can assist in long-term decision making and policy planning through the data mining, trending, and detailed analytical tools included in SmartView.
To view real-time monitor data from your FP3 SmartCenter, you will need to install the SmartView Monitor on your firewall modules, and check the box labeled SmartView Monitor in the Check Point products list for the relevant Check Point objects defined through SmartDashboard, and then install the security policy. You will also require an additional license for monitoring and reporting per module if you are not running a SmartCenter Pro. SmartView Monitor (a.k.a. Real-Time Monitoring) is very useful for environments where troubleshooting through the firewall is common, and SmartView Monitor can be used in lieu of other monitoring software, thereby saving money.
Log in to the SmartView Monitor from the SMART Clients menu, and you will be presented with a screen similar to the one shown in Figure 1. In this screen, you will need to select the type of session you wish to start. You can select only one firewall or interface to monitor at a time. You are also able to record a session and play it back later.
Figure 1 Session Type
The other tabs listed will depend on your selections on the Session Type tab. If you choose Real-Time for the Session Mode, you will be able to monitor Check Point System Counters, Traffic, or a Virtual Link. From the Settings tab, you can control the monitor rate, which is set to 2 seconds by default, and you can choose between a line or bar graph. You may also have the option to choose the type of measurement by Data Transfer Rate, Packets per Second, Line Utilization (%), Percent, or Milliseconds, and to set the scale for the graphs that you are viewing. These choices are shown in Figure 2.
Figure 2 - Session Properties Settings
Monitoring Check Point System Counters
Check Point System Counters allow you to monitor and report on system resources and other statistics for your enforcement points. Figure 3 shows a monitoring session on a cluster that measures the size of the connection table in FireWall-1. This data can be very valuable for analyzing the traffic at your site. You could possibly identify a problem if you see the connections reaching the maximum of 25,000 at any time, which will give you the opportunity to increase that value to better fit the needs of your connection.
There are a number of counter categories for you to choose from in the Counters tab in your SmartView Monitor properties window. Choose Basic: FireWall-1 from the pull-down menu to monitor the number of active connections as shown in Figure 3. You could also choose to monitor dropped, rejected, and/or accepted packets, memory and CPU, encryption parameters, security servers, and FloodGate-1 traffic. You don’t have to choose just one setting to monitor either; you can select as many counters as you wish and each one will be displayed on the same graph with a different line color. Don’t get too carried away though, or you won’t be able to read the output.
Figure 3 Monitoring FireWall-1 Active Connections
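The same connection-table check can be run from the gateway's command line. The function below is an added example, not part of the original text: it reads per-gateway connection counts and flags any gateway whose current or peak count nears the 25,000 maximum mentioned above. It assumes input in the column layout of `fw tab -t connections -s` (HOST NAME ID #VALS #PEAK #SLINKS); the sample rows, host names and the 80% warning threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the column layout of `fw tab -t connections -s`:
#   HOST NAME ID #VALS #PEAK #SLINKS
# Limit defaults to the 25,000 maximum from the text; 80% is an example threshold.

check_conn_table() {
    # usage: <table summary on stdin> | check_conn_table [limit] [warn_pct]
    # Prints one status line per gateway; returns 1 if any gateway needs attention.
    awk -v limit="${1:-25000}" -v warn="${2:-80}" '
        BEGIN { bad = 0 }
        $2 != "connections" { next }            # skip header and other tables
        $4 !~ /^[0-9]+$/ || $5 !~ /^[0-9]+$/ {  # refuse to guess on odd rows
            printf "%s UNPARSED\n", $1; bad = 1; next
        }
        {
            use  = $4 * 100 / limit             # current entries vs. limit
            peak = $5 * 100 / limit             # high-water mark vs. limit
            state = "OK"
            if (peak >= warn) state = "PEAK_WARN"            # was close in the past
            if (use  >= warn) state = "WARN"                 # is close right now
            if ($5 + 0 >= limit + 0) state = "LIMIT_REACHED" # table has been full
            if (state != "OK") bad = 1
            printf "%s vals=%d peak=%d use=%d%% peak_use=%d%% %s\n",
                   $1, $4, $5, use, peak, state
        }
        END { exit bad }
    '
}

# Constructed sample for a two-member cluster (not real output).
sample_fw_tab() {
    cat <<'EOF'
HOST                  NAME                               ID #VALS #PEAK #SLINKS
fw-a                  connections                      8158  4200 11873    8400
fw-b                  connections                      8158 21000 25000   42000
EOF
}

# On a gateway: fw tab -t connections -s | check_conn_table
sample_fw_tab | check_conn_table || echo "connection table needs attention"
```

A peak at the limit matters even when the current count is low: it means the table filled at some point between looks, which a 2-second real-time graph only shows if someone was watching.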
Monitoring Traffic
Using the SmartView Monitor to monitor traffic is another way to view the statistics on your firewall. When choosing Session Type, select Traffic by: and then select from services, Network Objects (IPs), QoS Rules, or Top Firewall Rules. If you take the default, services, the Monitor by Services tab will be available in the SmartView Monitor properties window, and you can select the method by which you would like to view services. You could again take the default of Top 10 Services, as shown in Figure 4, or you can narrow it down to a particular service that you may wish to monitor.
Monitoring by network objects is similar to monitoring by service; the default is to display the Top 10 Network Objects, or you can select specific objects that you wish to display instead. You can also choose whether you want the object monitored in the source, destination, or both. Top Firewall Rules allows you to choose how many (10 is the default) firewall rules you wish to monitor. This feature may help you to better order your rules, since you should attempt to write your policy such that the most frequently used rules are placed closest to the top of the policy for better performance. If you are running FloodGate-1, you can also monitor QoS Rules through the SmartView Monitor. The Monitor by QoS Rules tab in the Session Properties window allows you to choose the rules that you wish to display, and then you can watch how they are utilized.
Figure 4 - Monitoring Top 10 Services
Monitoring a Virtual Link
To monitor a Virtual Link, you must first define one or more Virtual Links through the SmartDashboard from the Virtual Links tab in the Objects Tree. You will need to give the link a name and specify two firewall modules as end points. End point A must be an internal FireWall-1 module, and end point B may be either internal or external. If you wish to monitor the link between these modules, you must check the box to Activate Virtual Link. You can also define SLA parameters from the Virtual Link Properties window in the SmartDashboard to ensure that the SLA is being met.
Note
Check Point uses the Check Point End-to-End Control Protocol (E2ECP) service to monitor the link between gateways in a Virtual Link configuration. You may need a rule to allow the communication for this protocol on both end points. E2ECP uses UDP port 18241.
Once you have selected the Virtual Link you wish to monitor in the Session Properties window in SmartView Monitor, select the Virtual Link Monitoring tab to choose the type of graph you wish to have displayed. You can choose to view Bandwidth or Bandwidth Loss from point A to B, B to A, or both directions (as shown in Figure 5), or you can choose Round Trip Time to monitor the total time it takes for a packet to travel round trip between the gateways.
Next you will need to select the data type: either Application Data or Wire Data. Application Data is monitored as the application would see it, in an unencrypted and uncompressed form. Wire Data, on the other hand, analyzes all data on the wire in its encrypted and compressed form. This method should be selected to compare SLA Guarantees, for example.
Figure 5 - Monitoring a Virtual Link
Running History Reports
You can use the SmartView Monitor to generate history reports by selecting History Report as the Session Type. As opposed to Real-Time Monitoring, the History report will show you static data over the last hour, day, week, and month or since the time of installation. You can run reports on Check Point counters (see Figure 6 for a monthly report on FireWall-1 connections) or traffic; however, your choices are somewhat limited compared with the options you had in the Real-Time mode. For traffic, your only options for reports are:
■ Service (bytes per second)
■ Top Destinations (bytes per second)
■ Top Sources (bytes per second)
■ Top FireWall-1 Rules (bytes per second)
■ Top Services (bytes per second)
Figure 6 Reporting on FireWall-1 Active Connections