Tuesday, 13 February 2018

Checkpoint Firewall - SmartView Monitor (Firewall Troubleshooting)



SmartView Monitor is included free with all SmartCenter Pro licenses. With this product you can receive up-to-the-minute information about your firewalls and networks due to status alerts, security threat alerts, and defense capabilities monitored and reported in SmartView. In addition, SmartView Monitor can assist in long-term decision making and policy planning due to data mining, trending, and detailed analytical tools included in SmartView.

To view real-time monitor data from your FP3 SmartCenter, you will need to install SmartView Monitor on your firewall modules, check the box labeled SmartView Monitor in the Check Point products list for the relevant Check Point objects defined through SmartDashboard, and then install the security policy. You will also require an additional license for monitoring and reporting per module if you are not running a SmartCenter Pro. SmartView Monitor (a.k.a. Real-Time Monitoring) is very useful for environments where troubleshooting through the firewall is common, and it can be used in lieu of other monitoring software, thereby saving money.

Log in to the SmartView Monitor from the SMART Clients menu, and you will be presented with a screen similar to the one shown in Figure 1. In this screen, you will need to select the type of session you wish to start. You can select only one firewall or interface to monitor at a time. You are also able to record a session and play it back later.

Figure 1 Session Type


The other tabs listed will depend on your selections on the Session Type tab. If you choose Real-Time for the Session Mode, you will be able to monitor Check Point System Counters, Traffic, or a Virtual Link. From the Settings tab, you can control the monitor rate, which is set to 2 seconds by default, and you can choose between a line or bar graph. You may also have the option to choose the type of measurement (Data Transfer Rate, Packets per Second, Line Utilization (%), Percent, or Milliseconds) and to set the scale for the graphs that you are viewing. These choices are shown in Figure 2.

Figure 2 - Session Properties Settings

Monitoring Check Point System Counters
Check Point System Counters allow you to monitor and report on system resources and other statistics for your enforcement points. Figure 3 shows a monitoring session on a cluster that measures the size of the connection table in FireWall-1. This data can be very valuable for analyzing the traffic at your site. You could possibly identify a problem if you see the connections reaching the maximum of 25,000 at any time, which will give you the opportunity to increase that value to better fit the needs of your connection.

There are a number of counter categories for you to choose from in the Counters tab in your SmartView Monitor properties window. Choose Basic: FireWall-1 from the pull-down menu to monitor the number of active connections as shown in Figure 3. You could also choose to monitor dropped, rejected, and/or accepted packets, memory and CPU, encryption parameters, security servers, and FloodGate-1 traffic. You don't have to choose just one setting to monitor either; you can select as many counters as you wish and each one will be displayed on the same graph with a different line color. Don't get too carried away though, or you won't be able to read the output.
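
The same connection-table check can be scripted on the gateway's command line from the summary that `fw tab -t connections -s` prints. This is an added example, not part of the original post: the function names, the 80% warning threshold and the sample output (constructed, with the column layout assumed to be HOST NAME ID #VALS #PEAK #SLINKS) are assumptions, and the 25,000 limit is the maximum quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: connection-table headroom check.
# On a gateway the input would come from:  fw tab -t connections -s
CONN_LIMIT=25000   # maximum quoted in the text above
WARN_PCT=80        # assumed warning threshold (percent of the limit)

# Constructed sample of the summary output (values invented for illustration;
# column layout assumed: HOST NAME ID #VALS #PEAK #SLINKS).
sample_fw_tab() {
    cat <<'EOF'
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  1843 21012   5410
EOF
}

# Reads the summary on stdin; prints "<STATUS> vals=N peak=N limit=N".
# Optional args: $1 = limit, $2 = warning percentage.
conn_headroom() {
    awk -v limit="${1:-$CONN_LIMIT}" -v warn="${2:-$WARN_PCT}" '
        $2 == "connections" && $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ {
            vals = $4 + 0; peak = $5 + 0; found = 1
        }
        END {
            limit += 0; warn += 0
            if (!found) {
                print "UNKNOWN no connections row"
            } else {
                status = "OK"
                # The peak shows whether the table came close to full
                # between checks, even if the current count looks low.
                if (peak * 100 >= limit * warn) status = "WARN"
                if (vals >= limit || peak >= limit) status = "CRIT"
                printf "%s vals=%d peak=%d limit=%d\n", status, vals, peak, limit
            }
        }'
}

sample_fw_tab | conn_headroom
```

On a live module, replace `sample_fw_tab` with the real command and pass a different limit as the first argument if the table size has been raised.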

Figure 3 Monitoring FireWall-1 Active Connections

Monitoring Traffic
Using the SmartView Monitor to monitor traffic is another way to view the statistics on your firewall. When choosing Session Type, select Traffic by: and then select from Services, Network Objects (IPs), QoS Rules, or Top Firewall Rules. If you take the default, Services, the Monitor by Services tab will be available in the SmartView Monitor properties window, and you can select how you would like to view services. You could again take the default of Top 10 Services, as shown in Figure 4, or you can narrow it down to a particular service that you may wish to monitor.

Monitoring by network objects is similar to monitoring by service: the default is to display the Top 10 Network Objects, or you can select specific objects that you wish to display instead. You can also choose whether you want the object monitored as the source, the destination, or both. Top Firewall Rules allows you to choose how many firewall rules you wish to monitor (10 is the default). This feature may help you to better order your rules, since you should attempt to write your policy such that the most frequently used rules are placed closest to the top of the policy for better performance. If you are running FloodGate-1, you can also monitor QoS Rules through the SmartView Monitor. The Monitor by QoS Rules tab in the Session Properties window allows you to choose the rules that you wish to display, and then you can watch how they are utilized.

Figure 4 - Monitoring Top 10 Services

Monitoring a Virtual Link
To monitor a Virtual Link, you must first define one or more Virtual Links through the SmartDashboard from the Virtual Links tab in the Objects Tree. You will need to give the link a name and specify two firewall modules as end points. End point A must be an internal FireWall-1 module, and end point B may be either internal or external. If you wish to monitor the link between these modules, you must check the box to Activate Virtual Link. You can also define SLA parameters from the Virtual Link Properties window in the SmartDashboard to ensure that the SLA is being met.

Note
Check Point uses the Check Point End-to-End Control Protocol (E2ECP) service to monitor the link between gateways in a Virtual Link configuration. You may need a rule to allow the communication for this protocol on both end points. E2ECP uses UDP port 18241.
Once you have selected the Virtual Link you wish to monitor in the Session Properties window in SmartView Monitor, select the Virtual Link Monitoring tab to choose the type of graph you wish to have displayed. You can choose to view Bandwidth or Bandwidth Loss from point A to B, B to A, or both directions (as shown in Figure 5), or you can choose Round Trip Time to monitor the total time it takes for a packet to travel round trip between the gateways.

Next you will need to select data type: either Application Data or Wire Data. Application Data is monitored as the application would see it in an unencrypted and uncompressed form. Wire Data on the other hand analyzes all data on the wire in its encrypted and compressed form. This method should be selected to compare SLA Guarantees, for example.

Figure 5 - Monitoring a Virtual Link

Running History Reports
You can use the SmartView Monitor to generate history reports by selecting History Report as the Session Type. As opposed to Real-Time Monitoring, the History Report will show you static data over the last hour, day, week, and month or since the time of installation. You can run reports on Check Point counters (see Figure 6 for a monthly report on FireWall-1 connections) or traffic; however, your choices are somewhat limited compared with the options you had in Real-Time mode. For traffic, your only options for reports are:
Service (bytes per second)
Top Destinations (bytes per second)
Top Sources (bytes per second)
Top FireWall-1 Rules (bytes per second)
Top Services (bytes per second)

Figure 6 Reporting on FireWall-1 Active Connections
