| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [FW1] Console requirements
>Hi,
>Can any one tell me how 'big' must the console equipment be for a good
>performance of the distributed installation?
>For example we have 3 SUN 250, two for the inspections modules and the
other
>one for the console. Is that necesary?, could we have, for instance, a
Netra
>as console?
>
>The console is acting as Stonebeat Console and FW-1 Management Console.
By "console" for the FW-1 Management, I'm assuming you mean "Management
Module" and not just the GUI.
In that case,
For CPU and memory requirements for a Management Console, it depends mainly
on how much logging and policy changes will do...
If you will be running lots of scripts, etc. against the logs, you may want
to have lots of memory and CPU power to get things done quickly. This also
depends on how much logging you will be doing. Some places log a million
records into the log files daily, some just a few hundred.
If you are running reporting tools, especially if on the same box, you need
more memory and CPU power. More memory and faster CPU = happy security
admin(s).
For logs, you will need lots of diskspace. This is because the firewall
modules will send all the logs to the Management Console. In addition, I
would make sure that you make a seperate partition for the firewall logs -
or make sure that the system partition is separate {don't install everything
on the same partition}. As far as a Netra goes: since you need to make sure
you have enough disk space with the ability to do some sort of RAID for
redundancy - that could rule out a Netra T1 unless you use some sort of
network storage device.
Make sure you have some plan in place for switching logs {either hourly,
daily, weekly, monthly, etc. - depending on how much logging you will be
doing.} Smaller log files make searching for things faster and easier in the
event of security incidents or for log analysis.
Don't forget some form of backup system for all the logs.
Also, remember that if the Management Console happens to go offline/become
unavailable, the FW Modules start logging locally (i.e. to the local drives
under $FWDIR/log directory {which is a symbolic link to
/var/opt/CPfw1-41/log}). Make sure you have enough space on each FW module's
/var partition in a situation where the Management Server may be down {since
StoneBeat is only providing HA for the FW modules}. Make sure to have /var
on a seperate partition or redirect logs to another partition via a symbolic
link (see http://www.phoneboy.com/faq/0101.html ).
To HA a Management Console see:
http://support.checkpoint.com/kb/docs/public/firewall1/4_0/pdf/redundant-mgt
-srv.pdf and
http://www.phoneboy.com/faq/0235.html
For StoneBeat, you can direct the StoneBeat logs to the FW-1 logs using
Check Point's ELA/LEA API. {see StoneBeat docs}. Other than that, the
StoneBeat interface/console doesn't really require any major disk space or
CPU power. {You can also use the sbfcconfig command line utility, on each
FW module, or Management Console if you generated the PEM based certs for
the comman line utility}.
Overall, the FW Modules should be fast and have enough memory to pass the
traffic you need. In addition, make sure to use a FULL DUPLEX 100MBS
network segments for the State-sync between the FW Modules. You may want to
use a backup network segment for the State-sync in case the primary segment
goes down.
Good luck,
Amin Tora, CISSP
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
|
|
