IPS is a robust solution for protecting your network from threats. Implementing the following recommendations will help maintain optimal security and performance.
During the tuning process, keep in mind that Check Point bases its assessment of performance impact and severity on an industry standard blend of traffic, placing greater weight on protocols such as HTTP, DNS, and SMTP. If your network traffic has high levels of other network protocols, you will need to take that into consideration when assessing inspection impact on the gateway or severity of risk to an attack.
Managing Performance Impact
A Check Point Security Gateway performs many functions in order to secure your network. At times of high network traffic load, these security functions may weigh on the gateway's ability to quickly pass traffic. IPS includes features which balance security needs with the need to maintain high network performance.
Gateway Protection Scope
By default, gateways using the current release inspect inbound and outbound traffic for threats. This behavior not only protects your network from threats that come from outside of your network, but also ensures that you will detect threats that may originate from your network. Changing this setting to only protect internal hosts will improve the performance of your gateway.
Note - Application Control rules are not affected by the Scope setting.
To change the scope of traffic that a gateway inspects:
- Select IPS > Enforcing Gateways.
- Select a gateway and click Edit.
- For Security Gateways, select one of these options in the Protection Scope section:
- Protect internal hosts only:
If you select this option, the gateway protects only the internal network. This does not mean that only internal traffic is inspected. If a network object protected by one of the server-client protections is attacked, IPS inspects the internal to external traffic as well.
- Perform IPS inspection on all traffic: the gateway will inspect all traffic regardless of its origin or destination.
For IPS-1 Sensors, select one of these options in the Topology page:
- lets the IPS-1 Sensor protections react to all traffic with the highest level of inspection. Most organizations will choose not to use this setting because it requires a high level of inspection of traffic even of traffic that does not impact the organization's security.
- lets you specify the group of hosts or networks that the IPS-1 Sensor protects. This reduces the load on the sensor by focusing the sensor's resources on traffic that relates to internal networks.
- does not specify a group of hosts or networks for protection. When no topology is configured, the IPS-1 Sensor inspects all traffic with a lower level of intensity. The IPS-1 Sensor will inspect traffic faster but without the high level of inspection provided by the and settings.
Web Protection Scope
Web Protection Scope is a feature of Web Intelligence protections which allows the administrator to choose only to apply a protection to traffic associated with specific servers. This limits the inspection activities for that protection only to the traffic which is most likely to be subjected to a given attack. For example, HTTP protections should be applied only to servers or clients involved in HTTP traffic. For more information about Web Protection Scope, see Connectivity/Performance Versus Security.
Bypass Under Load
Bypass Under Load allows the administrator to define a gateway resource load level at which IPS inspection will temporarily be suspended until the gateway's resources return to acceptable levels.
IPS inspection can make a difference in connectivity and performance. Usually, the time it takes to inspect packets is not noticeable; however, under heavy loads it may be a critical issue.
You have the option to temporarily stop IPS inspection on a gateway if it comes under heavy load.
See CLI Commands for CLI commands related to Bypass Under Load.
To bypass IPS inspection under heavy load:
- In the IPS tab, select Enforcing Gateways.
- Select a gateway with critical load issues and click Edit. The IPS page of the Gateway Properties window opens.
- Select Bypass IPS inspection when gateway is under heavy load.
- To set logs for activity while IPS is off, in the Track drop-down list, select a tracking method.
- To configure the definition of heavy load, click Advanced.
- In the High fields, provide the percentage of CPU Usage and Memory Usage that defines Heavy Load, at which point IPS inspection will be bypassed.
- In the Low fields, provide the percentage of CPU Usage and Memory Usage that defines a return from Heavy Load to normal load.
- Click OK to close the Gateway Load Thresholds window.
Cluster Failover Management
You can configure how IPS is managed during a cluster failover (when one member of a cluster takes over for another member to provide High Availability).
To configure failover behavior for a cluster:
- In the IPS tab, select Enforcing Gateways.
- Select a cluster object and click Edit.
The IPS page of the Gateway Cluster Properties window opens.
- In the Failover Behavior area, select an option:
- Prefer security - Close connections for which IPS inspection cannot be guaranteed
- Prefer connectivity - Keep connections alive even if IPS inspections cannot be guaranteed
- Click OK.
IPS profiles allow you to apply all of the protections as a group to specific gateways.
Separate Profiles by Segment
It is recommended to create separate profiles for different gateway location types. For example, the group of gateways at the perimeter should have a separate profile than the group of gateways protecting the data centers.
Separate Profiles by Gateway Version
Because this version includes some features that are not supported by older gateways (or have a different effect there), it is recommended to apply different profiles for current gateways and for older gateways.
IPS Policy Settings
The IPS Policy settings allow you to control the entire body of protections by making a few basic decisions. Activating a large number of protections, including those with low severity or a low confidence level, protects against a wide range of attacks, but it can also create a volume of logs and alerts that is difficult to manage. That level of security may be necessary for highly sensitive data and resources; however it may create unintended system resource and log management challenges when applied to data and resources that do not require high security.
It is recommended to adjust the IPS Policy settings to focus the inspection effort in the most efficient manner. Once system performance and log generation reaches a comfortable level, the IPS Policy settings can be changed to include more protections and increase the level of security. Individual protections can be set to override the IPS Policy settings.
For more information on IPS Policy, see Automatically Activating Protections.
Note - A careful risk assessment should be performed before disabling any IPS protections.
Focus on High Severity Protections
IPS protections are categorized according to severity. An administrator may decide that certain attacks present minimal risk to a network environment, also known as low severity attacks. Consider turning on only protections with a higher severity to focus the system resources and logging on defending against attacks that pose greater risk.
Focus on High Confidence Level Protections
Although the IPS protections are designed with advanced methods of detecting attacks, broad protection definitions are required to detect certain attacks that are more elusive. These low confidence protections may inspect and generate logs in response to traffic that are system anomalies or homegrown applications, but not an actual attack. Consider turning on only protections with higher confidence levels to focus on protections that detect attacks with certainty.
IPS Network Exceptions can also be helpful to avoid logging non-threatening traffic.
Focus on Low Performance Impact Protections
IPS is designed to provide analysis of traffic while maintaining multi-gigabit throughput. Some protections may require more system resources to inspect traffic for attacks. Consider turning on only protections with lower impact to reduce the amount system resources used by the gateway.
Enhancing System Performance
Check Point offers Performance Pack to improve gateway performance. For more information on Performance Pack and how to optimize it, see the R76 Performance Tuning Administration Guide.
For SecurePlatform gateways running on multi-core hardware, installing CoreXL on the gateway will allow the gateway to leverage the multiple cores to more efficiently handle network traffic. For more information on CoreXL and optimizing the CoreXL configuration, see the R76 Performance Tuning Administration Guide.