Optimizing IPS

IPS is a robust solution for protecting your network from threats. Implementing the following recommendations will help maintain optimal security and performance.

During the tuning process, keep in mind that Check Point bases its assessment of performance impact and severity on an industry standard blend of traffic, placing greater weight on protocols such as HTTP, DNS, and SMTP. If your network traffic has high levels of other network protocols, you will need to take that into consideration when assessing inspection impact on the gateway or severity of risk to an attack.

Managing Performance Impact

A Check Point Security Gateway performs many functions in order to secure your network. At times of high network traffic load, these security functions may weigh on the gateway's ability to quickly pass traffic. IPS includes features which balance security needs with the need to maintain high network performance.

Gateway Protection Scope

By default, gateways using the current release inspect inbound and outbound traffic for threats. This behavior not only protects your network from threats that come from outside of your network, but also ensures that you will detect threats that may originate from your network. Changing this setting to only protect internal hosts will improve the performance of your gateway.

To change the scope of traffic that a gateway inspects:

1. Select IPS > Enforcing Gateways.
2. Select a gateway and click Edit.
3. For Security Gateways, select one of these options in the Protection Scope section:
   • Protect internal hosts only:

     If you select this option, the gateway protects only the internal network. This does not mean that only internal traffic is inspected. If a network object protected by one of the server-client protections is attacked, IPS inspects the internal to external traffic as well.

   • Perform IPS inspection on all traffic: the gateway will inspect all traffic regardless of its origin or destination.

Web Protection Scope

Web Protection Scope is a feature of Web Intelligence protections which allows the administrator to choose only to apply a protection to traffic associated with specific servers. This limits the inspection activities for that protection only to the traffic which is most likely to be subjected to a given attack. For example, HTTP protections should be applied only to servers or clients involved in HTTP traffic. For more information about Web Protection Scope, see Connectivity/Performance Versus Security.

Bypass Under Load

Bypass Under Load allows the administrator to define a gateway resource load level at which IPS inspection will temporarily be suspended until the gateway's resources return to acceptable levels.

IPS inspection can make a difference in connectivity and performance. Usually, the time it takes to inspect packets is not noticeable; however, under heavy loads it may be a critical issue.

You have the option to temporarily stop IPS inspection on a gateway if it comes under heavy load.

See CLI Commands for CLI commands related to Bypass Under Load.

To bypass IPS inspection under heavy load:

1. In the IPS tab, select Enforcing Gateways.
2. Select a gateway with critical load issues and click Edit. The IPS page of the Gateway Properties window opens.
3. Select Bypass IPS inspection when gateway is under heavy load.
4. To set logs for activity while IPS is off, in the Track drop-down list, select a tracking method.
5. To configure the definition of heavy load, click Advanced.
6. In the High fields, provide the percentage of CPU Usage and Memory Usage that defines Heavy Load, at which point IPS inspection will be bypassed.
7. In the Low fields, provide the percentage of CPU Usage and Memory Usage that defines a return from Heavy Load to normal load.
8. Click OK to close the Gateway Load Thresholds window.

Cluster Failover Management

You can configure how IPS is managed during a cluster failover (when one member of a cluster takes over for another member to provide High Availability).

To configure failover behavior for a cluster:

1. In the IPS tab, select Enforcing Gateways.
2. Select a cluster object and click Edit.

   The IPS page of the Gateway Cluster Properties window opens.

3. In the Failover Behavior area, select an option:
   • Prefer security - Close connections for which IPS inspection cannot be guaranteed
   • Prefer connectivity - Keep connections alive even if IPS inspections cannot be guaranteed
4. Click OK.

Tuning Protections

This section shows you how to tune protections to suit your needs.

Profile Management

IPS profiles allow you to apply all of the protections as a group to specific gateways.

Separate Profiles by Segment

It is recommended to create separate profiles for different gateway location types. For example, the group of gateways at the perimeter should have a separate profile than the group of gateways protecting the data centers.

Separate Profiles by Gateway Version

Because this version includes some features that are not supported by older gateways (or have a different effect there), it is recommended to apply different profiles for current gateways and for older gateways.

IPS Policy Settings

The IPS Policy settings allow you to control the entire body of protections by making a few basic decisions. Activating a large number of protections, including those with low severity or a low confidence level, protects against a wide range of attacks, but it can also create a volume of logs and alerts that is difficult to manage. That level of security may be necessary for highly sensitive data and resources; however it may create unintended system resource and log management challenges when applied to data and resources that do not require high security.

It is recommended to adjust the IPS Policy settings to focus the inspection effort in the most efficient manner. Once system performance and log generation reaches a comfortable level, the IPS Policy settings can be changed to include more protections and increase the level of security. Individual protections can be set to override the IPS Policy settings.

For more information on IPS Policy, see Automatically Activating Protections.

Focus on High Severity Protections

IPS protections are categorized according to severity. An administrator may decide that certain attacks present minimal risk to a network environment, also known as low severity attacks. Consider turning on only protections with a higher severity to focus the system resources and logging on defending against attacks that pose greater risk.

Focus on High Confidence Level Protections

Although the IPS protections are designed with advanced methods of detecting attacks, broad protection definitions are required to detect certain attacks that are more elusive. These low confidence protections may inspect and generate logs in response to traffic that are system anomalies or homegrown applications, but not an actual attack. Consider turning on only protections with higher confidence levels to focus on protections that detect attacks with certainty.

IPS Network Exceptions can also be helpful to avoid logging non-threatening traffic.

Focus on Low Performance Impact Protections

IPS is designed to provide analysis of traffic while maintaining multi-gigabit throughput. Some protections may require more system resources to inspect traffic for attacks. Consider turning on only protections with lower impact to reduce the amount system resources used by the gateway.

Enhancing System Performance

Performance Tuning

Check Point Performance Tuning improves gateway performance. For more information on Performance Tuning and how to optimize it, see the R77Performance Tuning Administration Guide.

CoreXL

For SecurePlatform gateways running on multi-core hardware, installing CoreXL on the gateway will allow the gateway to leverage the multiple cores to more efficiently handle network traffic. For more information on CoreXL and optimizing the CoreXL configuration, see the R77 Performance Tuning Administration Guide.