ES/LS Best Practice Checkpoint Logs
We have the following situation:
ES Appliance <-- 2Mbps VPN --> Checkpoint Firewall Cluster/Mgmt
This was working very well until today.
We've seen that we started to get backlogs and the 2 Mbps link was fully loaded with LEA Client connections.
The time difference between the enVision log time and the device log time was about 20 minutes.
This started when the Cluster handled more HTTP/DNS traffic and logged more allowed events.
We've seen that we have a lot of DNS requests; we have now disabled the logging of DNS so that we don't fall into the backlog situation, and this works as a workaround.
Now how can we solve this backlog problem?
Putting the ES Appliance next to the Checkpoints is not an option.
We have another machine with Windows on it. The question is: is there any support for installing a Remote Collector from an LS configuration on another machine without setting up another appliance?
Would it be possible to control the RC traffic over the 2 Mbps VPN WAN link, decreasing the traffic during the day and increasing it during the night?
I'm interested whether anyone has experience in tuning the LEA Client/Checkpoint logs for transfer over WAN links.
Thank you for any hint.
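The post above describes the two symptoms of an LEA feed that has outgrown its WAN link: a growing gap between device log time and collector receive time, and a link saturated by the LEA client. The following is an added example (not enVision or Check Point code) that turns those observations into numbers: it reads constructed sample records carrying both timestamps, reports the worst lag, and estimates the bandwidth a given event rate needs against the link, optionally with a compression ratio. The record format, the event sizes, the 1.1 framing overhead factor and the backlog threshold are all assumptions made for the illustration.

```python
"""Backlog detection and WAN sizing for a Check Point LEA feed.

Added example for this thread; not enVision or Check Point code.
The sample records below are constructed, and every constant is an assumption.
"""
from datetime import datetime

LINK_KBPS = 2000            # the 2 Mbps VPN link from the post (assumed fully usable)
BACKLOG_THRESHOLD_S = 300   # assumption: call it a backlog when receive lags log time by 5 min

# Constructed sample: "<device log time> <collector receive time> <event bytes on the wire>"
# The lag grows from 1 s to about 20 min, as described in the post.
SAMPLE_RECORDS = """\
2010-03-01T09:00:00 2010-03-01T09:00:01 280
2010-03-01T09:00:01 2010-03-01T09:00:03 310
2010-03-01T09:00:02 2010-03-01T09:05:10 295
2010-03-01T09:00:03 2010-03-01T09:20:15 305
"""


def parse_records(text):
    """Return a list of (device_time, receive_time, size_bytes) from the sample format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, received, size = line.split()
        records.append((datetime.fromisoformat(device),
                        datetime.fromisoformat(received), int(size)))
    return records


def max_lag_seconds(records):
    """Worst gap between the firewall's log time and the collector's receive time."""
    return max((received - device).total_seconds() for device, received, _ in records)


def is_backlogged(records, threshold_s=BACKLOG_THRESHOLD_S):
    """True when the collector is behind the firewall by more than the threshold."""
    return max_lag_seconds(records) > threshold_s


def average_event_bytes(records):
    return sum(size for _, _, size in records) / len(records)


def daily_to_eps(events_per_day):
    """Convert a daily event count (as quoted in the thread) into events per second."""
    return events_per_day / 86400


def required_kbps(eps, event_bytes, compression_ratio=1.0, overhead=1.1):
    """Link rate needed to ship `eps` events of `event_bytes` each.

    compression_ratio: wire bytes / raw bytes (1.0 means no compression).
    overhead: assumed factor for TCP/IP and TLS framing.
    """
    return eps * event_bytes * compression_ratio * overhead * 8 / 1000


def max_eps(link_kbps, event_bytes, compression_ratio=1.0, overhead=1.1):
    """Highest sustained event rate the link can carry without building a backlog."""
    return link_kbps * 1000 / (8 * event_bytes * compression_ratio * overhead)


def fits_link(eps, event_bytes, link_kbps=LINK_KBPS, compression_ratio=1.0, overhead=1.1):
    return required_kbps(eps, event_bytes, compression_ratio, overhead) <= link_kbps


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("worst lag: %.0f s, backlogged: %s" % (max_lag_seconds(recs), is_backlogged(recs)))
    size = average_event_bytes(recs)
    for rate in (100, 500, 1000):
        print("%4d EPS x %.0f B needs %.0f kbps uncompressed, %.0f kbps at 5:1"
              % (rate, size, required_kbps(rate, size), required_kbps(rate, size, 0.2)))
    print("2 Mbps link carries about %.0f EPS of 300 B events" % max_eps(LINK_KBPS, 300))
```

The lag figure is the one to watch: if it keeps growing during the day and only drains at night, the link is undersized for the daytime rate, and the options are the ones discussed in this thread (log fewer rules, move the collector, or make each event cheaper on the wire).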
We have a very similar problem. We collect CheckPoint logs from a customer over a 256 kbps WAN link. Our old solution is a Linux box with an LEA connector and a MySQL database, which is able to collect 20 million events per day. We would like to replace this solution with enVision, but we have a problem with it. RSA enVision collects only 3 million events per day over the same link. The problem is the TCP communication between the Linux CheckPoint management and the Windows RSA enVision. When establishing the connection, selective acknowledgement and timestamps aren't used. I tried changing the TCP stack settings in Windows and experimenting with the TCP window size, but nothing speeds it up. Today I connected enVision to the CP management via a "proxy" (an SSH tunnel from a Linux machine) and the speed increased three times, but it is still not as fast as the old solution. Maybe with a Windows CP management the TCP communication would be correct.
We have opened a case at RSA, but unfortunately they dissociate themselves from this, saying that supposedly it isn't a problem of enVision. But enVision is an appliance with a Windows OS, which has a problem communicating with Linux over a slow WAN link.
I think that it isn't possible to connect a Remote Collector to an ES appliance. You can try the same workaround with a mediated LEA connection over a Linux machine.
A C T I N E T
Our workaround was to disable logging on some heavily loaded rules, but this is only a workaround.
Some tests have shown the same thing you describe in your case: the LEA connection in enVision creates backlogs over WAN links.
Up to now I have found no other solution for this problem.
We unfortunately can't decrease the number of logs from CheckPoint. And RSA obviously doesn't intend to solve this with Microsoft, because this is a very general problem. If I get some response from RSA, I'll let you know.
A C T I N E T
I found a solution for our problem today. In our case the problem was the missing compression on the LEA connection to the CheckPoint management. In early versions of enVision it wasn't possible to set this. I changed the Authentication type in Manage LEA Client from sslca to sslca_comp (compression). Over our 256 kbps link enVision is now collecting up to 600 EPS. Unfortunately I don't know when RSA added this option, and support wasn't able to tell me about it under the open case.
I hope that this configuration can help you.
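For readers who reach the Check Point side with a plain OPSEC LEA client rather than through the enVision UI, the same setting lives in the client's lea.conf. The fragment below is an added illustration in OPSEC SDK lea.conf format, not enVision's own configuration; the address, port and SIC names are placeholders, and the Check Point management must accept the compressed authentication type for the connection to succeed.

```text
# lea.conf for an OPSEC LEA client (illustration; hostnames and SIC names are placeholders)

lea_server ip                      10.0.0.5
lea_server auth_port               18184
opsec_sic_name                     CN=lea_client,O=mgmt..abc123
lea_server opsec_entity_sic_name   CN=cp_mgmt,O=mgmt..abc123
opsec_sslca_file                   opsec.p12

# Setting that saturated the 256 kbps link in the thread: SSL CA auth, uncompressed payload
lea_server auth_type               sslca

# Corrected setting: same authentication, compressed log stream
# (enVision exposes this as Authentication type "sslca_comp" under Manage LEA Client)
# lea_server auth_type             sslca_comp
```

Only the auth_type line changes between the two; keep exactly one of them active. After the switch, re-measure the lag between device log time and collector receive time during the busiest hour, since compression raises the ceiling but does not remove it.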