
ES/LS Best Practice Checkpoint Logs

Discussion created by RSA Admin Employee on Jan 12, 2010
Latest reply on Feb 25, 2010 by Pavel Březina

Hi all

We have the following situation:

ES Appliance <-- 2Mbps VPN --> Checkpoint Firewall Cluster/Mgmt

This was working very well until today.

We've seen that we started to get backlogs and the 2Mbps link was fully loaded with LEA Client connections.

The time difference between the enVision log time and the device log time was about 20 minutes.

This started when the Cluster handled more HTTP/DNS traffic and logged more allowed events.

We've seen that we have a lot of DNS requests. We have now disabled the logging of DNS so as not to fall into the backlog situation; this works for now as a workaround.

Now, how can we solve this backlog problem?

Putting the ES Appliance at the Checkpoints is not an option.

We have another machine with Windows on it. The question is: is there any support for installing a Remote Collector from an LS configuration on another machine without setting up another appliance?

Would it be possible to control the RC traffic over the 2Mbps VPN WAN link, to decrease the traffic during the day and increase it during the night?

I'm interested in whether anyone has some experience in tuning the LEA Client/Checkpoint logs to send them over WAN links.

Thank you for any hint.

Greetings

Peter
