Troubleshooting guide
Chapter 7 Troubleshooting Security Servers and Content Security
Resolving Common HTTP Security Server Problems
Advanced Technical Reference Guide 4.1 • June 2000 59
2. Installed Solaris 2.6 and hardened it according to customer specs.
3. Installed VPN-1/FireWall-1 4.1.
4. Tuned the parameters, including /dev/hme, /dev/tcp, file descriptors, and the VPN-1/FireWall-1 parameters described above.
5. Increased the number of httpss instances to between 8 and 10.
6. Modified the Rule Base to eliminate the logging of legitimate drops.
7. Set the Excessive Log Grace Period to 30 seconds.
8. Ran a production test to determine performance during peak load.
Conclusions
Following this test, the conclusions below were drawn. They are presented for illustration and may be a useful guide for your own environment.
1. The resources available in this environment need to be increased in order to reach a level of performance that does not completely exhaust VPN-1/FireWall-1 and OS resources and that leaves some margin for future growth.
2. Overall the test was successful: the VPN-1/FireWall-1 product and the httpss transparent security server processes were stable, and they reported the periodic lack of resources as they should.
3. The performance of VPN-1/FireWall-1 and the httpss security servers with the enhanced UFP feature is better (faster) than that of the existing proxy technology, albeit on a larger and faster platform.
4. At some point, assuming growth in demand for the httpss service, the load will reach the limit of the resources available on a 4-CPU E450 machine with 1 GB of memory. Assuming there is no feasible larger single box to move to, the only option at that point would be load balancing.
Resolving Common HTTP Security Server Problems
This section lists some common problems and solutions from the Check Point Technical Services SecureKnowledge knowledge base, http://support.checkpoint.com/kb/index.html.
VPN-1/FireWall-1 Security Server and HTTP 1.1
There are two known problematic features in HTTP 1.1 that are not supported by the HTTP security server in VPN-1/FireWall-1 versions 4.0 and 4.1.
Chunked transfer encoding with content inspection
An HTTP server can send its response in chunked mode. This means that the message body includes chunk-size headers and footers between the chunks. An HTTP 1.1 client knows how to parse such a body and extract the data. The security server also knows how to parse the body, but in VPN-1/FireWall-1 versions 4.0 and 4.1 it does not know how to clean the chunk framing out of the body before passing it to the content inspection modules (e.g. a CVP server or HTML weeding). If the content inspection module is not aware of these headers and footers, it may fail to recognize suspicious data patterns, such as virus patterns. For that reason, in VPN-1/FireWall-1 versions 4.0 and 4.1 the security server blocks any chunked response if the connection matched a rule with content inspection. To allow such connections, the following attributes must be added to the props section of the objects.C file:
:http_cvp_allow_chunked (true).
:http_weeding_allow_chunked (true).
:http_block_java_allow_chunked (true).
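The following is an added example, not Check Point's code and not part of the original guide. It models the failure mode described above: a content inspection module that is handed the raw chunked body, with the chunk-size lines still spliced into it, can miss a signature that straddles a chunk boundary, while the same module finds it once the body has been de-chunked first. The signature string, the sample HTML and the chunk split point are constructed for the demonstration.

```python
"""Why chunked transfer encoding defeats naive content inspection.

Added example (not Check Point's code). The HTTP security server in
VPN-1/FireWall-1 4.0/4.1 passes the response body to the content-inspection
module (CVP server, HTML weeding) without removing the chunk framing. A scanner
that matches a signature on that raw body can miss a pattern split across a
chunk boundary. De-chunking first restores the original byte stream.
"""

# Constructed stand-in for a pattern the inspection module looks for.
SIGNATURE = b"EICAR-STANDARD"


def encode_chunked(payload: bytes, sizes) -> bytes:
    """Frame `payload` as an HTTP/1.1 chunked body using the given chunk sizes.

    Each chunk is "<hex length>\\r\\n<data>\\r\\n"; whatever is left after the
    listed sizes goes into one final chunk, followed by the zero-length
    last-chunk and an empty trailer.
    """
    out = bytearray()
    pos = 0
    for n in sizes:
        piece = payload[pos:pos + n]
        if not piece:
            break
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
        pos += len(piece)
    rest = payload[pos:]
    if rest:
        out += b"%x\r\n" % len(rest) + rest + b"\r\n"
    out += b"0\r\n\r\n"  # last-chunk plus empty trailer section
    return bytes(out)


def decode_chunked(body: bytes) -> bytes:
    """Strip the chunk framing and return the original payload.

    Tolerates chunk extensions (";name=value" after the size) and ignores any
    trailer headers after the zero-length chunk, since they are not body data.
    """
    data = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk-ext
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break
        data += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk: missing CRLF after chunk data")
        pos += 2
    return bytes(data)


def inspect(body: bytes, dechunk: bool) -> bool:
    """Return True if the signature is present.

    dechunk=False models the 4.0/4.1 behaviour (raw body handed to the module);
    dechunk=True models a module that removes the chunk framing first.
    """
    data = decode_chunked(body) if dechunk else body
    return SIGNATURE in data


# Constructed sample response body, chunked so that a boundary falls inside
# the signature ("EICAR" ends the first chunk, "-STANDARD" starts the second).
PAYLOAD = b"<html>...EICAR-STANDARD...</html>"
SPLIT = PAYLOAD.index(SIGNATURE) + 5
CHUNKED = encode_chunked(PAYLOAD, [SPLIT])

if __name__ == "__main__":
    print("raw body seen by scanner:", CHUNKED)
    print("signature found on raw chunked body:", inspect(CHUNKED, dechunk=False))
    print("signature found after de-chunking:  ", inspect(CHUNKED, dechunk=True))
```

The practical point for the three `allow_chunked` attributes above: setting them to true lets chunked responses through to the inspection module, but it does not make that module aware of the chunk framing, so the missed-pattern risk this example illustrates remains unless the CVP server or weeding code de-chunks the body itself.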