Frequently Asked Questions


The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. Users are complaining that the firewall is slow. How do I know if I need a bigger, better, faster box?

2. If I block a connection, how long will it last?

3. How is NG AI different from previous versions with respect to performance?

4. Why don't I see any security server processes running?

5. How do I know when my Rule Base is too complex?

6. How do I get these command-line options to run?

Answers

1. After making sure that the firewall is appropriately tuned and has a good Rule Base, the best way to determine whether you need new hardware is to monitor the CPU, memory, and I/O of the firewall over time, not just during one complaint. On the enforcement module, fw ctl pstat reports kernel memory and connection-table usage; for CPU and disk I/O use the operating system's own tools (vmstat, sar or top on UNIX, Performance Monitor on Windows). Sustained saturation under a tuned Rule Base is the case for a bigger box; a spike that coincides with a badly ordered rule or a security server being invoked is not.

2. A blocked connection lasts for whatever you specified when you performed the blocking action: the Block Intruder dialog in SmartView Tracker lets you block for a number of minutes or indefinitely. An indefinite block remains in place until it is removed, for example with fw sam -D on the enforcement module, which deletes all Suspicious Activity Monitoring (SAM) rules. A block is a SAM entry, not a Rule Base change, so if you need it to be permanent, put a rule in the Rule Base instead.

3. Performance is one of the big improvements in NG AI. One of the new enhancements is the consolidation of the state tables into a single table, which speeds up packet processing. The overhead of SmartDefense is negligible unless you invoke the security servers, because those are user-mode processes and every connection they handle leaves the kernel inspection path.

4. Security server processes are started only when something needs them: either they have been manually enabled in $FWDIR/conf/fwauthd.conf, or a rule requires authentication or content checking. Until such a rule is installed, none of them runs, which is what you are seeing. To confirm, look for the daemons by name (in.ahttpd, in.aftpd, in.asmtpd, in.atelnetd and so on) with ps -ef on UNIX or Task Manager on Windows.

5. That is a difficult question: what is complex in one environment may be entirely appropriate in another. As a rough figure, a medium-sized organization should have around 20 rules. The fewer the better is the rule, but get the job done first.

6. You must run them from $FWDIR/bin (on Windows, %FWDIR%\bin). Alternatively, you can add that directory to your PATH so the commands can be run from any directory. To do so, perform the following steps:

In UNIX:

  1. Edit the PATH statement in your .cshrc or .profile file. (Remember that these are hidden files.) The file you edit depends on which shell you use when you log on: .cshrc for csh or tcsh, .profile for sh or ksh.

  2. If you are editing your .cshrc, add the following line. The example assumes the FireWall-1 directory is /etc/fw; substitute whatever $FWDIR is on your module:

     set path=(/usr/bin $path /etc/fw/bin /usr/etc /etc /local/etc) 

     The traditional form of this line begins the list with ".", the current directory. Leave it out on a firewall: with "." in the search path, a file named fw planted in whatever directory you happen to be in would run instead of the real command, and $FWDIR/bin is run as root.

  3. To activate your change, type the following:

     source .cshrc 

  4. Now type echo $PATH to confirm your change. You should see /etc/fw/bin in the output. As a final check, type which fw; it should resolve to /etc/fw/bin/fw.

In Windows NT and Windows 2000:

  1. Select Start > Settings > Control Panel.

  2. Double-click the System applet, and select the Environment tab.

  3. Select the Path variable from the System Variables window.

  4. Verify that the Variable field at the bottom of the Environment tab shows Path, as follows:

     Variable: Path
     Value: %SystemRoot%\system32;%SystemRoot% 

  5. Add the FW-1 \bin directory path to the current Path variable value, in the following manner (the directory shown is the book's example; use the \bin directory of your own installation):

     For FireWall-1 5.0: %SystemRoot%\system32;%SystemRoot%;C:\winnt\fw1.4\bin 

     Once you've added the FW-1 \bin directory to the Path variable, you can check the value of the Path variable by running the following command in a command prompt. Open a new command prompt first: changes to system environment variables do not reach prompts that were already open.

     set 

  6. The value of the Path variable will be displayed in the following manner:

     Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\fw1.4\bin 
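The UNIX part of this procedure, written for a Bourne-style login shell (.profile) as an added example; this is not code from the book or from Check Point. It assumes FWDIR is /etc/fw, a constructed sample value, and adds the two checks worth making on a firewall before you trust PATH: whether PATH already searches the current directory, and appending $FWDIR/bin without duplicating it or admitting a relative entry.

```shell
#!/bin/sh
# Added example, not code from the book or from Check Point: the .profile
# counterpart of the csh "set path=(...)" step, with PATH hardening checks.
# Assumption (constructed for the example): FWDIR defaults to /etc/fw here;
# on a real module use whatever $FWDIR the installation set.

# path_has_cwd PATHVALUE
# Returns 0 (true) if PATHVALUE searches the current directory: a "."
# component, or an empty component ("a::b", leading or trailing ":").
# Either lets a file dropped in the working directory shadow a real
# command such as fw or cpstat.
path_has_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# add_to_path DIR PATHVALUE
# Prints PATHVALUE with DIR appended at the END (never the front), so a
# Check Point binary cannot shadow a system command of the same name.
# Refuses relative DIRs and does not add a directory already present
# (matched as a whole component, so /etc/fw does not match /etc/fw/bin).
add_to_path() {
    dir=$1
    cur=$2
    case "$dir" in
        /*) ;;
        *)  printf 'refusing relative PATH entry: %s\n' "$dir" >&2
            return 1 ;;
    esac
    case ":$cur:" in
        *":$dir:"*) printf '%s\n' "$cur"; return 0 ;;
    esac
    if [ -z "$cur" ]; then
        printf '%s\n' "$dir"
    else
        printf '%s\n' "$cur:$dir"
    fi
}

# What .profile would do with the two helpers (FWDIR value is constructed).
FWDIR=${FWDIR:-/etc/fw}
if path_has_cwd "$PATH"; then
    echo "warning: PATH searches the current directory; remove '.' or empty entries" >&2
fi
if newpath=$(add_to_path "$FWDIR/bin" "$PATH"); then
    PATH=$newpath
    export PATH
fi
```

Source it from .profile, or paste the two functions and the trailing lines in. The warning deliberately does not rewrite an existing PATH for you: on a shared administration host the offending "." usually comes from a site-wide profile, and that is where it should be removed.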



Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149
