Re: [fw-wiz] NetScreen Logging with NSRP



If a Netscreen is constantly running at 80% on the active and 5% on
the passive, you have really high traffic. Usually with Netscreens you
only get such a high load if you do IPsec at the limit of the machine.
Do you have an idea how many sessions you have on these machines? Do
you have broadcast storms in that network?

I monitor several Netscreens (>200) in different networks, but none of
them has such a high load. The highest is at about 5% load.

With a cluster you cannot do logging on the backup machine only. It is
enabled on both machines, since the configuration is synchronized
between them. Usually logging does not increase the load, because it
is done in hardware. What models are used?

Alternatively you could mirror the ports where the netscreens are
connected and log the traffic with ntop (http://www.ntop.org).

Peter Bruderer
--
Bruderer Research GmbH
CH-8200 Schaffhausen

+41 52 620 26 53
brudy@xxxxxxxxxxxxxxxxxxxxx



On 26.03.2008, at 13:47, Kerry Milestone wrote:
Hello,

I am looking at doing an audit of the policies installed on an HA
passive/active firewall setup with NSRP. The primary is running at
about 80% CPU or so, the backup is at about 5%. As such, I am a bit
hesitant (to say the least) about turning policy logging on, as it may
kill the firewall.

Is it possible somehow to have logging on just the redundant firewall?
My other, perhaps long, way of doing this is to convert the current
policies and, say, parse them into snort rules and observe through a
port tap the number of 'positive' hits on the IDS.

Does anyone have any other suggestions as to how to achieve what I
want to do?

Many thanks,
Kerry Milestone


--
Kerry Milestone

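Kerry's fallback idea, converting the policy list into Snort rules and counting hits on a tap, sketched as an added example. This is not code from the thread, from Juniper or from the Snort project. The policy tuples are a constructed simplification of a ScreenOS policy list (a real `get policy` dump would need its own parser), the flows are constructed sample records as a tap might reconstruct them, and the SID base of 1000000 is the usual convention for local rules. Two caveats the script reflects: a tap sees addresses and ports, not zones, so zone names only go into the rule message; and Snort fires every matching rule while the firewall takes the first match, so the `first_match` helper mimics the firewall's top-down lookup rather than Snort's behaviour.

```python
"""
Turn a simplified ScreenOS-style policy list into Snort rules and count which
policy each observed flow would have hit (first match, top-down, like the
firewall).  All data below is constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed sample policies, in the order the firewall evaluates them:
# (policy id, src zone, dst zone, src net, dst net, proto, dst port, action)
POLICIES = [
    (1, "trust", "untrust", "10.0.0.0/24", "0.0.0.0/0", "tcp", 80, "permit"),
    (2, "trust", "untrust", "10.0.0.0/24", "0.0.0.0/0", "tcp", 443, "permit"),
    (3, "untrust", "dmz", "0.0.0.0/0", "192.0.2.10/32", "tcp", 25, "permit"),
    (4, "untrust", "dmz", "0.0.0.0/0", "192.0.2.0/24", "tcp", 23, "deny"),
]

# Constructed sample flows as reconstructed from a tap or port mirror:
# (src ip, dst ip, proto, dst port)
FLOWS = [
    ("10.0.0.5", "198.51.100.7", "tcp", 80),
    ("10.0.0.9", "198.51.100.7", "tcp", 80),
    ("10.0.0.5", "203.0.113.1", "tcp", 443),
    ("203.0.113.9", "192.0.2.10", "tcp", 25),
    ("203.0.113.9", "192.0.2.11", "tcp", 23),
    ("203.0.113.9", "192.0.2.11", "tcp", 22),  # no policy: implicit deny
]

SID_BASE = 1000000  # local Snort rules conventionally use sids >= 1000000


def policy_to_snort(policy):
    """Render one policy as a Snort alert rule keyed by its policy id."""
    pid, sz, dz, src, dst, proto, dport, action = policy
    src_s = "any" if src == "0.0.0.0/0" else src
    dst_s = "any" if dst == "0.0.0.0/0" else dst
    # Count new connections rather than every packet: match the SYN for TCP.
    extra = "flags:S; " if proto == "tcp" else ""
    return (f'alert {proto} {src_s} any -> {dst_s} {dport} '
            f'(msg:"FW policy {pid} {sz}->{dz} {action}"; {extra}'
            f'sid:{SID_BASE + pid}; rev:1;)')


def policies_to_rules(policies):
    """Render all policies; refuse duplicate ids, which would collide on sid."""
    sids = [SID_BASE + p[0] for p in policies]
    if len(set(sids)) != len(sids):
        raise ValueError("duplicate policy ids would produce duplicate sids")
    return [policy_to_snort(p) for p in policies]


def first_match(flow, policies):
    """Policy id of the first policy matching the flow, or None (implicit deny).

    Zones are not checked: a tap cannot see them, only addresses and ports.
    """
    src_ip, dst_ip, proto, dport = flow
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for pid, _sz, _dz, src, dst, pproto, pport, _action in policies:
        if (proto == pproto and dport == pport
                and s in ipaddress.ip_network(src)
                and d in ipaddress.ip_network(dst)):
            return pid
    return None


def hit_counts(flows, policies):
    """Map policy id (None for unmatched) to the number of flows it caught."""
    return Counter(first_match(f, policies) for f in flows)


if __name__ == "__main__":
    for rule in policies_to_rules(POLICIES):
        print(rule)
    for pid, n in sorted(hit_counts(FLOWS, POLICIES).items(),
                         key=lambda kv: (kv[0] is None, kv[0])):
        print(f"policy {pid if pid is not None else 'none (implicit deny)'}: {n} flows")
```

Policies that never show up in the counts over a representative capture window are the audit candidates; the `None` bucket is traffic no explicit policy covers and is worth a look on its own.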





_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


