Firewall Wizards: Re: NetScreen Logging with NSRP

Re: NetScreen Logging with NSRP

From: Peter Bruderer <peter.bruderer_at_brg.ch>
Date: Wed, 26 Mar 2008 20:43:29 +0100

If a Netscreen is constantly running at 80% on the active and 5% on
the passive, you have really high traffic. Usually with Netscreen you
only get such a high load if you do IPsec at the limit of the machine.
Do you have an idea how many sessions you have on these machines? Do
you have broadcast storms in that network?

I monitor several netscreens (>200) in different networks but none of
them has such a high load. The highest got about 5% load.

Having a cluster you cannot do logging on the backup machine. It is
enabled on both machines, since the configuration is synchronized
between both machines. Usually logging does not increase the load,
because it is done in hardware. What models are used?

Alternatively you could mirror the ports where the netscreens are
connected and log the traffic with ntop (http://www.ntop.org).

Peter Bruderer

--
  Bruderer Research GmbH
  CH-8200 Schaffhausen
  +41 52 620 26 53
  brudy_at_bruderer-research.com

On 26.03.2008, at 13:47, Kerry Milestone wrote:
> Hello,
>
> I am looking at doing an audit of the policies installed on a HA
> passive/active firewall setup with NSRP.  The primary is running at
> about 80% CPU or so, the backup is about 5%.  As such, I am a bit
> hesitant (to say the least) about putting policy logging on as it may
> kill the firewall.
>
> Is it possible somehow to have logging on just the redundant firewall?
> My other, perhaps long way of doing this is to convert the current
> policies and, say, parse into snort rules and observe through a port tap
> - the number of 'positive' hits on the IDS.
>
> Does anyone have any other suggestions as to how to achieve what I want
> to do?
>
> Many thanks,
> Kerry Milestone
>
>
> -- 
> Kerry Milestone
Peter Bruderer
--
   Bruderer Research GmbH
   CH-8200 Schaffhausen
   +41 52 620 26 53
   peter.bruderer_at_brg.ch
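Whichever way the traffic logs are collected (policy logging on the cluster, or a mirror port into ntop as suggested above), the audit Kerry describes comes down to counting hits per policy ID and spotting policies that never match. The following is an added example, not code from either poster; it assumes the NetScreen key=value traffic-log layout shown in the constructed sample lines, and the list of configured policy IDs is a constructed placeholder.

```python
import re
from collections import Counter

# Constructed sample lines in the NetScreen key=value traffic-log layout
# (an assumption about the format, not output captured from the posters' devices).
SAMPLE_LOG = """\
NetScreen device_id=ns-fw1 [Root]system-notification-00257(traffic): start_time="2008-03-26 13:47:01" duration=12 policy_id=3 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=820 rcvd=4096 src=10.1.1.5 dst=192.0.2.10 src_port=40123 dst_port=80
NetScreen device_id=ns-fw1 [Root]system-notification-00257(traffic): start_time="2008-03-26 13:47:02" duration=0 policy_id=3 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=510 rcvd=2048 src=10.1.1.6 dst=192.0.2.10 src_port=40124 dst_port=80
NetScreen device_id=ns-fw1 [Root]system-notification-00257(traffic): start_time="2008-03-26 13:47:05" duration=0 policy_id=7 service=smtp proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=198.51.100.9 dst=10.2.0.25 src_port=51000 dst_port=25
this line is not a traffic record and must be ignored
"""

# policy_id is the key the audit hinges on; action tells whether the rule permitted or denied.
RECORD_RE = re.compile(r'policy_id=(?P<policy>\d+)\s.*?\baction=(?P<action>\w+)')


def count_policy_hits(log_text):
    """Return {policy_id: Counter({action: hits})} over every parsable traffic record.

    Lines that do not carry a policy_id/action pair (non-traffic events, noise)
    are skipped instead of aborting the run.
    """
    hits = {}
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        pid = int(m.group("policy"))
        hits.setdefault(pid, Counter())[m.group("action")] += 1
    return hits


def unused_policies(configured_ids, hits):
    """Policies present in the config but never matched in the log window: audit candidates."""
    return sorted(set(configured_ids) - set(hits))


if __name__ == "__main__":
    configured = [1, 3, 7, 12]  # constructed placeholder for the device's configured policy IDs
    h = count_policy_hits(SAMPLE_LOG)
    for pid, actions in sorted(h.items()):
        print(f"policy {pid}: {dict(actions)}")
    print("never matched:", unused_policies(configured, h))
```

A policy with no hits over a representative window is a candidate for removal or tightening, while a high Deny count against one policy is worth a closer look before touching the rule base.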
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Mar 26 2008