Lesson 11: Maintenance and Performance Optimization PDF

Summary

This document provides a lesson on network maintenance and performance optimization. It covers topics like system health, performance data, traffic statistics, and the threat suppression engine. The document is intended for a professional audience.

Full Transcript


Lesson 11: Maintenance and Performance Optimization

Lesson Objectives

After completing this lesson, participants will be able to:
Report device health using the SMS
Examine traffic flow through the inspection device
Report device health using the LSM

SMS Health Monitoring

Verify System Health

The All Devices screen provides a summary of each device that is being managed by the SMS. The system health status indicator provides information about the hardware components of the managed device. You can expand the device details for a particular device. Verify that all Power Supplies are functioning properly. This view also provides a quick glance at System Health, including Memory, Temperature, and File System Usage. From here you can also see CPU usage and congestion. Green lights indicate that ports are active. In our example we can see that Module 1 Segment 1 (top left) is active and all slots are populated with various I/O modules.

© 2021 Trend Micro Inc. Education 159

System Health Details

You can see in this example that the Events section allows for a more detailed view of the device. This includes System Health, being viewed here, as well as Performance, Port Health, Traffic, System Log, and Audit Logs. This device currently has only one power supply, which is Supply 2. Other device information can be found here, including Memory, Fan speeds, and voltage, among other things. Highlighting the health stats above allows you to see a history of that health monitoring in graph form. You are able to select the polling interval for the graph, which may help you to determine the particular time frame in which an incident occurred.

Real-time Memory

You have the ability to select your Polling intervals in a break-out view as well. Here we have a brief capture of Memory usage with a polling interval taking place every 5 seconds.
Again, this can be useful for tracking when an incident may be occurring.

Performance Data

The Packet Statistics section displays the number of packets processed by the device since boot time, in the terms displayed in the following table. You can click Reset to reset the counters and Refresh to display current values. The Dropped section is the number of dropped packets and indicates congestion. Additional troubleshooting will need to be performed to find out why you have dropped packets. You may need to check how many Permit + Notify actions are set; it is possible that they are causing packets to drop.

Tier Stats

We are going to spend a fair amount of time on Tier Stats in the SMS. The information found here can also be obtained via the CLI. We will discuss CLI commands later in this lesson, but the information here will still apply.

Threat Suppression Engine (TSE) Flow

The TSE is a custom engine designed to detect and block a broad range of attacks at wire speeds. Traffic flows from left to right. As it enters the system, it flows through a pipeline. The various checks through the pipeline include:
(1) Connection Table, where the state of a connection is maintained (e.g. TCP SYN, SYN-ACK, established). In Model E devices (1200E, 2400E, etc.), the Advanced DDoS functionality is implemented here. Blocked and Rate-Limited Streams are maintained here as well.
(2) Header Processing, where fixed header fields are checked. This stage also checks that the packet is properly formatted.
(3) Content Matching: check for suspicious patterns or sets of patterns (using logical statements).
(4) Trigger Result: if any previous checks imply suspicion, the packet may be dropped immediately or passed on for further verification.
(5) Threat Verification, where packets/flows are analyzed in detail using protocol decoders and regular expression matching to verify a filter match. The verification test has one of two outcomes: a) Benign (no attack present, so traffic is sent on its way) or b) Filter Match for the flow (dropped, rate-limited or permitted based on policy).
(6) Lastly, packets pass out of the device through Flow Control, which may rate limit some traffic based on policy, or just let the traffic exit the device.

Filters such as host sweeps, port scans and packet floods use statistical information garnered from the connection table to detect possible threats and block intruders, DoS, or other malicious traffic.

Tier 1 View via SMS

The Tier Statistics tab provides information on packets and speed by tier. Tier 1 handles inspection bypass and Intrinsic HA L2FB, which will prevent traffic from going to the next tier. Tier 1 also handles the rate limiter, inspection bypass rules, jumbo packet shunting, and the hardware watchdog timer. The first 4 lines in Tier 1 indicate how much traffic is entering the IPS for inspection across all segments. A value in parentheses () represents the high-level watermark and a value in brackets [] represents the low-level watermark since the IPS was powered on or the tier statistics were reset. These stats can be cleared using the CLI command clear np tier-stats.

A/B/C Balance displays how well the flows are being balanced between the XLRs. 100% indicates an even 33/33/33 split, which is ideal. 0% means that all traffic is going to a single XLR. Note that the distribution of packets across the XLRs is flow based, so it is not uncommon to see a slight difference between them. Utilization displays the percentage of rated system throughput and of traffic to the next tier. Inspection bypass rules reduce the value of both Utilization and Ratio to next tier.
Check for Errors and Discards

The Port Health screen displays a summary of port usage statistics in a table, and shows longer-term historical statistics in a series of graphs. When the SMS is configured in an HA cluster, the Port Health screen displays information for both the active and the passive server, using a separate tabbed view for each server.

The top portion of the Port Statistics screen displays current port statistics in a table view. For each interface, the table displays the number of bytes incoming and outgoing, the number of packets discarded, and the number of errors, as described in the following table.

Interface - Network interface, typically shown as primary port or secondary port.
Total In: Bytes - Total number of bytes that have passed into the port.
Total Out: Bytes - Total number of bytes that have passed out of the port.
Total In: Discards - Number of inbound packets discarded, although no errors were detected.
Total Out: Discards - Number of outbound packets discarded, although no errors were detected.
Total In: Errors - Sum of all errors that prevented the final transmission of inbound packets.
Total Out: Errors - Sum of all errors that prevented the final transmission of outbound packets.

Historical Graphs

This screen shows a visual representation of the Statistics page we looked at previously. It can be useful in quickly spotting traffic patterns. The current setting is by the hour, but you can change those polling intervals as needed. Here we can see that Slot 1 Segment 2A and Slot 1 Segment 2B have the same amount of traffic entering and exiting, which means that no traffic is being blocked. Below that we have Slot 1 Segment 3A and 3B, and we can see that packets are being blocked, which is to be expected.
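As an added example (not code from the lesson or from the SMS), here is a small Python check over rows shaped like the Port Statistics table above: it flags interfaces carrying discards or errors and, for each A/B segment pair, compares bytes entering one side with bytes leaving the other, which is the comparison the Historical Graphs section makes by eye. The interface names and counter values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class PortStats:
    interface: str      # e.g. "Slot 1 Segment 2A"
    in_bytes: int       # Total In: Bytes
    out_bytes: int      # Total Out: Bytes
    in_discards: int    # Total In: Discards (dropped, but no error detected)
    out_discards: int   # Total Out: Discards
    in_errors: int      # Total In: Errors
    out_errors: int     # Total Out: Errors

def check_ports(rows):
    """Flag every interface with discards or errors, kept separate because
    discards are error-free drops (congestion) while errors are failed frames."""
    findings = []
    for r in rows:
        if r.in_discards or r.out_discards:
            findings.append((r.interface, "discards", r.in_discards + r.out_discards))
        if r.in_errors or r.out_errors:
            findings.append((r.interface, "errors", r.in_errors + r.out_errors))
    return findings

def segment_blocking(rows):
    """Per A/B segment pair, return (bytes entering, bytes not forwarded).
    Equal in/out figures mean nothing was blocked on that path.
    Assumption: paired interfaces share a prefix and end in 'A' and 'B'."""
    by_name = {r.interface: r for r in rows}
    result = {}
    for name, a in by_name.items():
        if not name.endswith("A"):
            continue
        b = by_name.get(name[:-1] + "B")
        if b is None:
            continue  # unpaired interface: nothing to compare against
        entering = a.in_bytes + b.in_bytes
        blocked = (a.in_bytes - b.out_bytes) + (b.in_bytes - a.out_bytes)
        result[name[:-1]] = (entering, blocked)
    return result

# Constructed sample rows mirroring the page's example: segment 2 forwards
# everything, segment 3 blocks some traffic and also shows discards/errors.
SAMPLE_ROWS = [
    PortStats("Slot 1 Segment 2A", 500_000, 480_000, 0, 0, 0, 0),
    PortStats("Slot 1 Segment 2B", 480_000, 500_000, 0, 0, 0, 0),
    PortStats("Slot 1 Segment 3A", 900_000, 300_000, 120, 0, 0, 0),
    PortStats("Slot 1 Segment 3B", 310_000, 850_000, 0, 0, 3, 0),
]
```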
Traffic Stats

When reviewing traffic stats you will want to check the frame size distribution and small packet counts, indicated in red and yellow. Check your frame type for an abundance of broadcast; it will show up as orange in the lower chart.

UDP Packets

Check the protocol mix and the ARP broadcast count. Typically you will see TCP unless you have too many small UDP packets or fragments. Change low priority events from B+N to Block.

Management Information

You use the Management Information page in the Device Configuration wizard to view and update general information about the device. The fields on this page collectively give you a complete view of the management information for a specific device. Go to the device. Click View LSM or SSH Terminal to access the device from the SMS.

LSM At a Glance

Auto Refresh: The time period for the Auto Refresh option, available on pages that have dynamic content, such as the System Summary page, Log pages, and Health page.
Received: Total number of packets received and scanned by the Threat Suppression Engine.
Blocked: Total number of packets that have been blocked by the Threat Suppression Engine.
Rate Limited: The number of packets that matched a filter configured to a permit action set.
Trusted: The number of packets that were passed as trusted.
Dropped: Total number of packets that have been dropped because they are not properly formed or formatted.

Packet counters provide a snapshot of network traffic by displaying the number of packets tracked. Dropped packets require further investigation. You can click the links to research items further. In this example we will click on System Log to see why it is in a Critical State.
System Log

Here we can see that the Critical State for the System Log is flagging due to a stacking size error.

Cleared Log

Clearing the Log.

Show log system tail

Here we have the system log viewed with the tail option. This shows the most recent messages in the syslog.

vtps-hawk{}show log system tail
2019-08-26 14:50:32.128 [vtps-hawk] [HEALTHCHECKD-WARNING:] "Exiting Performance Protection mode. Alert logging will resume (6472 alerts not logged)"
2019-08-26 16:21:09.200 [vtps-hawk] [XMS-NOTICE:] "AAA:Password changed for user 'SuperMan'"
2019-08-26 16:30:16.022 [vtps-hawk] [TOSPORT-INFO:] "FX: Processing SMS TSR download request, file name /var/records/techsupport/tech_support_VTPS0100-1731_08262019.tar.gz"
2019-08-27 01:00:23.885 [vtps-hawk] [TOSPORT-INFO:] "UDM: Completed UDM Update request for action set 'SMS Quarantine Action Set (Hidden)' [08770c6a-feld-lld99d20-0007e9735b7a]"

LSM Reports

The TPS itself has basic reporting capabilities via the LSM interface. Apart from the top-level display that shows Top 10 Filters, Filters by Severity, Filters by Action, and Filters by Protocol, and the reports available on the Reports page, you can also access reporting information on the Dashboard and Monitor pages. The Dashboard provides information in the form of graphs on device performance. The Monitor page provides additional graphical reports on system health.

The following reports are available via the Reports tab on the LSM.
Activity - Contains information about network traffic and network activity, including reports on Rate Limiters, Traffic Profile, and SSL Connections.
Security - Contains information about the performance and activity for the device, including reports for Adaptive filter control, DDoS, Quarantines, and Top filter matches.
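Returning to the show log system tail output above: as an added example, not part of the lesson or the device software, the following Python parses lines in that format and triages them, surfacing entries at or above a chosen severity plus AAA (authentication) messages, and pulling the "alerts not logged" count out of the Performance Protection message. The severity ordering is the standard syslog one (an assumption about the device's names), and the sample lines are constructed after the page's output with a placeholder action-set id.

```python
import re

# Line shape of the "show log system tail" output above:
#   YYYY-MM-DD HH:MM:SS.mmm [hostname] [COMPONENT-SEVERITY:] "message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) '
    r'\[(?P<host>[^\]]+)\] \[(?P<component>[A-Z0-9]+)-(?P<severity>[A-Z]+):\] '
    r'"(?P<msg>.*)"$'
)

# Standard syslog severities, most severe first (assumption: the device uses
# these names; an unknown name is ranked below DEBUG).
SEVERITY_ORDER = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
                  "WARNING", "NOTICE", "INFO", "DEBUG"]

def parse_line(line):
    """Return a dict with ts/host/component/severity/msg, or None if no match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, threshold="WARNING"):
    """Return entries at or above `threshold`, plus AAA (authentication)
    messages, which deserve an audit look regardless of severity."""
    limit = SEVERITY_ORDER.index(threshold)
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # unparseable line: leave it for manual review
        rank = (SEVERITY_ORDER.index(e["severity"])
                if e["severity"] in SEVERITY_ORDER else len(SEVERITY_ORDER))
        if rank <= limit or e["msg"].startswith("AAA:"):
            findings.append(e)
    return findings

def unlogged_alerts(entry):
    """Alerts dropped during Performance Protection mode, taken from the
    '(N alerts not logged)' clause; 0 when the message carries none."""
    m = re.search(r"\((\d+) alerts not logged\)", entry["msg"])
    return int(m.group(1)) if m else 0

# Constructed sample modelled on the page's output (action-set id is a placeholder).
SAMPLE_LOG = [
    '2019-08-26 14:50:32.128 [vtps-hawk] [HEALTHCHECKD-WARNING:] "Exiting Performance Protection mode. Alert logging will resume (6472 alerts not logged)"',
    '2019-08-26 16:21:09.200 [vtps-hawk] [XMS-NOTICE:] "AAA:Password changed for user \'SuperMan\'"',
    '2019-08-26 16:30:16.022 [vtps-hawk] [TOSPORT-INFO:] "FX: Processing SMS TSR download request, file name /var/records/techsupport/tech_support_VTPS0100-1731_08262019.tar.gz"',
    '2019-08-27 01:00:23.885 [vtps-hawk] [TOSPORT-INFO:] "UDM: Completed UDM Update request for action set \'SMS Quarantine Action Set (Hidden)\' [00000000-0000-0000-0000-000000000000]"',
]
```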
The following report is available via the Tools tab on the LSM.
Tech Support Report - Use the Technical Support Report page to arrange for the LSM to send you a status report in an email, based on the email server settings you configured.

Technical Support Report

The Tech Support Report collects diagnostic information into a report that TippingPoint Support can use to debug and troubleshoot system issues. It includes diagnostic commands, log files, and optionally a full system snapshot. The TSR captures the system's current running configuration.

Note: If you include a system snapshot with your TSR, the report does not contain the following sensitive information:
User names and passwords
LDAP and RADIUS server passwords
SNMPv3 passphrase
Cluster passphrase
VPN IPSec keys
Keystore

After the report is created, you can export the file to your local system. You can then email the TSR file to the Technical Assistance Center (TAC) for support.

Warning: Do not attempt to restore a TSR snapshot to your appliance. All sensitive information, including user names and passwords, is removed, and you will be unable to log in. If you attempt to restore a Tech Support Report snapshot and are unable to log in, contact the Technical Assistance Center (TAC) for support.

Best Practice: Only one report can exist on the device. When you create a new report, the previous report is replaced.

Hands-on Labs

Lab 11: Maintenance and Performance
Estimated time to complete this lab: 45 minutes
