F5 IPSec Tunnel Causing Traffic Issues

This is a real life sample alert from indeni for F5 Load Balancing Methods


Some of the F5 IPsec tunnels have multiple security associations negotiated for them. This may result in traffic issues.

Affected Tunnels:

Tunnel to

Manual Remediation Steps:

Review SOL14646.

How does this alert work?

indeni uses the various “show /net ipsec” commands to track the IPsec tunnels.

Palo Alto Networks Proxy Session Pool Low

This is a real life sample alert from our indeni alert guide for Palo Alto Networks Firewall.


The Proxy Session pool is low – of 1024 possible entries, 971 are being used. This is 95%.

Manual Remediation Steps:

Contact your Palo Alto Networks technical support provider to identify what should be done prior to the pool being completely utilized. Also read HTTPS traffic suddenly blocked.

How does this alert work?

indeni regularly runs “debug dataplane pool statistics” and tracks pool usage.

Comparing Check Point’s SmartEvent and SmartReporter vs indeni

Check Point’s SmartEvent and SmartReporter blades have made quite some progress over the last two years. The database used for collecting log data has been made more robust and querying capabilities have been expanded.

As we sometimes get asked how indeni compares with these two software blades, I thought I’d spend the time to share our thoughts.

If you read the product datasheets available at the links above, or use it live in your environment, you will notice that both blades focus on security log data. Essentially: how do you identify when there is a threat, where it is and how to stop it? This is very much in line with what customers have been using tools such as HP’s ArcSight for. These are known as Security Information & Event Management (SIEM) solutions.

indeni is generally not focused on identifying security incidents, threats and attacks. Instead, it is an operational tool focused on ensuring the health of various devices, including enterprise network firewalls such as Check Point firewalls. Utilizing SmartEvent and SmartReporter in tandem with indeni will ensure you have both layers of visibility – the health of your security infrastructure as well as what security risks you are dealing with.

For more information, please read the official Check Point and indeni solution brief. You can also go ahead and set up indeni in your environment; it takes just 45 minutes.

Try indeni for free for 15 days and see what lurks in your network.



Gartner’s Magic Quadrant Enterprise Firewall Comparison

DISCLAIMER: indeni has no specific bias towards one manufacturer or the other, but please keep in mind indeni currently supports firewalls made by Cisco, Check Point, Fortinet, Juniper and Palo Alto Networks.

Gartner has just released its magic quadrant for Enterprise Network Firewalls. Two leaders were identified – Check Point (CHKP) and Palo Alto Networks (PANW) – congratulations to both!! You can access reprints via Check Point’s website as well as Palo Alto Networks’ website.

It is very interesting to read this report as much of it correlates highly with what we’re seeing in the market through indeni Insight as well as our own sales and marketing efforts. Kudos to Gartner, and specifically Adam Hils, Greg Young and Jeremy D’Hoinne, for doing a great job here.

Here are our insights:

  • Cisco is not labeled a leader by Gartner due to execution on the product side but we definitely see it as one of the top three by market share. Almost every customer we interact with has some Cisco ASAs, where some customers are entirely Cisco ASA based. We do see, though, that such customers’ functionality requirements from their firewalls are minimal as they either don’t put much focus on security or they augment the Cisco ASAs with other security products (Sourcefire, FireEye, etc.). Cisco has the largest channel and is the most established manufacturer in the market. As a result they have the most leverage and ability to get into specific customers.


  • Check Point is indeed one of the leaders on functionality. The set of different security functions that a Check Point firewall has is enormous. Some of these are a result of acquisitions, some developed in-house. There is a lot of effort on Check Point’s side to integrate these functions into a single management interface (and R80 is part of this). However, we do see users getting overwhelmed with the number of functions and with keeping up with their configurations. Almost every single multi-billion-dollar company we speak with, and many smaller organizations, use Check Point across at least part of their network. Price has been mentioned by customers repeatedly as an issue. Price sensitivity is less common in Fortune 500 but more common in smaller organizations or ones outside of the US (the majority of the market). Usually it is coupled with a lesser need for top-notch security. The note Gartner made regarding under-sizing appliances is something we’ve seen as well. Check Point is making efforts to deal with this with tools such as CPsizeme but it looks like undersizing is indeed occurring to reduce price. That is resulting in some frustration with customers.


  • Fortinet is a strong vendor in this market too. We see Fortinet a lot more in environments where there is either price-sensitivity or high performance requirements. This means that Fortune 500 (which are all US-based) tend to choose Fortinet less as they aren’t as price sensitive. We do see Fortinet quite a bit in smaller organizations as well as quite heavily outside the US (where price sensitivity is a real issue). Fortinet’s high-performance gear is a big attraction for enterprises with extremely large amounts of traffic. Their larger chassis can support unusually high amounts of traffic, however mostly when a smaller set of features is enabled. This is a great fit for data centers as most security functions are deployed outside of the core, leaving the Fortinet chassis to focus on firewalling, switching/routing and basic security functions.




  • Juniper has its old line of SSGs/ISGs and the newer SRX line. While we see the SSGs quite often, because in reality they very rarely fail and no one sees a reason to replace them, the SRXs should be the focus of this analysis. JunOS-running SRXs are mostly deployed in smaller environments because, in our experience, SRXs are considered a simpler firewall. Across the board, anyone who has ever used JunOS loves it. It’s easy to use and highly responsive. Customers are showing real concern around Juniper’s roadmap for security devices. While the other vendors are increasingly promoting new features, Juniper is quite silent on these. As a result, customers who are seeking security innovation are looking at alternatives. Moreover, Juniper’s SSL VPN was once the best perceived SSL VPN product, but the recent divestment is causing customers to see the end of the road for it and consider firewalls’ support for SSL VPN as a replacement.


  • Palo Alto Networks is the fastest growing vendor in this space. Their marketing machine is the best across the vendors we are familiar with – measured by the number of customers we interact with which are discussing Palo Alto Networks’ offering (even if they are not users yet). With a whole range of features offered, most customers are still at the firewall/App-ID/User-ID level. Wider deployment of the other features isn’t mainstream yet. Customers are generally very positive towards the additional security features provided by Palo Alto Networks’ firewalls. A very interesting situation we’ve noticed is that Palo Alto Networks’ customers love them and show far more appreciation to them as a manufacturer than others. Palo Alto Networks is putting a lot of emphasis on the end-user experience – through their online marketing, field marketing, channel, field sales and support services, in addition to the product itself – and it is paying off. This is resulting in cases where even though multiple solutions were comparable, customers chose Palo Alto Networks as they were drawn to them. Keep in mind that this is supported by a solid security product.

Throughout the report Gartner mentions issues around quality and support services provided by some of the manufacturers. In reality – all of the customers we speak with complain about this across all product lines. They feel that vendors are working day and night to push out new functionality and keep up with their competitors, while at the same time disregarding quality and making the products far more complicated to operate and keep stable. Our recommendation to the vendors is to take this note very carefully and close to heart as the current trend in quality/complexity issues is taking the entire industry in a problematic direction.

Comments are very welcome, please share your thoughts below.

F5 SIP might have issues in the current software version

This is a real life sample alert from indeni


indeni has determined that SIP profile is being used with 11.1.0 on this device.

Manual Remediation Steps:

Review SOL16411 and consider upgrading.

How does this alert work?

indeni analyzes the configuration to see if SIP profiles are used with the specific software versions that are affected by this issue.

High Memory Usage: FWM Process – Check Point Firewall Alerts

This is a real life sample alert from the indeni Check Point Firewall guide to alerts.

Alert Description:

The memory usage in the operating system is higher than the high threshold. It is now at 92.0%. Review the list of processes below. If possible disable device functions which are not required.
fwm (SmartCenter and Management-related Functionality) with 6.7 percent memory usage.
fwm (SmartCenter and Management-related Functionality) with 5.5 percent memory usage.
fwm (SmartCenter and Management-related Functionality) with 9.9 percent memory usage.
fwm (SmartCenter and Management-related Functionality) with 5.6 percent memory usage.
fwm (SmartCenter and Management-related Functionality) with 5.7 percent memory usage.
fwm (SmartCenter and Management-related Functionality) with 15.6 percent memory usage.
fwm (SmartCenter and Management-related Functionality) with 6.1 percent memory usage.
fwm (SmartCenter and Management-related Functionality) with 9.3 percent memory usage.

Manual Remediation Steps:

It appears there are many “fwm” processes in the list above. Each “fwm” process represents a CMA or domain. Consider upgrading to a device with more RAM.

How does this alert work?

indeni tracks the CPU and memory usage of each process. When there are known patterns, such as multiple fwm processes, the correct manual remediation steps are presented.

Gold Standard Configuration for Network Devices


Network and security teams in large enterprises spend quite a bit of time defining their “Gold Standard Configuration” for network devices – a checklist of how all of their devices should be configured. Some of the items on the checklist are operational (what hotfix you have installed) while some are for compliance (which users are defined). Either way, it’s apparently very difficult to stay on top of this checklist without indeni, as we’ve discovered from our customers. Items on the list include things like:

  • Software version in use – enterprises try to standardize on certain versions to reduce unexpected events and increase usability (if all of the devices made by a given manufacturer behave the same, it’s easier to manage them). In some cases, they even standardize on certain hotfixes.
  • OS-level settings: users defined, SNMP monitoring and syslog servers, authentication settings, NTP, etc.
  • Hardening: what ports and services are open/accessible.

So, how do we see organizations enforce their Gold Standard Configuration for their network devices?

  1. They write a long Word or Excel document and share it within the team hoping someone will use it.
  2. They write scripts that test some aspects of the gold config. Usually these scripts are written as a hobby and so aren’t maintained very well.
  3. They use tools like SolarWinds’s Orion NCM or TripWire, spending years of their life tuning those tools to look for certain configurations only to need to re-do all that once the product manufacturer decides to release the next major version.

indeni is here to make your life better:

Our software contains a layer that translates the output of queries into structured data. We call this “measurements” internally, but essentially each setting for each device is represented in a database in a manner that is completely agnostic to how it’s represented in the device’s own config files. So, for example, the settings for which NTP server to use appear similar to this for Cisco, Check Point firewalls, F5 load balancers and Palo Alto Networks firewalls alike:
{measurement: ntp_server, host: pool.ntp.org, version: 3}

So, that means that all you need to do is tell indeni what the NTP server needs to be, and indeni will regularly check the configuration 24/7/365 of all of your devices (or a group of them) irrespective of the manufacturer of those devices or the software they’re running. When the configuration doesn’t match your gold config, you’ll get an alert as well as see it on a weekly or monthly report. Saving you weeks of your life, every, single, year.
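As an added illustration (not indeni's code), the sketch below normalizes NTP settings from two config dialects into measurement records like the one above and reports each device that drifts from a gold value. The device names, sample configs and function names are constructed for this example.

```python
import re

# Constructed sample configs; device names and addresses are made up.
CONFIGS = {
    "cisco-rtr-1": ("cisco", "hostname rtr1\nntp server 192.0.2.10\nntp server pool.ntp.org\n"),
    "cp-gw-1": ("checkpoint", "set ntp active on\nset ntp server primary pool.ntp.org version 3\n"),
    "cp-gw-2": ("checkpoint", "set ntp active on\n"),  # NTP enabled, no server set
}

# Per-vendor patterns that pull the NTP server out of each config dialect.
NTP_PATTERNS = {
    "cisco": re.compile(r"^ntp server (\S+)", re.M),
    "checkpoint": re.compile(r"^set ntp server (?:primary|secondary) (\S+)", re.M),
}

GOLD_NTP = {"pool.ntp.org"}  # assumed gold value for this example


def normalize(vendor, config_text):
    """Translate vendor config text into vendor-agnostic measurement dicts."""
    return [{"measurement": "ntp_server", "host": host}
            for host in NTP_PATTERNS[vendor].findall(config_text)]


def check_gold(gold, configs):
    """Return {device: [findings]} for devices that deviate from the gold set."""
    report = {}
    for device, (vendor, text) in configs.items():
        actual = {m["host"] for m in normalize(vendor, text)}
        findings = [f"missing ntp_server {h}" for h in sorted(gold - actual)]
        findings += [f"unexpected ntp_server {h}" for h in sorted(actual - gold)]
        if findings:
            report[device] = findings
    return report


if __name__ == "__main__":
    for device, findings in check_gold(GOLD_NTP, CONFIGS).items():
        print(device, findings)
```

Because the comparison runs on the normalized records, adding another vendor only means adding a pattern; the gold check itself does not change.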



Palo Alto Networks FQDN Resolution Failures

This is a real life sample alert from indeni from our Palo Alto Networks Firewall Alert Guide


There are certain FQDN’s set but the Palo Alto Networks device cannot successfully resolve them.



Unresolveable FQDNs:

Manual Remediation Steps:

Review your DNS settings and the reason for the failure in resolution. Review DOC-5943.

How does this alert work?

indeni regularly runs “request system fqdn show” and looks for failures.

Tuesday And Wednesday Are The Busiest For NetOps/SecOps Teams

Network operations and security operations teams generally work around the clock. However, there are days and times they are clearly busier. Below is a graph that analyzes all of the alerts indeni generated for our customers (those connected to indeni Insight) over the course of Mar 9th 2015 to Apr 5th 2015, according to the day of the week they were generated. At the time of writing of this blog post (Apr 7th, 2015), it was clear that Tuesday and Wednesday are the busiest days. It will be interesting to see if this changes over time, which it probably shouldn’t. To get up-to-date results, click on the image itself.

The rationale behind claiming that the days with the most alerts are the busiest is that a big portion of the alerts issued by indeni are in direct response to a configuration change. Remember – our job is to analyze configurations as they change and alert when we find possible issues in them.