January 2019 – indepthtechnology

Auto scaling makes our environment has desired capacity of EC2 isntances when it is needed.
Autoscale supports only horizontal scaling
If auto scaling finds unhealthy instances it is replaced with new instances by terminating the old instance.
Auto scaling service is free. How ever instances launched by auto scaling is chargeable.
Auto Scaling Group:
1. It is a group of EC2 instances which participates in the auto scaling. This group contains Minimum: Minimum number of isntances this group must contain always. Maximum: Maximum number of isntances that can participate in auto scaling. Desired: Is decided at runtime, based on the scaling policies
Note: We can use auto scaling with fixed group size
Launch Configuration: It is a template used by auto scaling for launching new isntances
Launch configuration contains:
1. AMI
2. Instance Type
3. EBS volume
4. Security Group
5. IAM role
6. SSH key pair.
Note: We cannot update launch configuration, we only can configure new one and attach to Auto scaling group

Checkpoint CoreXL: Part-1

January 13, 2019January 13, 2019 Raghavendra Seshumurthy

CoreXL is a performance-enhancing technology for Security Gateways on platforms with multiple CPU cores.
CoreXL enhances Security Gateway performance by enabling the processing CPU cores to concurrently perform multiple tasks.
CoreXL is introduced first in for the version R65 and Linux kernel 2.6.

Packet process steps before coreXL:
When a packet is coming into the CPU1 , it will run FW code.
The first step is to lock the firewall code
Once firewall code is locked it process the packet through fwchain_do
Once the packet is processed by a firewall it will unlock the CPU and forward the packet
the whole cycle is repeated all over again when another packet comes in.
The concern here is we have only one firewall code and only one packet can be processed by a firewall CPU and to process another packet existing FW code process should complete.
To better understand let’s consider we have two CPU’s as mentioned below.
When the first packet reaches CPU1 FW code gets locked and then firewall process the packet and now if the second packet comes to the CPU0, it will not be able to process it until FW code process complete for CPU1.
To overcome this issue Checkpoint introduced two components.
1. Firewall Kernal instances
2. Dispatcher
As you can see in the above diagram both firewall kernel instances will have the same policy (FW code).
Now two packets can process at the same time by firewall instances.
Checkpoint introduced dispatcher which will take a decision where the packet needs to send whether CPU-1 or CPU-0. A dispatcher will run on a separate CPU instance.
The advantage of CoreXL is parallel cores executing code simultaneously at the same time. An example is mentioned below.
Dispatcher acts as a load balancer to distribute the traffic across multiple firewall instances.
Global dispatch table forwards the traffic to right core instance. If the packet is received by the wrong FW instance then you will see out of state errors.

Gartner magic quadrant for cloud infrastructure as a service:

January 6, 2019 Raghavendra Seshumurthy

Source: Gartner

magic-qua-cloud

Gartner magic quadrant for enterprise network firewalls:

January 6, 2019 Raghavendra Seshumurthy

Source: Gartner (October-2018)

magic-quadrant

Checkpoint Basic Troubleshooting Commands –Part-1

January 6, 2019 Raghavendra Seshumurthy

1.cpstat os — Gives the information about operating system details (Gaia or Splat)
2. cpwd_admin list — To verify checkpoint services
3. cpstat os -f inconfig –> To verify interface details including address, MTU, Mac address etc..

cp-6

4. fw getifs –> To view interace, IP and subnet details

cp-7

5. show configuration interface –> To view interface, IP, Vlan and speed details
6. cp_conf sic state –> verify the sic status

cp-8

7. fw ctl pstat –> Verify the sync interface, connections, Fragments, NAT etc..

cp-9

AWS EC2 Instances

January 5, 2019January 18, 2019 Raghavendra Seshumurthy

EC2 Instances:

On-demand instances
Reserved instances
Spot instances
Dedicated hosts
Scheduled instances

On-demand instances:

These instances are chanrged per hour basis.
When instances are not running, there are no charges.
Even if instance is stopped, bill counts for EBS volumes attached to the instance.
Use this instance type when we need instances for short duration (1 day, 1week, one month.

Reserved Instances:

We can reserve instances either one or three years.
The advantage of reserved instance is we can save up to 70% of the cost when compared with ondemand instances
Once reserved purchase is done, there is no option to terminate the contract, only option is to sell it over AWS marketplace
Reserved instance payment options: All upfront, Partial upfront and no upfront.
AWS billing automatically applies discovered rates when you launch an instance that matches your purchanges RI.
EC2 Reserved instance has three types.
1. Standard
2. Convertible
3. Scheduled.
RI’s can be shared across multiple accounts with in consolidated billing.

Spot Instances:

Amazon EC2 spot instances allow you to bid on spare Amazon EC2 computing capacity for up to 90% off the on-demand price
Spot instances are excess EC2 capacity that AWS tries to sell on an market exchange basis.
Customer defines highest willing to pay for instance. If capacity is constrained and others are willing to pay more, your instance might get terminated or stopped.
For “one time request”, instance is terminated and ephermal data is lost.
For “reqeust and maintain”, instance can be configured to terminate, hybernate or stop until price point can be met again.

Dedicated Hosts:

A dedicated host is a phsyical EC2 server dedicated to your use.
Dedicated hosts can help you reduce costs by allowing you to use your existing server-boud software license, including windows server, SQL server, SUSE linux etc.

Scheduled instances:

We can buy instances based on your schedule.
Example: if you need servers on daily, weekly, monthly basis and in dedicated hours for example: 4 to 5 hours per day, then you can go for scheduled instances.

Checkpoint-Memoryleak-Issues-due to VMalloc

January 5, 2019January 5, 2019 Raghavendra Seshumurthy

Issue: Unable to push policy to Checkpoint firewalls

Cause: memory leak issue

Symptom:

Firewallname> kernel: allocation failed: out of vmalloc space – use vmalloc=<size> to increase size

<Firewallname> kernel: printk: 29 messages suppressed.

<Firewallname> kernel: allocation failed: out of vmalloc space – use vmalloc=<size> to increase size

<Firewallname> kernel: [fw_0];FW-1: h_getvals: fw_kmalloc (92962728) failed

<Firewallname> kernel: [fw_0];FW-1: h_getvals: fw_kmalloc (93068568) failed

Resolution:

Login to standby firewall
Take a backup of /boot/grub/grub.conf
Modify the vmalloc value from 256M to 512M or 768M for normal mode

Using VI editor

Save the file using Esc+Shift+:
Reboot the standby firewall
Once standby firewall is up, verify the cluster status using

Cphaprob stat

If cluster status is in active and standby
Failover the traffic to rebooted device using below command

Clustexl_admin down

Perform same procedure from 1 to 7.
Failover the traffic back to original active device

AWS Security Group Characteristics:

January 4, 2019 Raghavendra Seshumurthy

Security group characteristics:

Every EC2 instance must have at least one security group.
The same security group can be associated with multiple EC2 instances.
Every EC2 instance can have max 5 security groups
A security group has both inbound and outbound rules
Security groups are stateful
If traffic is initiated from the internet, traffic is validated by inbound rules of security groups.
If traffic is initiated from EC2, his traffic is validated by outbound rules of security groups.
When we update rule under security group, it takes effect immediately.
Security group does not have explicit allow/deny, rules we add are allowed and others are implicitly denied.