Support Center > Search Results > SecureKnowledge Details
SmartEvent Performance Tuning Guide
Symptoms
  • SmartEvent UI is slow to respond to queries.
  • Delay in seeing new events in SmartEvent (last 12h/24h queries return few or no new events).
Solution

There are several tuning options available for maximizing your SmartEvent systems performance. The key points of this process:

  1. Making sure your relevant event data is cached and fits in RAM.
  2. Tuning the server to only work on your needs.
  3. Using the latest code and patches available for performance.

For Smart-1 appliances - Before you begin, please read the information in the Smart-1 Appliances page, and make sure your device is properly sized for the scale of the data you generate.

Improvements:

  1. Version - Check Point has made many improvements in SmartEvent performance in R75.40 and R75.45. Make sure you upgrade your SmartEvent server to the latest version available.
    Also note that SmartEvent can be run in a newer version than your Security Management, if not running on the same H/W.
    For R75.40 users - refer to sk74380 for performance updates relating to R75.40.
  2. SmartReporter - The SmartReporter blade consumes a fair amount of system resources and is only needed for creating consolidated Firewall blade log reports. If you use SmartEvent for reporting on non-Firewall blade activity, you should leave SmartReporter off. If you do need to run SmartReporter reports, consider separating H/W between SmartEvent and SmartReporter.
  3. RAM - The first and most important factor in UI responsiveness is the amount of RAM available on your SmartEvent server. More RAM allows for caching more event data, reducing disk access time and significantly speeding up queries.
    Make sure you have 4GB for every 250K events generated per day. For example: If you are generating 1M events daily, we recommend you use 16GB of RAM at least.
    Note that for utilizing your extra RAM, it is recommended to run Gaia OS 64bit.

 

Advanced Tuning:

  1. Deployment (non Multi-Domain): SmartEvent correlation unit runs best when installed on your Log Server machine. In case they are distributed, make sure the SmartEvent correlation unit runs on the Log Server machine (rather than on the SmartEvent server machine):
    1. Open SmartDashboard.
    2. Open your Log Server network object and check the SmartEvent Correlation Unit.
    3. Save.
    4. Open SmartEvent.
    5. In 'Policy tab > Correlation Units', update your Correlation Unit definitions.
    6. Install Event Policy on the new Correlation Unit object.
  2. Scheduled reports: SmartEvent comes pre-configured with several Blade reports on a daily/weekly/monthly schedule. If you do not need any of these, make sure you disable their generation, as even for unused blades, the scheduled reports will consume some system resources. This can be done under the SmartEvent Reports tab: choose the report, click Manage -> Schedule and uncheck the “Active” checkbox.
  3. Overview: The overview information shows diverse information about your events by running continuous data queries. Disable any views you don’t need (by closing specific panes) and/or reduce the timeframe of views to reduce the load on the events database. You will have to run evstop/evstart for changes to your performance to take effect.
  4. Event management:

    1. Identity Awareness - If you have upgraded SmartEvent from a pre-R75.20 version, your Identity Awareness events will have been turned on, by default. Turning them off will greatly speed up your overall event processing rates, and you will still be able to see user names on your other events (this disables login/logout events only).
    2. IPS - Tune your IPS logging by creating exceptions for false-positives, either in SmartDashboard or from the SmartEvent Events tab: Run the IPS -> More -> Exception / Exclusion Candidates query, and for each event group you wish to exclude, right-click and choose "Exclude from event Definition".
    3. Application Control / URL Filtering - Tweaking the update interval for traffic updates on these events, can greatly increase the amount of traffic your SmartEvent server will be able to handle, at the cost of getting delayed traffic information (Byte updates). From the 'SmartEvent Policy tab -> "Applications & URL Filtering" -> Application Activity -> Properties -> Count Logs -> Advanced', change "Update Events Data After" from "0" to "3600". Save as a new event and disable the original one (updates on traffic information will now happen every hour instead of every 10 minutes). Repeat for “Web Browsing” event definition.
    4. Other Events - Disable any events you do not require. In particular any under the "Anomalies" category, as they are resource intensive to generate.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment