Best Practices Guide for Firewall Suite Implementation


This article applies to:

  • Firewall Suite

Information:

Preface:

There are no substitutes for the Firewall Suite product manual. Manuals may be found online at the following address:

https://support.trustwave.com/Firewall-Suite/documentation.asp

The Trustwave Knowledgebase is also a valuable resource:

https://www.trustwave.com/kb

Prior to Installation:

Prior to installation it is recommended that the following items be ready so that the installation and implementation proceed quickly and smoothly.

  • A dedicated representative from your organization should be identified to be the Firewall Suite administrator. This individual will be dedicated to the implementation and will maintain the system after such implementation.

  • A current copy of Firewall Suite software and serial number license should be obtained. Confirm that the correct version of the software has been received for your operating system.

  • Licenses for the server add-ons should also be obtained, if applicable. This is needed to be able to analyze log files from more than one web server.

  • Recommended hardware is to be configured. Please refer to the Systems Requirements documentation.

  • Determine how log files are to be accessed from the machine upon which Firewall Suite is installed (i.e. via local, FTP, or network access).

    • If log files are to be accessed via FTP, ensure that the FTP server name, as well as the user name and password, are known.

    • If log files are to be accessed through a UNC path, a Windows NT service account for Firewall Suite should be created. The account must have access to the log files if they are stored on the network, it must be a member of the local machine's Administrators group, and it needs the following rights: log on as a service, act as part of the operating system, and log on locally. WebTrends strongly recommends that the account be a domain account.

    • Have access to any needed passwords so that, if the Firewall Suite administrator is unavailable, the box upon which Firewall Suite is to be installed may be rebooted.


System Configuration:

  • It is highly recommended that the Firewall Suite software be installed on a dedicated reporting machine. Log analysis is very resource intensive.

  • Firewall Suite analysis tools are designed to FULLY utilize all system resources. Fast processors and lots of RAM are recommended.

  • By default, Windows NT/2000 will automatically adjust the machine's virtual memory settings to only 11 MB above the physical RAM available. This is done so that the operating system will load faster, not having to cache on the disk. This will work for Windows, but is not efficient for most other memory intensive software. The following formula works very well for most applications:

      RAM x 2 for Minimum Paging File Size

      RAM x 3 for Maximum Paging File Size

    Exceeding the formula indicated above does not seem to have much effect. In fact, it tends to slow processes down: anything more than three times the physical RAM seems only to increase the amount of time required to run reports. Having said this, please note that the virtual memory setting is meaningless if there is not at least as much free space available on the hard drive where the operating system is being asked to swap.


Log Files:

Accessing Log Files:

Firewall Suite can access log files through a number of different methods.

  • UNC - Universal Naming Convention or Uniform Naming Convention, a Windows format for specifying the location of resources on a local area network (LAN). UNC uses the following format:

      \\server_name\shared_resource_pathname

    UNC access is always the best choice. When using UNC file access, log files in an ASCII format can be read directly from the location of the logs. There is no need to transfer the entire log to the WebTrends machine.

    Note: If the log files are in a compressed format (.zip, .gz), the log file will be transferred to the WebTrends machine where the file will be uncompressed and then processed.

  • FTP - Firewall Suite has a built-in FTP client. This allows Firewall Suite to access log files from a hosted environment. One downside to accessing log files using FTP is that the entire log file must be transferred to the Firewall Suite machine before analysis can begin.

    Note: Marshal does not recommend that log files be accessed using an administrative share (example, \\server-name\c$) or through a mapped drive.

    Note: When using wildcards in a log file path, Firewall Suite will open every log file to determine whether or not the log file has already been analyzed. When using compressed logs this will cause longer processing times and will require much more disk space. After all historical data has been collected, it is highly recommended that the log path be modified to use Date Macros. See the following link for details on the use of Date Macros:

      Q10272: How do I configure date macros?


Log File Management:

There are a few things to consider when developing a log file management procedure.

  • Log File Rotation. Marshal recommends that customers rotate their log files on a daily basis.

  • Log File Storage. The length of time that log files are stored is something that needs to be determined by each hosting company. The main aspect to consider is disk space. Trustwave recommends the following structure:

    \logfiles\OneWeek     Stores logs for the current week, unzipped.
    \logfiles\OneMonth    Stores logs for the current month, unzipped.
    \logfiles\SixMonths   Stores logs for the last six months, zipped.
    \logfiles\Year        Stores logs for the current year, zipped.

    All compressed log files will be uncompressed within the directory in which Firewall Suite is installed. Make sure that there is plenty of hard disk space available to handle the uncompressed log files.




Simultaneous Analysis:

  • Marshal recommends that one profile per processor be run. If the Firewall Suite system is a 4 or 8 processor machine, then Trustwave recommends reserving one processor for the GUI. For example, if the system has 8 processors, set the simultaneous analysis to 7. This will reserve one processor for the interface. Memory (RAM) is also a factor. If the Firewall Suite machine has 2 gigabytes of RAM or less, it is recommended that you limit the number of simultaneous processes to 2.




Notes:

Firewall and proxy analysis is a very complicated process. Understanding who needs the reports, what he or she expects to see, and what it takes to successfully deliver on these needs is something every Firewall Suite customer should have a solid understanding of before committing to the task. The purpose of this document is to provide a few of the "Best Practices" that Firewall Suite customers and support staff have identified and refined along the road to success.

This article was previously published as:
NETIQKB1879

Last Modified 4/13/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10017.aspx