Firewall Wizards mailing list archives

In search of Firewalls KPIs


From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Thu, 19 Aug 2010 00:45:54 -0500

I am in search of the essential KPIs to be monitored for Juniper Netscreen Firewalls. After the identification of these KPIs,
I want to go ahead for capacity planning & performance optimization of these firewalls. Any piece of advice will help!

Saumitra,

KPIs are metrics. Good metrics should be Specific, Measurable,
Actionable, Relevant, and Timely (SMART people call it).
A simple way of looking at firewall metrics is by placing them into
environmental, operational and strategic categories.

Environmental measurements deal with power/cooling consumption, rack
footprint, cabling/media, location, power sources, etc.

Operational stats deal with capacity
(disk/CPU/states/licenses/interface queues), performance
(pps/drops/sessions/logging),
errors (interface/fw denies/routing), rates of change for rule
management, traffic flows/volume, admin logins, trouble tickets.

Strategic focus on the architecture - environments/rules/objects per
firewall, count and types of environments, capacity to process
traffic and accept new rules (licenses/interfaces), amount of
troubleshooting and rework, sw/hw lifecycle information, etc.

Each of the bins may measure similar information, but the resolution
or ratios may be different. For example, from an operational
point of view, I may want to know how many trouble tickets were opened
in the last hour, and last 5 minutes. When working on
the strategic plan, I will look for the number of tickets following
scheduled and unscheduled changes, total ticket counts, rework,
time to resolve and no. and type of SMEs required to close tickets.

Once you have the categories full of ideas for metrics, see if they
fit the SMART mantra. For example, the temperature of 30
CPUs is not very useful. A trend is better, but still does not tell
you whether the machine is busy, or overheating. A ratio of
current temperature to baseline is better, especially if connected to
some form of load indicator. High load, cold CPU is not good.
Similarly, hot CPU on idle firewall indicates some kind of work is
being done that you may not be aware of.

Once the metrics look to be specific and actionable and..., find out
5-7 questions that people who want to know what firewalls do
really want answered. These will be simple (no. of sessions) or very
complex (soft and hard cost of rule addition in the X regulated
environment). These will be your KPIs - they are supposed to show your
progress or contribution to the company's strategic goals.

If you are faced with a much simpler case, with a few firewalls and few
environments, the same rules apply.
- measure trivial counters: CPU, memory, states, flows/bytes, denies,
loglines. Establish a baseline.
- classify objects by importance, label according to internal grouping.
- collect data from change control/ticketing system

- ask questions, see if there are numbers required to answer them.
"What is the cost of adding a new network", "at what percentage
of known max are we currently running", "what causes the largest rate
of denied connections", "how often the cluster's master node changes".
- translate the question in terms of the gathered data.

--
Marcin Antkiewicz
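
The temperature-to-baseline ratio tied to a load indicator, as described in the message above, shown as an added example that is not part of the original post. The sample values, the thresholds and the function names are constructed assumptions.

```python
from statistics import median

# Constructed samples: (cpu_temp_celsius, cpu_load_percent) per poll in a normal week.
BASELINE_WINDOW = [(48, 20), (50, 25), (49, 22), (51, 24), (50, 21)]

# Assumed thresholds, expressed as ratios of the current value to the baseline.
HOT_RATIO = 1.15   # temperature 15% above baseline counts as hot
BUSY_RATIO = 1.5   # load 50% above baseline counts as busy


def baseline(samples):
    """Median temperature and load; the median resists one-off spikes."""
    temps = [t for t, _ in samples]
    loads = [l for _, l in samples]
    return median(temps), median(loads)


def classify(sample, base):
    """Return (verdict, temp_ratio, load_ratio) for one (temp, load) sample."""
    temp_ratio = sample[0] / base[0]
    load_ratio = sample[1] / base[1]
    hot = temp_ratio >= HOT_RATIO
    busy = load_ratio >= BUSY_RATIO
    if busy and hot:
        verdict = "busy, as expected"
    elif busy:
        verdict = "investigate: high load, cold CPU"
    elif hot:
        verdict = "investigate: hot CPU on idle firewall"
    else:
        verdict = "normal"
    return verdict, round(temp_ratio, 2), round(load_ratio, 2)


if __name__ == "__main__":
    base = baseline(BASELINE_WINDOW)
    for sample in [(52, 24), (66, 70), (51, 80), (65, 18)]:  # constructed
        print(sample, classify(sample, base))
```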