Hi,

Before switching to a hardened Linux with iptables, I'll still try asking here about a problem with CP. So far I haven't found answers on the internet; on the CheckPoint website there are some, but I have to pay to read them, and I dislike that very much.
By the way, are there other advantages in using Linux with iptables vs CP besides the price (Linux and iptables are free [both as in beer and as in speech]), the security (Linux and iptables have sources that I can inspect and also read if I lack docs, like in this case), and the performance (iptables doesn't have limitations like this one of the connection table of CP)?

I manage a CP-FW-1 FP3 2-node cluster with IPSO 3.6-FCS7 releng 1061 04.13.2003-022000 i386. With the default limit of 25000 connections, I get many of these in syslog:

Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: FW-1: A new connection has been detected but cannot be added to
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: the connections table.
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: The connection table may be at full capacity.
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: Please increase the connection table limit.

For now I changed Policy > Global Properties > Stateful Inspection, reducing the TCP session timeout from 7200 to 3600, and in Gateway Cluster Properties - gnmccp > Capacity Optimization I increased the concurrent connections from 25000 (default) to 30000; I saw that the Memory pool size has grown from 10 MB to 12 MB and the Maximum memory pool size from 40 MB to 48 MB.
The errors have disappeared from the syslog, and then I checked the load and the memory of the active node, and it seems OK:

gnmccp001[admin]# uptime
 2:54PM  up 287 days, 10:23, 1 user, load averages: 0.61, 0.61, 0.57

gnmccp001[admin]# vmstat 10 10
 procs   memory        page                    disks     faults      cpu
 r b w   avm    fre   flt re pi po fr sr   w0 w1   in   sy   cs  us sy id
 0 0 0 406728 25948    2  0  0  0  8  3    0  2   159   23   22   3 27 70
 0 0 0 401336 25948    1  0  0  0  0  0    0  0  1237  321   16   0  1 98
 0 0 0 397616 25948    1  0  0  0  0  0    0  1  1207  461   16   0  2 98
 1 0 0 401500 25948    1  0  0  0  1  0    0  0  1239  400   17   0  2 98
 0 0 0 401500 25948    1  0  0  0  0  0    0  0  1218  300   15   0  1 99
 0 0 0 397616 25948    1  0  0  0  0  0    0  0  1359  308   15   0  3 97
 0 0 0 403008 25940    1  0  0  0 10  0    0  0  1255 2526   19   0  3 97
 0 0 0 403008 25940    1  0  0  0  0  0    0  0  1243  354   16   0  2 98
 0 0 0 403008 25940    1  0  0  0  0  0    0  1  1266  430   16   0  2 98
 0 0 0 401500 25940    1  0  0  0  1  0    0  0  1311  455   18   0  2 97

gnmccp001[admin]# swapinfo
Device      1K-blocks     Used    Avail Capacity  Type
/dev/wd0b     1048576   172672   875840    16%    Interleaved

Is there anything else or better that I can do and read to understand this trouble?

Best regards,
Andrea Ferraris
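Added example, not part of the original post: a small Python monitor for the four-line FW-1 "connections table" message quoted above. It counts only the first line of each message, so one dropped connection is one event rather than four, and it flags any minute in which the per-host count reaches a threshold (the threshold and the sample lines after 01:16:41 are constructed assumptions, not from the post).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog excerpt, in the format quoted in the post.
# The 01:16:41, 01:17:02 and 02:05:10 lines are made up for the example.
SAMPLE_SYSLOG = """\
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: FW-1: A new connection has been detected but cannot be added to
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: the connections table.
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: The connection table may be at full capacity.
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: Please increase the connection table limit.
Jul 23 01:16:41 gnmccp001 [LOG_CRIT] kernel: FW-1: A new connection has been detected but cannot be added to
Jul 23 01:16:41 gnmccp001 [LOG_CRIT] kernel: the connections table.
Jul 23 01:16:41 gnmccp001 [LOG_CRIT] kernel: The connection table may be at full capacity.
Jul 23 01:16:41 gnmccp001 [LOG_CRIT] kernel: Please increase the connection table limit.
Jul 23 01:17:02 gnmccp001 [LOG_INFO] kernel: some unrelated message
Jul 23 02:05:10 gnmccp001 [LOG_CRIT] kernel: FW-1: A new connection has been detected but cannot be added to
Jul 23 02:05:10 gnmccp001 [LOG_CRIT] kernel: the connections table.
"""

# BSD-style syslog line: "Mon dd HH:MM:SS host [LEVEL] message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# Only the first of the four lines identifies a new event.
TABLE_FULL_MARKER = "FW-1: A new connection has been detected but cannot be added to"

def table_full_events(text, year=2003):
    """Return [(host, timestamp)] for each connection-table-full event.
    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or TABLE_FULL_MARKER not in m["msg"]:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((m["host"], ts))
    return events

def events_per_minute(events):
    """Bucket events by (host, minute) so bursts are visible."""
    counts = defaultdict(int)
    for host, ts in events:
        counts[(host, ts.replace(second=0))] += 1
    return dict(counts)

def alerts(events, threshold=2):
    """(host, minute) buckets at or above the threshold; threshold is an assumed value."""
    return sorted(k for k, n in events_per_minute(events).items() if n >= threshold)

if __name__ == "__main__":
    for host, minute in alerts(table_full_events(SAMPLE_SYSLOG)):
        print(f"{host}: connection table full {minute:%b %d %H:%M}, check Capacity Optimization limit")
```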
