First, sorry for my English. Then:
1/ Working With Connections tables
FireWall-1 NG FP3 & up:
1. Login to the SmartDashboard GUI
2. Edit the FireWall-1 module
3. Select the Capacity Optimization tab and modify the value for Capacity Optimization. The default value is 25000.
4. Install the policy
NOTE: Hashsize calculation is the same as in VPN-1/FireWall-1 4.1.
NOTE: To know when to reboot the FireWall-1 machine after a change related to tables, check if the table has the "keep" attribute using: 'fw tab -t table_name'. The "keep" attribute indicates that the FireWall-1 machine does not need to be rebooted.
2/ Knowing the connections table
fw tab -t connections    => show the table
fw tab -t connections -s => show the summary for this table
3/ Knowing the connections table (Symlinks)
The connections table in VPN-1/FireWall-1 NG includes two types of entries:
1. A real connection entry used to store connection related information.
2. Connection symbolic link used to point to a real entry.
The reason for having two types of connection table entries is to help the FireWall-1 kernel locate a specific entry in the table with a single lookup.
Symbolic links are not included (counted) as entries in the Connections table. A size limit of 25,000 for the Connections table means that the table can hold 25000 "real" connections, plus up to 8 symbolic links per connection.
To view the number of symbolic links entries run: fw tab -s
The SLINK field contains the number of symbolic links for each table
Hope it helps. Regards, Aurélien.
FERRARIS Andrea Consultant wrote:
Hi,
Before switching to a hardened Linux with iptables, I'll try asking here first about a problem with CP. So far I haven't found answers on the internet; on the CheckPoint website there are some, but I have to pay to read them and I dislike that very much.
By the way, are there other advantages in using Linux with iptables vs CP besides the price (Linux and iptables are free [both as in beer and as in speech]), the security (Linux and iptables have sources that I can inspect and also read if I lack docs, as in this case), and the performance (iptables doesn't have limitations like this one of the connection table of CP)?
I manage a CP-FW-1 FP3 2 nodes with IPSO 3.6-FCS7 releng 1061 04.13.2003-022000 i386. With the default parameters of the limit of 25000 connections, I get in syslog many:
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: FW-1: A new connection has been detected but cannot be added to
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: the connections table.
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: The connection table may be at full capacity.
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: Please increase the connection table limit.
For now I changed Policy > Global Properties > Stateful Inspection, reducing the TCP session timeout from 7200 to 3600, and in Gateway Cluster Properties - gnmccp > Capacity Optimization I increased the concurrent connections from 25000 (default) to 30000; I saw that the Memory pool size has grown from 10 MB to 12 MB and the Maximum memory pool size from 40 MB to 48 MB. The errors have disappeared from the syslog, and then I checked the load and the memory of the active node and it seems OK:
gnmccp001[admin]# uptime
 2:54PM  up 287 days, 10:23, 1 user, load averages: 0.61, 0.61, 0.57
gnmccp001[admin]# vmstat 10 10
 procs   memory        page                     disks     faults        cpu
 r b w   avm    fre    flt re pi po fr sr w0 w1   in   sy   cs us sy id
 0 0 0 406728  25948    2  0  0  0  8  3  0  2  159   23   22  3 27 70
 0 0 0 401336  25948    1  0  0  0  0  0  0  0 1237  321   16  0  1 98
 0 0 0 397616  25948    1  0  0  0  0  0  0  1 1207  461   16  0  2 98
 1 0 0 401500  25948    1  0  0  0  1  0  0  0 1239  400   17  0  2 98
 0 0 0 401500  25948    1  0  0  0  0  0  0  0 1218  300   15  0  1 99
 0 0 0 397616  25948    1  0  0  0  0  0  0  0 1359  308   15  0  3 97
 0 0 0 403008  25940    1  0  0  0 10  0  0  0 1255 2526   19  0  3 97
 0 0 0 403008  25940    1  0  0  0  0  0  0  0 1243  354   16  0  2 98
 0 0 0 403008  25940    1  0  0  0  0  0  0  1 1266  430   16  0  2 98
 0 0 0 401500  25940    1  0  0  0  1  0  0  0 1311  455   18  0  2 97
gnmccp001[admin]# swapinfo
Device      1K-blocks     Used    Avail Capacity  Type
/dev/wd0b     1048576   172672   875840    16%    Interleaved
Are there other or better things that I can do or read to understand such a problem?
Best regards,
Andrea Ferraris
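A small capacity check written for this thread (added example, not code from either poster or from Check Point): it parses the `fw tab -t connections -s` summary Aurélien points to, compares the current and peak real-entry counts against the Capacity Optimization limit (symbolic links are not counted against it), and counts the kernel "cannot be added to the connections table" bursts Andrea saw in syslog. The summary column layout (HOST NAME ID #VALS #PEAK #SLINKS) and all sample values are assumptions constructed for the example.

```python
import re

# Constructed sample of `fw tab -t connections -s` output; column layout is
# an assumption, the numbers are made up for this example.
FW_TAB_SUMMARY = """\
HOST                  NAME                 ID   #VALS   #PEAK   #SLINKS
localhost             connections        8158   21340   25000     64020
"""

# Constructed syslog lines in the shape quoted in the thread (two bursts).
SYSLOG = """\
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: FW-1: A new connection has been detected but cannot be added to
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: the connections table.
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: The connection table may be at full capacity.
Jul 23 01:16:37 gnmccp001 [LOG_CRIT] kernel: Please increase the connection table limit.
Jul 23 01:17:02 gnmccp001 [LOG_CRIT] kernel: FW-1: A new connection has been detected but cannot be added to
Jul 23 01:17:02 gnmccp001 [LOG_CRIT] kernel: the connections table.
"""

# Only the first line of each four-line burst carries this text, so matching
# it counts bursts, not lines.
TABLE_FULL_RE = re.compile(r"kernel: FW-1: A new connection has been detected but cannot be added to")


def parse_fw_tab_summary(text):
    """Return the #VALS / #PEAK / #SLINKS counters of the connections row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[1] == "connections":
            return {"vals": int(fields[3]), "peak": int(fields[4]), "slinks": int(fields[5])}
    raise ValueError("connections table not found in summary")


def capacity_report(summary, limit, warn_ratio=0.8):
    """Compare real entries (not symlinks) to the configured connection limit."""
    peak_ratio = summary["peak"] / limit
    if summary["peak"] >= limit:
        status = "FULL"      # peak already hit the limit: drops are expected
    elif peak_ratio >= warn_ratio:
        status = "WARN"      # headroom is thin; raise the limit or cut timeouts
    else:
        status = "OK"
    return {
        "current_pct": round(100 * summary["vals"] / limit, 1),
        "peak_pct": round(100 * peak_ratio, 1),
        "slinks_per_conn": round(summary["slinks"] / max(summary["vals"], 1), 2),
        "status": status,
    }


def count_table_full_events(syslog_text):
    """Count 'connection table full' bursts in syslog text."""
    return sum(1 for line in syslog_text.splitlines() if TABLE_FULL_RE.search(line))


if __name__ == "__main__":
    s = parse_fw_tab_summary(FW_TAB_SUMMARY)
    print(capacity_report(s, 25000), "table-full events:", count_table_full_events(SYSLOG))
```

Run it against a real summary by piping `fw tab -t connections -s` output into FW_TAB_SUMMARY; a WARN or FULL status before the syslog errors appear is the signal to revisit the limit or the session timeouts rather than wait for dropped connections.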
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
