SecureXL is pretty good, and you should probably turn it on, unless you've got a specific reason not to... except that there are quite a few things that will make SecureXL not perform as well as it could, or not perform at all. Certain types of rules are not accelerated (e.g. anything terminating on the gateway itself), and certain services will stop all acceleration below them - e.g. PPTP.

Some SmartDefense options will also disable SecureXL. From memory, things like network quota, and TTL and IP-ID scrambling.

Have a hunt through the Nokia knowledge base; there are some articles describing this in more detail.

If your problems only really come up when you are trying to synchronise connections, then I would suggest a couple of things:

* Double check your synchronisation interfaces, make sure there are no errors.
* Consider carefully if everything needs to be synchronised. You may be happy to not sync DNS, for example.
* Look at what you're logging - I've seen stuff like DNS logging (for public DNS servers) cause those sorts of problems, with not being able to log everything. Consider if everything needs to be logged.

45,000 concurrent connections should not be a problem for a 380. Performance issues are more around rate of new connections, rather than concurrent connections. How many concurrent connections do you actually have going through your firewall at any one time?

1220s may help, yes - but you still want to think about the above items.

HTH,

 - Lindsay


On 5 Dec 2005, at 19:22, Tom Louis wrote:

I don't have that much turned on under SmartDefense,
the problem I am having is when we bring up the
secondary firewall, we start to drop logs, stating
that
====snip==========
Information:    sys_message: 10959408 log entries were
not sent to log server xxx.xxx.xxx.xxx because of high
load, but were instead sent to backup.
====un-snip=========

Plus I was just told to increase our connection
table which we have set at 45,000.

I am supposed to be getting a pair of 1220's this week
to replace our 380's. Yes, we are throwing money at the
problem instead of solving the issue. But hey if they
want to buy me some IP-1220's I will take them. ;?)

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
