If these TCP connections in the table are from malicious or errant hosts, you 
may want to consider your SynDefender settings. In addition, you may want to 
enable aggressive state table cleanup. This might help with cleaning up these 
sporadic stale connections. You have to be on R65 to use this feature. 

Frank

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On 
Behalf Of Alex
Sent: Friday, October 05, 2007 1:53 PM
To: [email protected]
Subject: [FW-1] AW: [FW-1] SecureXL and Connection tables getting full

The problem I was talking about is that Check Point doesn't remove
TCP connections from the state table even when they are closed via FIN or RST
packets. The connections only get removed when the TCP timeout is reached. 
And this only happens with SecureXL enabled. So the session table grows very
fast. We spend a lot of time debugging with Check Point because of this.

Alex

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Hugo van
der Kooij
Sent: Friday, October 5, 2007 13:56
To: [email protected]
Subject: Re: [FW-1] SecureXL and Connection tables getting full

On Fri, 5 Oct 2007, Alex wrote:

> There's a bug in Check Point - we had the same issue (R60) and received a 
> special hotfix,
> which has to be installed on the gateway.
> The hotfix should now be included in R65 for IPSO, but we didn't test that
> till now.

Mind you that connection handling has undergone some other changes as well 
in R65. You can start dropping connection entries early if the table is 
filled up. And you can protect the table from pseudo connections (anything 
but TCP) filling up the table.

Hugo.

-- 
        [EMAIL PROTECTED]       http://hugo.vanderkooij.org/
            This message is using 100% recycled electrons.

        Some men see computers as they are and say "Windows"
        I use computers with Linux and say "Why Windows?"
        (Thanks JFK, for this quote of George Bernard Shaw.)

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
