So you're running an R65 firewall with an R75.20 SmartCenter? I gotta tell you we had a lot of IPS/SmartDefense headaches when we tried that.
I'm assuming you have connections set to rematch on the policy installation, right? I'm assuming that works with a big version mismatch like you have, but I wouldn't bet on things being as smooth as advertised given our IPS/SmartDefense problems. Are you actually noticing anything in the performance or just seeing it in the counters?

> Date: Tue, 21 Feb 2012 11:49:44 +0530
> From: moham...@fss.co.in
> Subject: Re: [FW-1] Connections dropping when pushing policy
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>
> Dear Ray,
>
> Ours is a Nokia box, and the SmartCenter is running on a separate PC
> with 4GB RAM.
>
> Version: NGX (R65)
> OS: IPSO Version: 4.2
>
> Average CPU - 14%
> Active virtual memory - 650MB
> Disk free % - 84
>
> cpmodule
> Version: R75.20
> OS: SecurePlatform
>
> Even with logging disabled, we are seeing connections reset when a
> policy is pushed. I thought the information below might be useful to
> you. If not, please ignore it.
>
> Thanks
>
> Regards
> Mohamed.N
>
>
> Interface table
> ------------------------------------------
> |Name  |Dir|Accept    |Drop   |Reject|Log  |
> ------------------------------------------
> |re1c0 |in | 324109097| 297534|    15|  887|
> |re1c0 |out| 333252079|   1229|     0|   22|
> |eth4c0|in |         0|      0|     0|    0|
> |eth4c0|out|         0|      0|     0|    0|
> |eth3c0|in |       180|      0|     0|    0|
> |eth3c0|out|       164|      0|     0|    0|
> |re2c0 |in | 332223094| 391575|     0| 1787|
> |re2c0 |out| 323659116|  74667|     0|    5|
> ------------------------------------------
> |      |   |1313243730| 765005|    15| 2701|
> ------------------------------------------
>
>
> -----------------------
> CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f perf fw)
> -----------------------
>
> Product name: FireWall-1
> hmem - block size: 4096
> hmem - requested bytes: 20971520
> hmem - initial allocated bytes: 20971520
> hmem - initial allocated blocks: 0
> hmem - initial allocated pools: 0
> hmem - current allocated bytes: 20971520
> hmem - current allocated blocks: 5119
> hmem - current allocated pools: 1
> hmem - maximum bytes: 31457280
> hmem - maximum pools: 10
> hmem - bytes used: 8864536
> hmem - blocks used: 3332
> hmem - bytes unused: 12106984
> hmem - blocks unused: 1787
> hmem - bytes peak: 15669876
> hmem - blocks peak: 4430
> hmem - bytes internal use: 70736
> hmem - number of items: 99428
> hmem - alloc operations: 114095822
> hmem - free operations: 113996394
> hmem - failed alloc: 0
> hmem - failed free: 0
> kmem - system physical mem: 0
> kmem - available physical mem: 0
> kmem - aix heap size: 0
> kmem - bytes used: 44883372
> kmem - blocking bytes used: 1404360
> kmem - non blocking bytes used: 43479012
> kmem - bytes unused: 0
> kmem - bytes peak: 54765700
> kmem - blocking bytes peak: 1696556
> kmem - non blocking bytes peak: 53069144
> kmem - bytes internal use: 5192
> kmem - number of items: 649
> kmem - alloc operations: 22074683
> kmem - free operations: 22074034
> kmem - failed alloc: 0
> kmem - failed free: 0
> inspect - packets: 1455110299
> inspect - operations: 3919265977
> inspect - lookups: 884037145
> inspect - record: 0
> inspect - extract: 2384748506
> cookies - total: 1495017859
> cookies - alloc: 0
> cookies - free: 0
> cookies - dup: 5
> cookies - get: 3683290696
> cookies - put: 9252701
> cookies - len: 1495188831
> chains - alloc: 0
> chains - free: 0
> fragments - fragments: 0
> fragments - expired: 0
> fragments - packets: 0
> ufp - % hits ratio: 0
> ufp - total connections: 0
> ufp - hits connections: 0
> ufp - session max: 0
> ufp - session current: 0
> ufp - session count: 0
> ufp - rej session : 0
> ufp - time stamp:
> ufp - is alive: 0
> http - pid: 0
> http - proto: 0
> http - port: 0
> http - logical port: 0
> http - max avail socket: 0
> http - socket in use max: 0
> http - socket in use current: 0
> http - socket in use count: 0
> http - session max: 0
> http - session current: 0
> http - session count: 0
> http - auth session max: 0
> http - auth session current: 0
> http - auth session count: 0
> http - accepted session: 0
> http - rejected session: 0
> http - auth failures: 0
> http - opsec cvp session max: 0
> http - opsec cvp session current: 0
> http - opsec cvp session count: 0
> http - opsec cvp rej session : 0
> http - ssl encryp session max: 0
> http - ssl encryp session current: 0
> http - ssl encryp session count: 0
> http - transparent session max: 0
> http - transparent session current: 0
> http - transparent session count: 0
> http - proxied session max: 0
> http - proxied session current: 0
> http - proxied session count: 0
> http - tunneled session max: 0
> http - tunneled session current: 0
> http - tunneled session count: 0
> http - ftp session max: 0
> http - ftp session current: 0
> http - ftp session count: 0
> http - time stamp:
> http - is alive: 0
> ftp - pid: 0
> ftp - proto: 0
> ftp - port: 0
> ftp - logical port: 0
> ftp - max avail socket: 0
> ftp - socket in use max: 0
> ftp - socket in use current: 0
> ftp - socket in use count: 0
> ftp - session max: 0
> ftp - session current: 0
> ftp - session count: 0
> ftp - auth session max: 0
> ftp - auth session current: 0
> ftp - auth session count: 0
> ftp - accepted session: 0
> ftp - rejected session: 0
> ftp - auth failures: 0
> ftp - opsec cvp session max: 0
> ftp - opsec cvp session current: 0
> ftp - opsec cvp session count: 0
> ftp - opsec cvp rej session : 0
> ftp - time stamp:
> ftp - is alive: 0
> telnet - pid: 0
> telnet - proto: 0
> telnet - port: 0
> telnet - logical port: 0
> telnet - max avail socket: 0
> telnet - socket in use max: 0
> telnet - socket in use current: 0
> telnet - socket in use count: 0
> telnet - session max: 0
> telnet - session current: 0
> telnet - session count: 0
> telnet - auth session max: 0
> telnet - auth session current: 0
> telnet - auth session count: 0
> telnet - accepted session: 0
> telnet - rejected session: 0
> telnet - auth failures: 0
> telnet - time stamp:
> telnet - is alive: 0
> rlogin - pid: 0
> rlogin - proto: 0
> rlogin - port: 0
> rlogin - logical port: 0
> rlogin - max avail socket: 0
> rlogin - socket in use max: 0
> rlogin - socket in use current: 0
> rlogin - socket in use count: 0
> rlogin - session max: 0
> rlogin - session current: 0
> rlogin - session count: 0
> rlogin - auth session max: 0
> rlogin - auth session current: 0
> rlogin - auth session count: 0
> rlogin - accepted session: 0
> rlogin - rejected session: 0
> rlogin - auth failures: 0
> rlogin - time stamp:
> rlogin - is alive: 0
> smtp - pid: 0
> smtp - proto: 0
> smtp - port: 0
> smtp - logical port: 0
> smtp - max avail socket: 0
> smtp - socket in use max: 0
> smtp - socket in use current: 0
> smtp - socket in use count: 0
> smtp - session max: 0
> smtp - session current: 0
> smtp - session count: 0
> smtp - accepted session: 0
> smtp - rejected session: 0
> smtp - mail max: 0
> smtp - mail curr: 0
> smtp - mail count: 0
> smtp - outgoing mail max: 0
> smtp - outgoing mail curr: 0
> smtp - outgoing mail count: 0
> smtp - max mail on conn: 0
> smtp - total mails : 0
> smtp - time stamp:
> smtp - is alive: 0
> sync - configured: Yes
> sync - out state: On
> sync - in state: On
> sync - number of sent packets: 6159304
> sync - number of Kbytes sent: 5345165
> sync - number of packets received: 4871821
> sync - number of Kbytes received: 5597043
> sync - number of retrans requests sent: 4599
> sync - number of retrans requests received: 755
> sync - number of ack packets sent: 100250
> sync - number of ack packets received: 3087169
> sync - number of packets dropped by network: 139
> sync - overall number of table updates to be synced: 54785806
> sync - number of updates filtered by 'non sync': 227
>
>
> -----------------------
> CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f hmem fw)
> -----------------------
>
> Product name: FireWall-1
> hmem - block size: 4096
> hmem - requested bytes: 20971520
> hmem - initial allocated bytes: 20971520
> hmem - initial allocated blocks: 0
> hmem - initial allocated pools: 0
> hmem - current allocated bytes: 20971520
> hmem - current allocated blocks: 5119
> hmem - current allocated pools: 1
> hmem - maximum bytes: 31457280
> hmem - maximum pools: 10
> hmem - bytes used: 8864536
> hmem - blocks used: 3332
> hmem - bytes unused: 12106984
> hmem - blocks unused: 1787
> hmem - bytes peak: 15669876
> hmem - blocks peak: 4430
> hmem - bytes internal use: 70736
> hmem - number of items: 99428
> hmem - alloc operations: 114095822
> hmem - free operations: 113996394
> hmem - failed alloc: 0
> hmem - failed free: 0
>
>
> -----------------------
> CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f kmem fw)
> -----------------------
>
> Product name: FireWall-1
> kmem - system physical mem: 0
> kmem - available physical mem: 0
> kmem - aix heap size: 0
> kmem - bytes used: 44883372
> kmem - blocking bytes used: 1404360
> kmem - non blocking bytes used: 43479012
> kmem - bytes unused: 0
> kmem - bytes peak: 54765700
> kmem - blocking bytes peak: 1696556
> kmem - non blocking bytes peak: 53069144
> kmem - bytes internal use: 5192
> kmem - number of items: 649
> kmem - alloc operations: 22074683
> kmem - free operations: 22074034
> kmem - failed alloc: 0
> kmem - failed free: 0
>
>
> -----------------------
> CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f inspect fw)
> -----------------------
>
> Product name: FireWall-1
> inspect - packets: 1455127417
> inspect - operations: 3920038161
> inspect - lookups: 884053472
> inspect - record: 0
> inspect - extract: 2384993499
>
>
> -----------------------
> CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f cookies fw)
> -----------------------
>
> Product name: FireWall-1
> cookies - total: 1495035775
> cookies - alloc: 0
> cookies - free: 0
> cookies - dup: 5
> cookies - get: 3683385478
> cookies - put: 9252851
> cookies - len: 1495206747
>
>
> 2380
> moham...@fss.co.in
> +91 95001 29207
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Ray
> Sent: Tuesday, February 21, 2012 1:18 AM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] Connections dropping when pushing policy
>
> It sounds more like under-powered hardware. What are you using, and is
> the SmartCenter on the same box as the firewall?
>
> Ray
>
> > Date: Mon, 20 Feb 2012 17:33:05 +0530
> > From: moham...@fss.co.in
> > Subject: Re: [FW-1] Connections dropping when pushing policy
> > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> >
> > Dear All,
> >
> > We have a Nokia, and Check Point R75.20 is running on it. We have some
> > 300 rule bases and enabled logging for all the rules. When put in
> > production the CPU got overloaded, and particularly when I push the
> > policy, all ongoing connections are dropping. We have disabled the logs
> > and thereafter found normal behavior. Wonder if enabling logging
> > caused the CPU hog.
> >
> > Regards
> >
> > Mohamed.N
> >
> > DISCLAIMER:
> > ================================================================================
> > The information contained in this e-mail message may be privileged and/or
> > confidential and protected from disclosure under applicable law. It is
> > intended only for the individual to whom or entity to which it is addressed
> > as shown at the beginning of the message. If the reader of this message is
> > not the intended recipient, or if the employee or agent responsible for
> > delivering the message is not an employee or agent of the intended
> > recipient, you are hereby notified that any review, dissemination,
> > distribution, use, or copying of this message is strictly prohibited. If
> > you have received this message in error, please notify us immediately by
> > return e-mail and permanently delete this message and your reply to the
> > extent it includes this message. Any views or opinions presented in this
> > message or attachments are those of the author and do not necessarily
> > represent those of the Company. All e-mails and attachments sent and
> > received are subject to monitoring, reading, and archival by the Company.
> > ================================================================================
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to lists...@amadeus.us.checkpoint.com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-ow...@ts.checkpoint.com
> > =================================================
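The reply above asks whether the drops are felt or only seen in the counters. One thing worth keeping in mind when reading the `cpstat` dump Mohamed posted: every value in it is cumulative since the firewall last restarted, so a single dump cannot tell you whether a policy push caused any of the drops. What you want is one snapshot taken just before the push and one just after, and the difference between them. The following is an added Python example, not code from the thread or from Check Point: it parses the `Interface table` and the `area - counter: value` lines in the format shown above, diffs two snapshots, and flags interfaces whose drop fraction is above a threshold. The two trimmed snapshots are constructed test input (the numbers are the ones posted above; the second snapshot reuses the later `inspect`/`cookies` values from the same post), and the 0.1% threshold is an arbitrary illustration, not a Check Point recommendation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Counter = Union[int, str]

# Constructed test input: an excerpt of the `cpstat` output quoted in the
# thread (interface table plus a handful of counters), values as posted.
SNAPSHOT_A = """\
Interface table
------------------------------------------
|Name  |Dir|Accept    |Drop   |Reject|Log  |
------------------------------------------
|re1c0 |in | 324109097| 297534|    15|  887|
|re1c0 |out| 333252079|   1229|     0|   22|
|eth4c0|in |         0|      0|     0|    0|
|eth4c0|out|         0|      0|     0|    0|
|eth3c0|in |       180|      0|     0|    0|
|eth3c0|out|       164|      0|     0|    0|
|re2c0 |in | 332223094| 391575|     0| 1787|
|re2c0 |out| 323659116|  74667|     0|    5|
------------------------------------------
|      |   |1313243730| 765005|    15| 2701|
------------------------------------------

Product name: FireWall-1
hmem - bytes used: 8864536
hmem - maximum bytes: 31457280
hmem - failed alloc: 0
kmem - failed alloc: 0
inspect - packets: 1455110299
cookies - total: 1495017859
sync - number of sent packets: 6159304
sync - number of retrans requests sent: 4599
sync - number of packets dropped by network: 139
"""

# Constructed second snapshot: the later inspect/cookies values from the
# separate `cpstat -f inspect fw` / `cpstat -f cookies fw` runs in the post.
SNAPSHOT_B = """\
Product name: FireWall-1
inspect - packets: 1455127417
cookies - total: 1495035775
"""


@dataclass(frozen=True)
class IfaceRow:
    name: str
    direction: str
    accept: int
    drop: int
    reject: int
    log: int


# Six pipe-delimited cells; column alignment is irrelevant to the match.
_ROW = re.compile(r"^\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|\s*$")
# "area - counter name: value"; the value may be empty (e.g. "ufp - time stamp:").
_COUNTER = re.compile(r"^(\w+\s*-\s*[^:]+?)\s*:\s*(.*?)\s*$")


def parse_interface_table(text: str) -> List[IfaceRow]:
    """Return one row per interface/direction, skipping the header and the unnamed totals row."""
    rows: List[IfaceRow] = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        name, direction, *nums = (f.strip() for f in m.groups())
        if not name or not all(n.isdigit() for n in nums):
            continue
        rows.append(IfaceRow(name, direction, *map(int, nums)))
    return rows


def parse_counters(text: str) -> Dict[str, Counter]:
    """Map 'hmem - bytes used' -> 8864536; non-numeric values (Yes/On) are kept as strings."""
    counters: Dict[str, Counter] = {}
    for line in text.splitlines():
        m = _COUNTER.match(line.strip())
        if not m:
            continue
        key = " ".join(m.group(1).split())
        value = m.group(2)
        counters[key] = int(value) if value.isdigit() else value
    return counters


def counter_delta(before: Dict[str, Counter], after: Dict[str, Counter]) -> Dict[str, int]:
    """Per-counter change between two cumulative snapshots (numeric keys present in both)."""
    return {k: after[k] - before[k] for k, v in before.items()
            if isinstance(v, int) and isinstance(after.get(k), int)}


def drop_ratio(row: IfaceRow) -> float:
    """Dropped packets as a fraction of all packets the firewall decided on for that interface/direction."""
    total = row.accept + row.drop + row.reject
    return row.drop / total if total else 0.0


def flag_interfaces(rows: List[IfaceRow], threshold: float = 1e-3) -> List[Tuple[str, str, float]]:
    """Interfaces whose drop fraction exceeds `threshold` (0.1% by default, an illustrative value)."""
    return [(r.name, r.direction, drop_ratio(r)) for r in rows if drop_ratio(r) > threshold]


def summarize(before_text: str, after_text: str, threshold: float = 1e-3) -> dict:
    before, after = parse_counters(before_text), parse_counters(after_text)
    return {
        "interfaces_over_threshold": flag_interfaces(parse_interface_table(before_text), threshold),
        "failed_allocs": {k: v for k, v in before.items() if k.endswith("failed alloc") and v},
        "deltas": counter_delta(before, after),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SNAPSHOT_A, SNAPSHOT_B))
```

In practice you would capture the two snapshots around the policy install and compare the interface `Drop` and `Reject` columns in the delta, not the lifetime totals: on the numbers posted, only `re2c0 in` crosses the 0.1% line, and since these are lifetime counts that says nothing yet about whether the policy push is what moved them.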