CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

2005-08-12, BarryStiefel
Connections terminate on a policy install

You might notice that on a policy installation, your active connections will terminate. As of FireWall-1 4.1 SP2, FireWall-1 will flush the connections table on a policy load. How do I keep this from happening?



Answer For NG FP2 and above



This can be resolved by going to the Gateway object in Policy Editor / Smart Dashboard and going to the Advanced Frame, Connection Persistence. There you can define whether connections are saved across policy installs or not.

For 4.1

In FireWall-1 4.1, you can add the 'keep' flag to the connection table definition in $FWDIR/lib/table.def on the management console. It should look like the following (this is from FireWall-1 4.1 SP4):

    connections = dynamic refresh sync expires TCP_START_TIMEOUT
        expcall KFUNC_CONN_EXPIRE
        kbuf 1
    #ifdef SECUREMOTE
        implies userc_verified_connections
    #else
        implies ftp_restrictions
    #endif
        hashsize 32768 limit 25000;

One simply adds 'keep' after the word 'sync' as shown below:

    connections = dynamic refresh sync keep expires TCP_START_TIMEOUT
        expcall KFUNC_CONN_EXPIRE
        kbuf 1
    #ifdef SECUREMOTE
        implies userc_verified_connections
    #else
        implies ftp_restrictions
    #endif
        hashsize 32768 limit 25000;

You will need to reload your security policy for this change to take effect.

If you are using an Oracle SQLNetv2 connection, an alternative approach is to configure Oracle to use one specific port with USE_SHARED_SOCKET = TRUE parameter.

Comments

In NG AI, even with connections persistence - keep all connections, I get session drops on a policy install.



Regards,

Bazauas.

-- RobertGraham - 06 Feb 2004
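
One way to apply the FireWall-1 4.1 table.def edit described in the post repeatably, as an added example that is not part of the original post or of Check Point's tooling: a shell function that inserts 'keep' after 'sync' in the connections definition once and leaves a .bak copy. The function names, return codes and the line layout of the sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): add 'keep' after 'sync' in the
# connections table definition of a table.def file, once, with a backup.
# Return codes (this example's own convention): 0 = added, 1 = already
# present, 2 = definition or 'sync' keyword not found, or file error.
add_keep_flag() {
    file=$1
    [ -f "$file" ] || return 2
    tmp=$(mktemp) || return 2
    rc=0
    awk '
        /^connections[ \t]*=/ { indef = 1; def = "" }   # definition starts
        indef {
            def = def $0 "\n"                           # buffer up to the ";"
            if ($0 !~ /;/) next
            indef = 0
            if (def ~ /[ \t]keep[ \t\n;]/) has_keep = 1
            else if (match(def, /[ \t]sync[ \t\n;]/)) {
                # RSTART is the blank before "sync"; insert right after the "c"
                def = substr(def, 1, RSTART + 4) " keep" substr(def, RSTART + 5)
                added = 1
            }
            printf "%s", def
            next
        }
        { print }
        END { exit (has_keep ? 1 : (added ? 0 : 2)) }
    ' "$file" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Keep the original beside the edited file; write in place so the
        # file keeps its owner and mode.
        { cp -p "$file" "$file.bak" && cat "$tmp" > "$file"; } || rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: the FireWall-1 4.1 SP4 definition quoted in the post,
# with line breaks chosen for this example.
write_sample() {
    cat > "$1" <<'EOF'
connections = dynamic refresh sync expires TCP_START_TIMEOUT
    expcall KFUNC_CONN_EXPIRE
    kbuf 1
#ifdef SECUREMOTE
    implies userc_verified_connections
#else
    implies ftp_restrictions
#endif
    hashsize 32768 limit 25000;
EOF
}
```

Run it against a copy of $FWDIR/lib/table.def first, then reload the security policy as the post says.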
