CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
SPLAT NGX R60 with HF2 applied. I'm having problems with the connections table reaching its limits, and then the new connections are dropped. I've increased the threshold from the default value of 25,000 to 50,000. The server has 512 MB of RAM in it. Do I need to increase the RAM? What are some of the causes for something like this to happen? I've seen a couple of other posts in the forum that state "internal port scanning" or "trojans" can cause this to happen. What are some of the fw tab commands with the switches that will help to determine what's in the state tables?
| |||
You can see "Maximum memory pool size" for connections in Gateway Properties - Capacity Optimization from SmartDashboard. "fw tab -t connections -s" or "fw tab -t connections" display the connections table.
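The two posts above ask which fw tab switches show how full the connections table is and what is filling it. The script below is an added example for this thread, not code from any of the posters or from Check Point: it parses a constructed sample of "fw tab -t connections -s" output to report utilisation against the configured limit, and summarises a constructed sample of a "fw tab -t connections -u" dump by source address. The column layout of the "-s" summary (HOST NAME ID #VALS #PEAK #SLINKS) and the leading hex 6-tuple of each "-u" entry (direction, source IP, source port, destination IP, destination port, protocol) are assumptions about the output format, not something the thread confirms; on a real gateway you would pipe the live command output into these functions instead of the samples.

```shell
#!/bin/sh
# Added example, not from the thread. Parses "fw tab -t connections -s" output to
# show how close the table is to its limit, and groups a "fw tab -t connections -u"
# dump by source IP so you can see which hosts are consuming entries.
#
# ASSUMPTIONS (not confirmed by the thread):
#  - the "-s" summary has a header row HOST NAME ID #VALS #PEAK #SLINKS
#  - each "-u" entry starts with <dir, src_ip, src_port, dst_ip, dst_port, proto> in hex,
#    and dir 00000000 is the original (forward) direction of the connection

# Constructed sample of "fw tab -t connections -s" output.
SAMPLE_SUMMARY='HOST                  NAME                        ID #VALS #PEAK #SLINKS
localhost             connections               8158 47210 50000 94420'

# Constructed sample of the start of a "fw tab -t connections -u" dump. Only the
# leading 6-tuple of each entry is shown; real entries carry more fields after ";".
SAMPLE_DUMP='<00000000, 0a000105, 0000c3e4, 0a0a0a01, 00000050, 00000006; ...>
<00000000, 0a000105, 0000c3e5, 0a0a0a02, 00000050, 00000006; ...>
<00000000, 0a000105, 0000c3e6, 0a0a0a03, 00000050, 00000006; ...>
<00000000, 0a000207, 00008a1c, c0a80001, 00000035, 00000011; ...>
<00000001, c0a80001, 00000035, 0a000207, 00008a1c, 00000011; ...>'

# table_usage SUMMARY LIMIT -> prints "<#VALS> <#PEAK> <percent of LIMIT in use>"
table_usage() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        NR > 1 && $2 == "connections" {
            printf "%d %d %d\n", $4, $5, ($4 * 100) / limit
        }'
}

# table_near_limit SUMMARY LIMIT THRESHOLD -> true when usage >= THRESHOLD percent
table_near_limit() {
    pct=$(table_usage "$1" "$2" | awk '{ print $3 }')
    [ "${pct:-0}" -ge "$3" ]
}

# top_sources DUMP -> "<count> <source ip>" lines, busiest first, forward direction only
# (reverse-direction entries are the symbolic links counted under #SLINKS, so they
# are skipped to avoid double counting a connection).
top_sources() {
    printf '%s\n' "$1" | awk '
        # turn 8 hex digits into a dotted quad without gawk-only strtonum()
        function hex2ip(h,    i, hi, lo, s) {
            s = ""
            for (i = 1; i <= 8; i += 2) {
                hi = index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
                lo = index("0123456789abcdef", tolower(substr(h, i + 1, 1))) - 1
                s = s (i > 1 ? "." : "") (hi * 16 + lo)
            }
            return s
        }
        /^</ {
            gsub(/[<>,;]/, " ")          # strip punctuation so fields split cleanly
            if ($1 == "00000000") count[hex2ip($2)]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Demonstration on the constructed samples, with the 50,000 limit from the thread.
echo "vals peak pct: $(table_usage "$SAMPLE_SUMMARY" 50000)"
table_near_limit "$SAMPLE_SUMMARY" 50000 90 && echo "WARNING: connections table above 90% of limit"
echo "top sources by forward entries:"
top_sources "$SAMPLE_DUMP"
```

Run it as-is to see the sample, or replace the two samples with `"$(fw tab -t connections -s)"` and `"$(fw tab -t connections -u)"` on the gateway; a single source address holding thousands of forward entries to many distinct destinations is the pattern that the "internal port scanning" and "trojan" explanations in the first post would produce.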
| |||
Another important question that it would be useful to get an answer for on this subject is: does it clear the existing table when it increases? Background: if you increase the connection limits in the GUI under the Firewall Node / Capacity Optimization / connections table size from 25,000 to 50,000, the effect does not take place until you push the policy. So the question is, when you push the policy and implement the table size increase, does it drop packets going through the firewall module, or does it remember them all and is it a seamless process? I have done this on other firewalls, but can't quite remember if it was seamless! Obviously you wouldn't want to do it in the middle of the day if it drops all existing connections! Help! Many thanks in advance, Webcam007
| |||
When you increase the table and push out the policy, it will not drop any connections or clear the table. It will just update the table to be able to hold more.
| |||
My colleague and I have a theoretical dispute over the following question: "Does a policy push reset all current connections?" My opinion is that all the active connections not denied by a new policy stay active. This is because no state information is deleted from the firewall enforcement point. My colleague states that any policy push deletes all the state information. All the connections need to be rematched. This leads to a massive reset of all TCP/UDP sessions. This will be unnoticed in HTTP and other short connections, but will reset all long sessions like eBank SSL, FTP and others. That means that any policy install (SmartDefense updates, or policy modifications) during work hours will lead to disruptions in some critical operations (such as eBanking). My colleague even asked a Compendun (official Check Point training center) teacher for assistance. Quote:
| |||
It's your choice. There's a selection for this, but I don't remember where. I use "rematch" myself. Depending on your network, you might want to consider a caching proxy server if a majority of your traffic is outbound and there's a lot of browsing. I use one, and it not only reduced my Internet line utilization from 95%-100% down to barely 60%, it dramatically reduced the number of connections handled by FW-1. I've got 1,500 employees on the inside and about a hundred more connecting by remote access. My connection table very rarely gets over 1,000 (yes, that's one thousand). Ray
| |||
Information from Help. I think this information is correct.

"When a new Policy is installed, existing connections are marked as "old". When a new packet that belongs to an "old" connection is encountered, it is matched against the Policy. If the Policy match result is Accept, the entry will revert back to a normal state and the connection will continue uninterrupted. If the result is Drop or Reject then the packet is dropped and the connection entry is deleted from the table.

Keep all connections - Keep all control and data connections open until the connections have ended. The newly installed Policy will be enforced only for new connections.

Keep Data Connections - Keep all data connections open until the connections have ended. Control connections that are not allowed under the new Policy will be terminated.

Rematch Connections - All connections not allowed under the new Policy will be terminated, unless the Keep connections open after policy has been installed is enabled in the service's Properties window."
| |||
It depends how much RAM you have. Nokia has published numbers for the maximum you should configure, for different amounts of RAM. It also depends on whether you enable SecureXL on Nokia (this roughly halves the theoretical max). With 2 GB of RAM, you can easily do 500,000 connections.
| |||
Hi all, I want to change the maximum connections in SmartDashboard from 15,000 to 50,000. How can I change it? I have searched the forums but can't find any information. If you know, please answer me soon. Thank you very much. Duy Khang
| |||
Hi all, I know where I can change the connection limits, but I have one more question: I use Crossbeam X40 + Check Point VSX NG AI v25 with 512 MB RAM. How many connections can Check Point reach? If you know, please answer me soon. Thank you very much.
| |||
Some Check Point versions, like "old" Express licenses, do not allow you to increase the max connections value; it is limited to the default.
| |||
That is correct. If you have chosen "Check Point Express" when installing the gateway, this option will be hidden; even if you have installed the "Enterprise" with an Express license, you'll still have the max connection value limitation. This only applies to NG and has been removed from NGX.
| |||
We have recently encountered the concurrent connections value automatically changing itself when an issue occurred on the firewall. Has anyone ever encountered this? Everything I read suggests only changing it manually. Regards, Lee