CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
What is the maximum number of connections I can have through a firewall using NAT? CP says 50000; does that mean 50000 per destination server, or total connections including all the destination servers? E.g. is it 50000 connections to google and 50000 to yahoo, or yahoo + google = 50000?
What version do you use? You can find the parameter nat_limit with guidbedit. For NGX this value is 0 (unlimited, I think). About the limit, imho these are concurrent connections. Not exactly concurrent, but this number is the number of connections which are kept in CP tables. These tables refresh after a fixed time-out.
Really, I didn't work a lot with R54, but guidbedit is a SmartClient. For R55 and later you can find it in the directory with the other SmartClients (SmartDashboard, etc.): ...\CheckPoint\SmartConsole\R55\PROGRAM (for R55).
Sorry, this is not about NAT, but anyway you can set Max Concurrent Connections individually per gateway: "Right Click on Check Point Gateway Cluster object > Edit > Capacity Optimization". The Check Point firewall will reserve memory and prepare connection hash tables based on this value. The GUI prompts that the value should be between 1.000 and 10.000.000. You can see the automatically calculated memory size needed.
For NAT there is the formula (some guidbedit values can be set here): Global Properties > SmartDashboard Customization > Advanced Configuration > Firewall-1 > NAT
hide_max_high_port (def) 60.000
hide_min_high_port (def) 10.000
Looks like these are the upper and lower ports to use for Hide NAT. That means that Check Point can Hide NAT (PAT) 60.000-10.000=50.000 TCP sessions behind 1 IP address (I guess the same settings apply for TCP). Do not forget that the same NAT sessions should be stored in the hash tables (my earlier post).
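As an added illustration (not code from the thread or from Check Point), a toy model of the Hide NAT source-port pool using the defaults quoted above. It assumes, as the replies do, that one hide address has a single pool shared across all destinations, so the 50.000 figure is a total rather than a per-destination count, and that a port returns to the pool only when the session ages out of the connection table; the names HideNatPool and fill_pool are made up for this example.

```python
# Toy model of Hide NAT port allocation (added example, not Check Point code).
# Assumption: one pool per hide address, shared by every destination.
HIDE_MIN_HIGH_PORT = 10000   # default quoted in the thread
HIDE_MAX_HIGH_PORT = 60000   # default quoted in the thread


def pool_size(lo=HIDE_MIN_HIGH_PORT, hi=HIDE_MAX_HIGH_PORT):
    """Number of source ports one hide address can hand out: hi - lo."""
    return hi - lo


class HideNatPool:
    """One hide address: hands out a free high port to each new session."""

    def __init__(self, lo=HIDE_MIN_HIGH_PORT, hi=HIDE_MAX_HIGH_PORT):
        # Stored high-to-low so pop() returns the lowest free port first.
        self.free = list(range(hi - 1, lo - 1, -1))
        self.active = {}  # (src, dst, dport) -> translated source port

    def allocate(self, src, dst, dport):
        key = (src, dst, dport)
        if key in self.active:
            return self.active[key]       # existing session keeps its port
        if not self.free:
            return None                   # pool exhausted: new session cannot be hidden
        port = self.free.pop()
        self.active[key] = port
        return port

    def expire(self, src, dst, dport):
        """Session timed out of the connections table; its port goes back to the pool."""
        port = self.active.pop((src, dst, dport))
        self.free.append(port)


def fill_pool(pool, dests):
    """Open sessions round-robin across dests until the pool runs dry.

    Returns how many sessions succeeded; with a shared pool this is the
    total across all destinations, not 50.000 per destination.
    """
    n = 0
    while True:
        dst = dests[n % len(dests)]
        # Constructed internal source addresses, one per session.
        src = f"10.0.{n // 250}.{n % 250 + 1}"
        if pool.allocate(src, dst, 443) is None:
            return n
        n += 1
```

Because the pool is shared, sessions to google and yahoo together stop at 50.000; a port becomes usable again only after a session expires from the table, which is why the table time-out in the earlier replies matters for capacity.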