View Full Version : Increasing number of connections allowed

Barry J. Stiefel
2005-08-13, 16:29
Increasing number of connections allowed

There is a limit to the number of connections that FireWall-1 can handle.

In NG FP2 and later, you can go to the gateway object in question, select "Performance Tuning" and specify the maximum number of connections allowed and/or tweak parameters. You can also do this in dbedit on the management console: after exiting all GUIs: modify properties firewall_properties connections_limit 50000modify properties firewall_properties connections_hashsize 65536update properties firewall_propertiesquitIn FireWall-1 4.1 and earlier, it can be increased by editing $FWDIR/lib/tables.def on your management console in FireWall-1 4.1 and earlier. Look for the definition of the "connections" table:

#if LIVE_CONNS == 1connections = dynamic refresh sync expires TCP_START_TIMEOUT expcall KFUNC_CONN_EXPIRE implies tracked kbuf 1 intrap ADD_CONN outrap DEL_CONN hashsize 8192;#elseconnections = dynamic refresh sync expires TCP_START_TIMEOUT expcall KFUNC_CONN_EXPIRE implies tracked kbuf 1 hashsize 8192;#endifNote the "hashsize" parameter. You will need to modify it so that it is the power of 2 closest to the number of connections you wish to allow. You will also need to add the "limit" parameter to set the actual limit. If you wanted to increase the connections limit to 50,000 connections, you would change "hashsize 8192" to "hashsize 65536 limit 50000" (this increases the hash size for the connections table and the limit to the number of connections accordingly).

Note that it is also recommended that you increase the amount of FireWall-1 kernel memory to compensate for the extra connections. See the following FAQ for details: fw: halloc: memory exhausted

Note that if you are performing address translation, you will also need to increase the number of entries allowed in the NAT table. In FireWall-1 3.x, this is hardcoded to 25,000. Paul Wernau from Sun forwarded me Sunsolve article SRDB 20435 which details how this can be done on a Solaris box (it may work on other Unix platforms as well). On the Nokia/VPN-1 Appliance, you can do this with a special kernel module. You will need to contact your support provider to get the necessary information.

In FireWall-1 4.x on all platforms, you can modify this by modifying objects.C. Close any remote GUIs and add the following lines under the :props ( line: :nat_limit (50000) :nat_hashsize (65536)Note the numbers correspond to the limit and hashsize parameters mentioned above.

Once you've made these changes, re-install the security policy.

Re-install the security policy. Note that the firewall may require a reboot for the change to take effect.

-- PhoneBoy (http://www.phoneboy.com/bin/view.pl/Main/PhoneBoy) - 11 Jan 2004

FAQForm (http://www.phoneboy.com/bin/view.pl/FAQs/FAQForm) FAQs.Class: MiscellaneousFAQs (http://www.phoneboy.com/bin/view.pl/FAQs/MiscellaneousFAQs) FAQs.OS: FAQs.Version: