Check Point Forums - Formula How To Increase Connection Table ...

Check Point Forums : Formula how to increase connection table ...

https://forums.checkpoint.com/forums/message.jspa?messageID=24156


Thread: Formula how to increase connection table


Replies: 7 - Pages: 1 - Last Post: Aug 11, 2009 9:35 PM by: Omar Mckenzie


NetworkHPMS
Posts: 3 Registered: 11/14/07

Formula how to increase connection table


Posted: Dec 10, 2008 2:10 PM


Hello, we have a CheckPoint firewall at work.

NOKIAFW[admin]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R62) - Build 120

We have set up a max. connection limit of 600000 connections, but the connection table is almost all the time full at 80% and above. Is there any formula which I can use to calculate the max size of the connection table and the max count of connections depending on the amount of memory, or any other hardware limits?

Second question is, how can I check in CLI how many half-open sessions are established from a specific IP?

Third question is about the limit of connections from one IP. Is there any limitation on Checkpoint which limits the number of current connections from one IP?


Dominik Zanolari
Posts: 39 Registered: 10/6/08

Re: Formula how to increase connection table


Posted: Dec 16, 2008 12:39 PM in response to: NetworkHPMS


Hi, for your first question: Nokia gave a statement on this some time ago. Quote:

The memory required depends on the kind of connections used:
* For simple connections (accept), overhead_per_connection is ~325 bytes
* For NAT'ed connections: overhead_per_connection is ~542 bytes
* For Resources: overhead_per_connection is ~401 bytes
* For VPN: overhead_per_connection is ~399 bytes
* For general overhead: 6mb

Assuming the worst case scenario (NAT):

fwhmem = 6mb + 542 * connections_limit

For 100000 connections it is: 6144*1024 + 542*100000 = 60491456 (57.6 MB)

Keep in mind that FireWall-1 doesn't actually release the memory used for a TCP connection until about a minute after the connection ends. You should take this into account when planning how many connections you expect to handle.

Hugo van der Ko...


Posts: 210 Registered: 11/26/07

Re: Formula how to increase connection table


Posted: Jan 22, 2009 2:00 PM in response to: Dominik Zanolari


Mind you. These tables are predefined bits of memory that are sticky. So you will not get into problems by having table bits swapped out to disk.

Message was edited by: Hugo van der Kooij

Jason Ingram
Posts: 42 Registered: 11/29/07

Re: Formula how to increase connection table


Posted: Jan 22, 2009 5:37 PM in response to: NetworkHPMS


Also keep in mind that Check Point now automatically calculates memory pool requirements based on the connections table size in the Capacity Optimization section on the gateway object itself. This will remain automatic as long as you do not manually enter values. Now with a 600k max connections table size, the max memory pool size would be close to 1Gig (961Mb to be exact). I would not try this on an appliance that only has 1Gig of memory.

In regards to your second question, I would use the following command:

#netstat -na | grep SYN-SENT | grep <IP ADDRESS>

This will show you all half open TCP connections for a specific IP address.

As far as your 3rd question, in theory each connection to a destination port/IP address can make connection requests to 65K source ports on the local PC. Now, if you're asking if there are limitations on NAT behind the FW, yes, it's 25K connections as far as I recall.

Jason

achim dreyer
Posts: 85 Registered: 12/4/07

Re: Formula how to increase connection table


Posted: Aug 10, 2009 12:02 PM in response to: Jason Ingram


> In regards to your second question, I would use the following command:
>
> #netstat -na | grep SYN-SENT | grep <IP ADDRESS>
>
> This will show you all half open TCP connections for a specific IP address.

This command sequence will only show the TCP connections to and from the gateway (or the system where it is run), not the status of the connections through the gateway.

Achim


Omar Mckenzie
Posts: 7 Registered: 11/21/07

Re: Formula how to increase connection table


Posted: Aug 10, 2009 4:54 PM in response to: NetworkHPMS


Regarding checking the number of half-open connections, you can use the following command to check the number of connections that have not completed the 3-way handshake:

fw tab -t connections -u -c |grep -v -e "->" |grep '[1-2][1-5]/25>' | wc -l

achim dreyer
Posts: 85 Registered: 12/4/07

Re: Formula how to increase connection table


Posted: Aug 11, 2009 11:44 AM in response to: Omar Mckenzie


Hi Omar,

> fw tab -t connections -u -c |grep -v -e "->" |grep '[1-2][1-5]/25>' | wc -l

Actually I wouldn't use this command string as it only looks for connections with a maximum time limit of 25 seconds - it does not look for the connection flags at all.

You should evaluate the R_CTYPE field (7th column, the first one after the first semicolon) for the connection status. The fifth hexadecimal digit (k) is a composite of status flags:

Value of k - Explanation
1 - src FIN seen on TCP connection
2 - dst FIN seen on TCP connection
4 - TCP/UDP established connection
8 - SYNACK seen on TCP connection

The connection state is incremental, meaning that if a TCP connection has been established and finished but not yet timed out in the table, the value in this field will be: SYNACK + established + src FIN + dst FIN = 8+4+2+1 = 15 = 0xf

Commonly seen are: 0, c, f

To count the number of connections in the different states you can use:

fw tab -t connections -u -c | tail +4 | grep -v -e '->' | grep -v '^$' | sed -e 's/^[^;]*; *//' -e 's/^....\(.\).*$/\1/' |sort | uniq -c


Depending on your requirements you might also want to evaluate the R_CFLAGS field (the 8th).

Regards,
Achim

Message was edited by: achim dreyer
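An added example (not code from the thread or from Check Point) that does offline what Achim's sed pipeline does: it pulls the fifth hex digit of R_CTYPE out of `fw tab -t connections -u -c` output, decodes the flag bits he lists, tallies entries per state, and counts entries whose handshake has not completed per source IP, which is what the original question asked for. The sample table lines are constructed, and the exact column layout of an entry (only "R_CTYPE is the first field after the first semicolon" comes from the thread) is an assumption.

```python
"""Decode connection states from `fw tab -t connections -u -c` output.
Added example, not code from the thread. Assumed entry layout (the thread
only says R_CTYPE is the first field after the first semicolon):
<dir, src_ip, src_port, dst_ip, dst_port, proto; R_CTYPE, ...; left/timeout>
Link entries contain '->' and carry no state, so they are skipped."""
from collections import Counter

# Flag bits of the fifth hex digit of R_CTYPE, as listed by Achim.
FLAGS = {8: "synack", 4: "established", 2: "src_fin", 1: "dst_fin"}

# Constructed sample output: header, five TCP entries, one link entry.
SAMPLE = """localhost:
-------------------------------------------------------------------------------
<00000000, 0a000105, 0000c3a2, c0a80a14, 00000050, 00000006; 0001f001, 00000000; 58/3600>
<00000000, 0a000105, 0000c3a3, c0a80a14, 00000050, 00000006; 0001c001, 00000000; 3593/3600>
<00000000, 0a000105, 0000c3a4, c0a80a14, 00000050, 00000006; 00010001, 00000000; 17/25>
<00000000, 0a000106, 0000d001, c0a80a14, 00000050, 00000006; 00010001, 00000000; 22/25>
<00000000, 0a000106, 0000d002, c0a80a14, 00000050, 00000006; 00018001, 00000000; 9/25>
<00000000, c0a80a14, 00000050, 0a000105, 0000c3a2, 00000006> -> <00000000, 0a000105, 0000c3a2, c0a80a14, 00000050, 00000006>
"""

def hex_ip(h):
    """'0a000105' -> '10.0.1.5' (fw tab prints addresses as 8 hex digits)."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))

def parse_entry(line):
    """Return (src_ip, dst_ip, k) for a connection entry, else None."""
    line = line.strip()
    if not line.startswith("<") or "->" in line or ";" not in line:
        return None  # header, blank or link entry
    key, rest = line[1:].split(";", 1)
    fields = [f.strip() for f in key.split(",")]
    ctype = rest.split(",", 1)[0].strip()  # R_CTYPE: first field after ';'
    return hex_ip(fields[1]), hex_ip(fields[3]), int(ctype[4], 16)

def decode(k):
    """Names of the flag bits set in the state digit k."""
    return {name for bit, name in FLAGS.items() if k & bit}

def state_counts(output):
    """Same tally as Achim's sort | uniq -c pipeline, keyed by k."""
    return Counter(e[2] for e in map(parse_entry, output.splitlines()) if e)

def half_open_by_src(output):
    """Entries without the 'established' bit, per source IP."""
    c = Counter()
    for e in map(parse_entry, output.splitlines()):
        if e and not e[2] & 4:  # SYN only, or SYNACK without the final ACK
            c[e[0]] += 1
    return c
```

Run it against saved `fw tab` output instead of SAMPLE to get the per-state and per-source counts for a real table.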

Omar Mckenzie
Posts: 7 Registered: 11/21/07

Re: Formula how to increase connection table


Posted: Aug 11, 2009 9:35 PM in response to: NetworkHPMS


Achim, thanks for the info. Using the CTYPE and CFLAG in scripts has proven to be very slow. Additionally, since the default TCP timeout is 25 seconds for completing the 3-way handshake, I assume that whatever is in that STATE has not been acknowledged, thus half-open.

2003-2008 Check Point Software Technologies Ltd. All rights reserved.