Check Point Forums - Formula How To Increase Connection Table ...
https://forums.checkpoint.com/forums/message.jspa?messageID=24156
Replies: 7 - Pages: 1 - Last Post: Aug 11, 2009 9:35 PM by: Omar Mckenzie
NetworkHPMS
Posts: 3 Registered: 11/14/07
Reply
Hello, we have a Check Point firewall at work.

NOKIAFW[admin]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R62) - Build 120

We have set up the max. connection limit to 600000 connections, but the connection table is almost all the time full at 80% and above. Is there any formula which I can use to calculate the max size of the connection table and max count of connections depending on the amount of memory, or any other hardware limits?

Second question is, how can I check in the CLI how many half-open sessions are established from a specific IP?

Third question is about the limit of connections from one IP. Is there any limitation on Check Point which limits the number of current connections from one IP?
Dominik Zanolari
Posts: 39 Registered: 10/6/08
Reply
Hi, for your first question: Nokia gave a statement on this some time ago. Quote:

The memory required depends on the kind of connections used:
* For simple connections (accept), overhead_per_connection is ~325 bytes
* For NAT'ed connections: overhead_per_connection is ~542 bytes
* For Resources: overhead_per_connection is ~401 bytes
* For VPN: overhead_per_connection is ~399 bytes
* For general overhead: 6mb

Assuming the worst case scenario (NAT):
fwhmem = 6mb + 542 * connections_limit
For 100000 connections it is: 6144*1024 + 542*100000 = 60491456 (57.6 MB)

Keep in mind that FireWall-1 doesn't actually release the memory used for a TCP connection until about a minute after the connection ends. You should take this into account when planning how many connections you expect to handle.
Reply
Mind you, these tables are predefined bits of memory that are sticky. So you will not get into problems by having table bits swapped out to disk.
Message was edited by: Hugo van der Kooij
Jason Ingram
Posts: 42 Registered: 11/29/07
Reply
Also keep in mind that Check Point now automatically calculates memory pool requirements based on the connections table size in the Capacity Optimization section on the gateway object itself. This will remain automatic as long as you do not manually enter values. Now with a 600k max connections table size, the max memory pool size would be close to 1Gig (961Mb to be exact). I would not try this on an appliance that only has 1Gig of memory.

In regards to your second question, I would use the following command:

#netstat -na | grep SYN-SENT | grep <IP ADDRESS>

This will show you all half open TCP connections for a specific IP address.

As far as your 3rd question, in theory each connection to a destination port/IP address can make connection requests to 65K source ports on the local PC. Now, if you're asking if there are limitations on NAT behind the FW, yes, it's 25K connections as far as I recall.

Jason
achim dreyer
Posts: 85 Registered: 12/4/07
Reply
> In regards to your second question, I would use the following command:
>
> #netstat -na | grep SYN-SENT | grep <IP ADDRESS>
>
> This will show you all half open TCP connections for a specific IP address.

This command sequence will only show the TCP connections to and from the gateway (or the system where it is run), not the status of the connections through the gateway.

Achim
Omar Mckenzie
Posts: 7 Registered: 11/21/07
Reply
Regarding checking the number of half-open connections, you can use the following command to check the number of connections that have not completed the 3-way handshake:

fw tab -t connections -u -c | grep -v -e "->" | grep '[1-2][1-5]/25>' | wc -l
achim dreyer
Posts: 85 Registered: 12/4/07
Reply
Hi Omar,

> fw tab -t connections -u -c |grep -v -e "->" |grep '[1-2][1-5]/25>' | wc -l

Actually I wouldn't use this command string as it only looks for connections with a maximum time limit of 25 seconds - it does not look for the connection flags at all.

You should evaluate the R_CTYPE field (7th column, the first one after the first semicolon) for the connection status. The fifth hexadecimal digit (k) is a composite of status flags:

Value of k - Explanation
1 - src FIN seen on TCP connection
2 - dst FIN seen on TCP connection
4 - TCP/UDP established connection
8 - SYNACK seen on TCP connection

The connection state is incremental, meaning that if a TCP connection has been established and finished but not yet timed out in the table, the value in this field will be:
SYNACK + established + src FIN + dst FIN = 8+4+2+1 = 15 = 0xf

Commonly seen are: 0, c, f

To count the number of connections in the different states you can use:

fw tab -t connections -u -c | tail +4 | grep -v -e '->' | grep -v '^$' | sed -e 's/^[^;]*; *//' -e 's/^....\(.\).*$/\1/' | sort | uniq -c
Depending on your requirements you might also want to evaluate the R_CFLAGS field (the 8th).

Regards,
Achim

Message was edited by: achim dreyer
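As an added example that is not part of this thread: a small Python script that applies the R_CTYPE decoding from Achim's post (the k digit table above) to a constructed sample of `fw tab -t connections -u -c` output, counting entries per state the way his `sort | uniq -c` pipeline does and reporting entries with neither SYNACK nor established set as not yet past the handshake. The sample's column layout (three header lines, R_CTYPE as the first field after the first semicolon, `->` link entries) is assumed from the post, not taken from a real gateway.

```python
import re
from collections import Counter

# Bit meanings of the fifth hex digit (k) of R_CTYPE, as listed in the post
K_FLAGS = {0x1: "src FIN seen", 0x2: "dst FIN seen",
           0x4: "established", 0x8: "SYNACK seen"}

# Constructed sample in the style of `fw tab -t connections -u -c` output.
# Assumed layout: 3 header lines, then one entry per line; R_CTYPE is the
# first field after the first ';'; lines containing '->' are link entries.
SAMPLE = """\
localhost:
-------- connections --------
dynamic, id 8158, attributes: keep, sync, expires 25, refresh, limit 600000
<00000000, 0a000001, 0000c001, c0a80002, 00000050, 00000006; 0001f001, 00000000, 00000000; 3600/3600>
<00000000, 0a000001, 0000c002, c0a80002, 00000050, 00000006; 0001c001, 00000000, 00000000; 3600/3600>
<00000000, 0a000001, 0000c003, c0a80002, 00000050, 00000006; 00010001, 00000000, 00000000; 18/25>
<00000001, c0a80002, 00000050, 0a000001, 0000c001, 00000006> -> <00000000, 0a000001, 0000c001, c0a80002, 00000050, 00000006>
"""

# First 8-hex-digit field after the first ';' of an entry line
ENTRY = re.compile(r"^<[^;]*;\s*([0-9a-fA-F]{8})")

def state_digit(line):
    """Return k (5th hex digit of R_CTYPE) for a real entry, else None."""
    if "->" in line:                      # link entries carry no R_CTYPE
        return None
    m = ENTRY.match(line)
    return m.group(1)[4].lower() if m else None

def decode_k(k):
    """Expand k into the names of the flag bits that are set."""
    return [name for bit, name in sorted(K_FLAGS.items()) if int(k, 16) & bit]

def count_states(table_text):
    """Same result as the post's sort | uniq -c pipeline: entries per k."""
    digits = map(state_digit, table_text.splitlines())
    return Counter(d for d in digits if d is not None)

def half_open(table_text):
    """Entries with neither SYNACK nor established set (handshake incomplete)."""
    digits = map(state_digit, table_text.splitlines())
    return sum(1 for d in digits if d is not None and not int(d, 16) & 0xc)

if __name__ == "__main__":
    for k, n in sorted(count_states(SAMPLE).items()):
        print(f"{n:6d} k={k} ({', '.join(decode_k(k)) or 'no flags'})")
    print("not past handshake:", half_open(SAMPLE))
```

On a gateway the sample text would be replaced by the captured command output; entries whose k is 0 but whose time limit is not near the 25-second handshake timeout are exactly the cases the post's flag-based check catches and the timeout grep does not.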
Omar Mckenzie
Posts: 7 Registered: 11/21/07
Reply
Achim,

Thanks for the info. Using the CTYPE and CFLAG in scripts has proven to be very slow. Additionally, since the default TCP timeout is 25 seconds for completing the 3-way handshake, I assume that whatever is in that STATE has not been acknowledged, thus half-open.