topic Re: heavy connection Elephant Flows on VSX use tool connstat - sk85780 in Firewall and Security Management

heavy connection Elephant Flows on VSX use tool connstat - sk85780

RoyA — Tue, 02 Feb 2021 09:06:10 GMT

hello Checkmates

yesterday my end customer complain on have connection flow

i use some of tool to try investigation the traffic that make that Elephant flow with some success to rich the problem i have to tell

my question is when i use

connstat - sk85780

i see a lot of hits on rule 604 and i want to recommend to my customer to move that rule to lower number on the access rules

to ‏reduce cpu load

now how can i be sure that rule is been accelerated or not by use these tool

and how can i know that rule belong to the relevant VS * i use these commend from the VS-DMZ tcpdump -i any -w /var/log/capture.cap

thank you all!

Re: heavy connection Elephant Flows on VSX use tool connstat - sk85780

PhoneBoy — Tue, 02 Feb 2021 21:15:22 GMT

It would help if you share a screenshot of the relevant rule with version/JHF level.
Also, what blades are active?
If the issue is truly an elephant flow, moving the rule won’t necessarily solve the issue, but it could mitigate the risk.

Re: heavy connection Elephant Flows on VSX use tool connstat - sk85780

RoyA — Wed, 03 Feb 2021 07:15:04 GMT

Rule number 602 have hits of 13936, and i would like to recommend to my end customer to remove it to lower number on the access rule layer

version R80.30 VSX gaia user space FW

connstat - sk85780

screenshot :

how can i be sure that rule is been accelerated or not by use these tool ?

Re: heavy connection Elephant Flows on VSX use tool connstat - sk85780

Chris_Atkinson — Wed, 03 Feb 2021 07:47:00 GMT

CLI commands such as the following will assist you in determining where in the policy acceleration stops:

[Expert@FW]# fwaccel stat

Accelerator Status : on
Accept Templates : disabled by Firewall
disabled from rule #179

Re: heavy connection Elephant Flows on VSX use tool connstat - sk85780

Christian_Koehl — Wed, 03 Feb 2021 08:58:01 GMT

Dear RoyA,

you wrote "...and i want to recommend to my customer to move that rule to lower number on the access rules to ‏reduce cpu load..".

As far as I know, moving the most used rules to top is no more necessary since R80.x (due to the new column based matching).

Re: heavy connection Elephant Flows on VSX use tool connstat - sk85780

RoyA — Wed, 03 Feb 2021 12:30:35 GMT

hello Chris

in case these rule is been accelerated and i disabled by FW i think it could be lead to Impact

There is another way to know?

Re: heavy connection Elephant Flows on VSX use tool connstat - sk85780

RoyA — Wed, 03 Feb 2021 12:33:27 GMT

hello Christian

i think it is dependent if the rule is been accelerated if yes then no necessary to remove to the Top of the access layer

Re: heavy connection Elephant Flows on VSX use tool connstat - sk85780

Chris_Atkinson — Wed, 03 Feb 2021 12:36:18 GMT

You can review the policy logic against that described in sk32578.

For example rules with RPC / DCOM / DCE services would be a give away.