topic Re: what is the limit for the concurrent connections in Firewall and Security Management

what is the limit for the concurrent connections

tavi0906 — Wed, 11 Oct 2023 10:54:50 GMT

what is the limit or default value of concurrent connections ?

will the command fw ctl pstat will also include any expired sessions in the value ?

how to check any expired connections where present in the concurrent connections when we run the fw ctl pstat ?

Re: what is the limit for the concurrent connections

PhoneBoy — Wed, 11 Oct 2023 15:13:25 GMT

Unless you've explicitly set a limit, the limit is available memory, and depends on the features enabled.
The datasheet for the relevant appliance will tell you what is supported in this regard.

The connections table only includes active connections.
Once a connection terminates, expires, or is removed due to "aggressive aging" (an IPS protection), they are removed from the connections table.

Re: what is the limit for the concurrent connections

the_rock — Wed, 11 Oct 2023 16:39:50 GMT

@PhoneBoy explained it perfectly, thats your answer.

Andy

Re: what is the limit for the concurrent connections

tavi0906 — Thu, 12 Oct 2023 04:35:40 GMT

for 15600 appliance in datasheet what the limit ? and there are 4 VS

Re: what is the limit for the concurrent connections

G_W_Albrecht — Thu, 12 Oct 2023 07:20:38 GMT

Datasheet has:

5 to 10 million concurrent connections, 64 byte response (performance measured with default/maximum memory)

Re: what is the limit for the concurrent connections

Chris_Atkinson — Thu, 12 Oct 2023 12:06:15 GMT

In VSX the limit is manually set / configured per VS.

You should review it on a needs basis considering expected traffic & available memory capacity.

Re: what is the limit for the concurrent connections

Bob_Zimmerman — Thu, 12 Oct 2023 14:36:20 GMT

Depends on how much RAM you have. Check the output of 'free -h'. Subtract 3 GB for the OS. For just firewalling, 500k per gigabyte remaining is reasonable. For firewalling plus IPS plus threat emulation plus whatever else, expect more like 200k connections per gigabyte.

With VSX, the above gives you the total capacity of the box, which you then manually split between VSs. Even with a base 15600 with four VSs, you should be able to get over half a million connections per VS without going to extreme lengths.

Re: what is the limit for the concurrent connections

the_rock — Thu, 12 Oct 2023 14:39:02 GMT

Thats interesting. Just curious, does such calculation apply to ANY cp setup, regardless if its physical appliance or VM/open server?

Andy

Re: what is the limit for the concurrent connections

Bob_Zimmerman — Thu, 12 Oct 2023 15:31:07 GMT

Absolutely. Check Point's branded boxes are just open servers with weird PCIe slots. Take a look at the datasheets for the 15600, 16200, QLS250, etc. Very roughly, they say 16 GB supports ~6M connections, 32 GB supports 8-12M, 64 GB supports 16-25M, and 128 GB supports ~32M. Newer datasheets revise the connections per gigabyte down as new features consume some RAM.

The important thing to keep in mind is that the OS consumes some amount (generally fairly constant, and generally goes up a little with each major version), and the features you enable consume some amount per instance of the feature (i.e, per VS with it enabled).

RAM is cheap. If you're building a firewall for a given connection capacity, go with the 200k per gigabyte (or even 150k per gigabyte), give yourself an extra 25%, and round up to the next stick you need for optimal bank interleaving.

Re: what is the limit for the concurrent connections

the_rock — Thu, 12 Oct 2023 15:37:33 GMT

That makes sense. I will say though that like most fw vendors, those data sheets represent PERFECT scenario, which literally never happens, and take into an account single rule any any allow, thats it. They dont really represent any customer's actual live environment.

Andy

Re: what is the limit for the concurrent connections

Bob_Zimmerman — Thu, 12 Oct 2023 18:33:00 GMT

Connection capacity is much less sensitive to the environment than throughput is. The only real way to reduce it is enabling the deep inspection features which consume more baseline RAM, leaving less space for connections. Without those, you can actually get much higher connection counts than the datasheets suggest for a given amount of RAM.

Re: what is the limit for the concurrent connections

tavi0906 — Fri, 13 Oct 2023 05:30:20 GMT

is there any way that we can set an alerts messages in smart console or any where, when the concurrent connection reach to 80% ?

Re: what is the limit for the concurrent connections

PhoneBoy — Fri, 13 Oct 2023 15:07:32 GMT

The only way to get those alerts in SmartConsole is to enable Aggressive Aging.
However, it will be based on overall memory usage, not percentage of the connections table being full: https://support.checkpoint.com/results/sk/sk122154
Otherwise, it will need to be monitored with SNMP, Skyline, or something else.

Re: what is the limit for the concurrent connections

tavi0906 — Mon, 16 Oct 2023 04:46:01 GMT

can explain how we get an get an alert if we enable AA and how does it will works ?

and also any command to delete the TCP connections

Re: what is the limit for the concurrent connections

PhoneBoy — Mon, 16 Oct 2023 14:55:24 GMT

Aggressive Aging will generate specific logs when it is activated.
If you have SmartEvent, you should be able to run a report/trigger an alert on one of these logs.

While it is possible to remove entries from the firewall tables (including connections) using fw tab -x (with correct arguments), this is not recommended.
Refer to the docs: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CLIG/FWG/fw-tab.htm

Re: what is the limit for the concurrent connections

tavi0906 — Fri, 20 Oct 2023 04:57:34 GMT

when AA is enabled what logs will generate ?

when we have smart event on what logs we can run report/tigger report ?

if possible can explain more ?

Re: what is the limit for the concurrent connections

Chris_Atkinson — Fri, 20 Oct 2023 06:39:14 GMT

Here's an example:

Source: https://community.checkpoint.com/t5/Security-Gateways/Aggressive-Aging/td-p/49209

Re: what is the limit for the concurrent connections

tavi0906 — Mon, 05 Feb 2024 07:14:06 GMT

can we set the concurrent connection limit for specific rule which have small gruop of users ?

if yes how can get this configuration.

Re: what is the limit for the concurrent connections

the_rock — Mon, 05 Feb 2024 10:31:22 GMT

Never heard of that, but would be really useful if it can be done. Closest I can think of something like that would be QoS.

Andy

Re: what is the limit for the concurrent connections

Timothy_Hall — Mon, 05 Feb 2024 14:35:52 GMT

Sort of, check out the concurrent-conns and concurrent-conns-ratio options to fwaccel dos: sk112454: How to configure Rate Limiting rules for DoS Mitigation (R80.20 and higher) You can also limit new connection rates as well.

However this mechanism is implemented in SecureXL and thus can only match IP addresses/ranges/networks and/or port numbers for enforcement; it cannot leverage user identity/group information to my knowledge.