topic Re: SecureXL Connections Table in General Topics

SecureXL Connections Table

Roy_Smith — Mon, 17 Dec 2018 12:41:53 GMT

What is the relationship, if any, between the Connections table and the SecureXL connections table? Are these different kernel tables?

I notice if I run fw ctl pstat I get

Concurrent Connections: 35% (17793 out of 49900) - below watermark

and If I run fwaccel conns -s I get

There are 48695 connections in SecureXL connections table

I know the connections table max is set in the optimizations in Smartconsole but what is the max size of the SecureXL connections table

Thanks in advance

Roy

Re: SecureXL Connections Table

Timothy_Hall — Mon, 17 Dec 2018 13:30:45 GMT

They are different tables, implemented in two different kernel drivers. The following applies to R80.10 and earlier gateway.

SecureXL uses one instance of the simmod (SecureXL Implementation Module) driver, and connections are tracked through the cphwd_db table maintained in SecureXL. There are several other individual tables SecureXL maintains as part of its overall state table, which are documented in section 7 here: sk98722: ATRG: SecureXL

Firewall Workers have one instance of the fw_X kernel driver (sometimes called INSPECT driver/engine) per defined worker/kernel instance, and tracks connections through the shared "connections" table which is only one component of the overall state table. Best description of the contents of the connections table is here: sk65133: Connections Table Format

Initially all new connections arrive at the SecureXL driver inbound, then go through the Firewall Path (F2F) for an initial Firewall policy lookup, and if they are accepted an entry is added to the "connections" state table. When the packet leaves the INSPECT driver on the outbound side, the accepted packet passes through SecureXL and a connection entry is created in the cphwd_db table for future tracking.

The maximum size of the SecureXL cpwd_db table matches the maximum set for the connections table (FW Object...Optimizations...Capacity Optimization...Calculate the maximum limit for concurrent connections), but note that each individual connection is tracked as at least two separate flows of packets (c2s/outbound, s2c/inbound) and if the connection is NATted there are four separate flows being tracked (c2s/outbound pre-NAT, c2s/outbound post-NAT, s2c/inbound pre-NAT, s2c/inbound post-NAT). This is why the reported number of connections (actually "flows") by fwaccel conns (SecureXL) or fw tab -t connections (INSPECT) may appear to be much higher than the number of "connections".

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: SecureXL Connections Table

Roy_Smith — Mon, 17 Dec 2018 17:06:16 GMT

Timothy

Really helpful reply and thanks for the links.

So, when setting the maximum for the connections table, I need to consider the number of connections being seen by fwaccel conns, which could be up to 4 times the number of connections set via Smartconsole. Would that be correct?

Roy

Re: SecureXL Connections Table

Timothy_Hall — Mon, 17 Dec 2018 19:50:43 GMT

No, you don't need to account for connections vs. flows when setting maximum number of connections in the SmartConsole. The fact that there are many flows being tracked as the same "connection" is already included in the resulting kernel memory allocations derived from the max connections number. I was just explaining why you might see far more connections (flows) than you might otherwise expect when running the various commands. All the flows of a connections are symbolically linked with SLINKs to each other.

Unless you are using SecurePlatform or IPSO, you should just set maximum connections to "Automatically" anyway and the only limiting factor to the number of concurrent connections at the point will be available kernel memory.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: SecureXL Connections Table

Roy_Smith — Tue, 18 Dec 2018 08:21:36 GMT

Everything I read says to leave connections to "Automatically" but I am using a VSX cluster. You can set the connections to automatic on the VSX object but not on the VS level. From hard experience, the default setting of 15000 is not enough. I have increased it which has improved things but I am still looking at various things to improve performance further.

Re: SecureXL Connections Table

Timothy_Hall — Tue, 18 Dec 2018 13:17:01 GMT

My book and TechTalk presentation (TechTalk: Security Gateway Performance Optimization with Tim Hall ) do not specifically cover VSX but the general optimization principles still hold true. Kaspars Zibarts‌ did put together this nice post specifically covering VSX though:

Security Gateway Performance Optimization - VSX

And or course Michael Endrizzi's aging but still relevant presentation here:

VSX & CoreXL Training- You’ll love the price | DreezSecurityBlog

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com