Sorin_Gogean
Advisor

Aggressive Aging and pre-determined behavior

Hello guys,

Lately I started to get some strange complaints of connections being dropped randomly, and while investigating, we determined that the main reason was HIGH memory usage (around 90-95%) on a cluster member (15600 GW with HPP, 32GB memory).

Doing some reading on this, I understood that HIGH memory utilization triggers "Aggressive Aging", and while that mechanism is active, random idle connections get dropped.


Quick fix, was to move over to the next cluster member, and all problems went away, but still....


Now, in order to prevent this, I thought of some ways we could apply so that certain traffic will not be impacted by "Aggressive Aging".

First, we opted to add the affected application port and disable "Aggressive Aging" on it. Would this do the trick, or when "Aggressive Aging" gets triggered, doesn't it matter what we set on some ports?

Secondly, we were thinking that, since it's known traffic, we could add "SecureXL Fast Accelerator" rules, and that traffic would not be affected by "Aggressive Aging"? Is that statement/logic correct, or not?


So, did any of you encounter similar issues and if so, how did you handle them?

Also, any hint on how we can monitor memory utilization per blade? (If that is possible.)


Thank you for sharing your ideas,


PS: we're currently on R80.30 on the GWs, but in 2 weeks we'll upgrade to R81.

_Val_
Admin
Admin

Aggressive Aging is also used in IPS profiles as a DDoS protection mechanism.

One of the triggers is indeed memory consumption, together with CPU utilization (by default).

Check what you have there. Just in case you do not remember how to get there, quoting from sk112241:

In SmartConsole R8X:

  1. On the Navigation Toolbar, click on the MANAGE & SETTINGS app.

  2. Click on the Blades.

  3. In General section, click on the Inspection Settings... button.

  4. In left tree, click on the General.

  5. Search for Aggressive Aging.

  6. Right-click on the Aggressive Aging - click on the Edit....

  7. Select the relevant IPS profile - click on the Edit (pencil) button.

  8. In the left tree, click on the General Properties - select Override with Action - select Drop.

  9. In the left tree, click on the Advanced - click on the Configure... button - configure the following values - click on OK:

    Timeout | Value | Description
    TCP start timeout | 5 | A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
    TCP session timeout | 600 | Length of time an idle connection will remain in the Security Gateway connections table.
    TCP end timeout | 3 | A TCP connection will only terminate TCP end timeout seconds after two TCP [FIN] packets (one in each direction: client-to-server and server-to-client) or a TCP [RST] packet. When a TCP connection ends ([FIN] packets sent or connection reset), the Check Point Security Gateway keeps the connection in the Connections table for another TCP end timeout seconds, to allow for stray TCP [ACK] packets of the connection that arrive late.
    UDP virtual session timeout | 15 | Specifies the amount of time a UDP reply channel may remain open without any packets being returned.
    ICMP virtual session timeout | 3 | An ICMP virtual session will be considered to have timed out after this time period.
  10. Configure desired threshold when to enforce the Aggressive Aging Timeouts.

  11. Click on OK to close the "Aggressive Aging" properties window.

  12. Click on the "Close" button to close the "Aggressive Aging" properties window with IPS profiles.

  13. Close the "Inspection Settings" window.

  14. Install the Access Policy on Security Gateway.

Mind, you may want to set it to "Inactive" on all profiles you use. That said, if it is triggered, there might be a bigger problem.

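As an added illustration (not code from this thread or from Check Point), here is a small model of the aging decision using the aggressive timeouts quoted from sk112241 above. The normal-mode defaults, the trigger thresholds and the AND/OR combination of memory and CPU are assumptions for the example; the point it makes is that the decision depends only on connection state and idle time, so a destination port is never consulted, which is consistent with Val's answer that a per-port exemption is not available.

```python
from dataclasses import dataclass

# Per-state idle timeouts in seconds. AGGRESSIVE holds the values quoted from
# sk112241 above; NORMAL holds assumed normal-mode defaults (an assumption
# for this example, not taken from the thread).
NORMAL = {"tcp_start": 25, "tcp_session": 3600, "tcp_end": 20, "udp": 40, "icmp": 30}
AGGRESSIVE = {"tcp_start": 5, "tcp_session": 600, "tcp_end": 3, "udp": 15, "icmp": 3}


@dataclass
class Conn:
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; never consulted by the aging logic below
    state: str   # tcp: "start", "established", "end"; udp/icmp: "virtual"
    idle: int    # seconds since the last packet of this connection


def timeout_key(c: Conn) -> str:
    """Map a connection's protocol/state to the timeout row that governs it."""
    if c.proto == "tcp":
        return {"start": "tcp_start", "established": "tcp_session", "end": "tcp_end"}[c.state]
    return c.proto


def aggressive_active(mem_pct: float, cpu_pct: float, mem_threshold: float = 80,
                      cpu_threshold: float = 80, require_both: bool = False) -> bool:
    """Simplified trigger model: resource usage crossing the profile threshold.
    Threshold values and the AND/OR combination are assumptions for this example."""
    over_mem, over_cpu = mem_pct >= mem_threshold, cpu_pct >= cpu_threshold
    return (over_mem and over_cpu) if require_both else (over_mem or over_cpu)


def aged_out(conns, mem_pct, cpu_pct):
    """Return (proto, dport) of every connection whose idle time exceeds the
    timeout that applies under the current gateway load."""
    table = AGGRESSIVE if aggressive_active(mem_pct, cpu_pct) else NORMAL
    return [(c.proto, c.dport) for c in conns if c.idle > table[timeout_key(c)]]


# Constructed sample entries, not a real connections table dump.
SAMPLE = [
    Conn("tcp", 1521, "established", 900),  # idle database session
    Conn("tcp", 443, "established", 300),
    Conn("tcp", 8443, "start", 10),         # handshake not yet completed
    Conn("tcp", 22, "end", 10),             # FIN seen, waiting for stray ACKs
    Conn("udp", 514, "virtual", 20),
    Conn("icmp", 0, "virtual", 5),
]

if __name__ == "__main__":
    print("normal load:  ", aged_out(SAMPLE, 60, 40))
    print("memory at 95%:", aged_out(SAMPLE, 95, 40))
```

Under normal load none of the sample entries is aged out; once the memory trigger fires, every entry except the 300-second-idle HTTPS session exceeds its aggressive timeout, regardless of port.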
Sorin_Gogean
Advisor

Hello Val, 


We have it enabled on the IPS profile with default settings, and I'm not thinking of removing/disabling it, yet.

What we were after is a "kind of" workaround for specific ports (in the case of the first option we thought of) or network ranges with a SecureXL rule.

Also, while reading about this, we found a third option: enable "the firewall to send a TCP RST packet to both participants of a connection that has been idled out" with "fw_rst_expired_conn", which would also make "aggressive aging" smoother for connections.

Thank you,

_Val_
Admin
Admin

I do not believe it is possible.
