Hi all,
I have two questions about this subject:
I think I read an SK article about sending this information to /var/log/messages or $FWDIR/log/*.elg, but I can't find it anymore.
Thanks in advance.
Ivo
Hi Ivo,
You can reset the connection details with the following command, but it will remove the whole connections table.
fw tab -t connections -x
Another option is to reboot the gateway.
You can check the peak connection limit with the commands below.
fw tab -t connections -s
fw ctl pstat
Hi Gaurav,
Thanks for your reply, but deleting all connections or rebooting the gateway is a bit overkill.
The easiest way is to raise the connection limit, but that is still not a great solution.
Ivo
Hi,
But to reset the statistics, those are the only options, I think.
As long as the maximum connection limit is set to "Automatically" on the firewall/cluster (sk105504: Traffic is dropped with "dropped by fwconn_memory_check Reason: full connections table" er... ) you should never bump into any kind of limit for the connections table, unless the system itself is low on free memory which will introduce a bunch of other problems. The setting "Automatically" is selected by default if the firewall object is set for Gaia as the OS.
However if you have somehow reached the limit, the error message shown in the SK above will appear in the firewall logs sent to the SMS, and I think it will also be dumped into the syslog (/var/log/messages) on the firewall itself. The Inspection Setting Aggressive Aging can be leveraged to send a "canary in the coal mine" notification that the connections table is almost full.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Hi Tim,
Ok, my environment is VSX! It's not possible to set "Automatically". I believe the "reached the limit" event is not sent, by default, to /var/log/messages nor to the SMS log. (As I said, I think there is an SK to do that, but I can't find it anymore.)
Aggressive Aging is maybe a good solution because, for sure, it is logged in the SMS logs.
Thanks for your response.
Would it be theoretically possible, with Automatic calculation, that in case of, let's say, a DDoS attack, a large number of connections would eat up all memory and we'd lose the management connection to the box or encounter other problems?
Sure that is possible, but hitting the connections limit will deny new connections from starting through the firewall and cause problems that are noticeable to your users. As long as Aggressive Aging is enabled (which I'm pretty sure it is by default under Inspection Settings) the firewall shouldn't get to the point of having management problems in this situation.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
As per my understanding, in order to have Aggressive Aging enabled with an R77.30 Management server, an IPS profile has to be applied; otherwise we get this:
System Capacity Summary:
Memory used: 8% (501 MB out of 5687 MB) - below watermark
Concurrent Connections: 1% (2976 out of 249900) - below watermark
Aggressive Aging is disabled
On a gateway that enforces the Default IPS profile (with an inactive contract):
System Capacity Summary:
Memory used: 20% (267 MB out of 1318 MB) - below watermark
Concurrent Connections: 35% (17846 out of 49900) - below watermark
Aggressive Aging is not active
However, in R80.10, under Inspection Settings, the Default IPS profile is applied by default on all gateways, which is why Aggressive Aging is enabled everywhere.
So, taking this into account, I believe it is not worth going with automatic connections calculation if you have Management on R77.30.
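The two capacity summaries quoted above, together with the `fw tab -t connections -s` peak counter from the earlier reply, are enough to build the early warning the thread is asking for without resetting anything. The script below is an added example for this thread, not Check Point code: it parses the "System Capacity Summary" block as quoted above and the `fw tab -s` table row, then flags a peak close to the limit or an inactive Aggressive Aging state. The `fw tab -s` column layout (HOST NAME ID #VALS #PEAK #SLINKS) is assumed here and should be checked against a real gateway; all sample output is constructed from the numbers in the thread.

```python
"""Assess Check Point connections-table health from captured command output.

Added example for this thread (not Check Point's own code). The sample
strings are constructed; the `fw tab -s` column layout is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: "System Capacity Summary" as printed by `fw ctl pstat`
# (format quoted in the thread; peak figure chosen to be near the limit).
SAMPLE_PSTAT = """\
System Capacity Summary:
Memory used: 20% (267 MB out of 1318 MB) - below watermark
Concurrent Connections: 35% (17846 out of 49900) - below watermark
Aggressive Aging is not active
"""

# Constructed sample: `fw tab -t connections -s` (column layout assumed).
SAMPLE_TAB = """\
HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158 17846 48120 35692
"""


@dataclass
class ConnTableStatus:
    current: int                  # concurrent connections right now
    limit: int                    # configured table limit
    peak: Optional[int]           # #PEAK column from fw tab -s, if parsed
    aggressive_aging_enabled: bool

    @property
    def peak_pct(self) -> Optional[float]:
        """Peak as a percentage of the configured limit."""
        if self.peak is None:
            return None
        return 100.0 * self.peak / self.limit


def parse_pstat(text: str) -> ConnTableStatus:
    """Extract connection counts and Aggressive Aging state from fw ctl pstat."""
    m = re.search(r"Concurrent Connections:\s*\d+%\s*\((\d+) out of (\d+)\)", text)
    if not m:
        raise ValueError("no 'Concurrent Connections' line found")
    current, limit = int(m.group(1)), int(m.group(2))
    aa = re.search(r"Aggressive Aging is ([^\n]+)", text)
    state = aa.group(1).strip().lower() if aa else "unknown"
    # Only an explicit positive state counts; "disabled", "not active" and a
    # missing line are all treated as "no early warning available".
    enabled = aa is not None and "not" not in state and "disabled" not in state
    return ConnTableStatus(current, limit, None, enabled)


def parse_tab_peak(text: str) -> int:
    """Return the #PEAK column of the 'connections' row from fw tab -s output."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[1] == "connections":
            return int(cols[4])
    raise ValueError("no 'connections' row found")


def assess(pstat_text: str, tab_text: str,
           watermark_pct: float = 80.0) -> Tuple[ConnTableStatus, List[str]]:
    """Combine both outputs and return the status plus a list of findings."""
    status = parse_pstat(pstat_text)
    status.peak = parse_tab_peak(tab_text)
    findings: List[str] = []
    if not status.aggressive_aging_enabled:
        findings.append("Aggressive Aging is off: no early warning before the table fills")
    if status.peak_pct is not None and status.peak_pct >= watermark_pct:
        findings.append(f"peak {status.peak} is {status.peak_pct:.1f}% of limit {status.limit}")
    return status, findings


if __name__ == "__main__":
    st, issues = assess(SAMPLE_PSTAT, SAMPLE_TAB)
    print(f"current={st.current} limit={st.limit} peak={st.peak}")
    for issue in issues:
        print("WARNING:", issue)
```

Run on a gateway, the two strings would come from the command output (for example captured by a cron job) and the findings would be shipped to whatever alerting you already have; the threshold of 80% is an arbitrary default chosen for the example.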
Not sure if it is what you are looking for, but you can generate alerts by monitoring the number of connections with SNMP OID 1.3.6.1.4.1.2620.1.1.25.3.
I think you just want to reset the statistics.
Never found any way either.
Best regards
Vince