Connections Peak/Limit
Hi all,
I have two questions about this subject:
- Is there a way to clear the PEAK connection value?
- When I reach the connection limit, where does the firewall log this information?
I think I read an SK article about sending this information to /var/log/messages or $FWDIR/log/*.elg but I can't find it anymore.
Thanks in advance.
Ivo
Hi Ivo,
You can reset connection details with the following command, but it will remove the whole connection table.
fw tab -t connections -x
Another option is to reboot the gateway.
You can check the peak connection limit with the commands below.
fw tab -t connections -s
fw ctl pstat
Hi Gaurav,
Thanks for your reply, but deleting all connections or rebooting the gateway is a bit overkill.
The easiest way is to raise the connection limit, but still it's not a great solution.
Ivo
Hi,
But to reset the statistics, those are the only options, I think.
As long as the maximum connection limit is set to "Automatically" on the firewall/cluster (sk105504: Traffic is dropped with "dropped by fwconn_memory_check Reason: full connections table" er... ), you should never bump into any kind of limit for the connections table, unless the system itself is low on free memory, which will introduce a bunch of other problems. The setting "Automatically" is selected by default if the firewall object is set for Gaia as the OS.
However, if you have somehow reached the limit, the error message shown in the SK above will appear in the firewall logs sent to the SMS, and I think it will also be dumped into the syslog (/var/log/messages) on the firewall itself. The Inspection Setting Aggressive Aging can be leveraged to send a "canary in the coal mine" notification that the connections table is almost full.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Hi Tim,
Ok, my environment is VSX! It's not possible to set "Automatically". I believe the "reached the limit" message is not sent, by default, to /var/log/messages nor to the SMS log. (As I said, I think there is an SK to do that, but I can't find it anymore.)
Aggressive Aging is maybe a good solution because, for sure, it's logged in the SMS logs.
Thanks for your response
Would this be theoretically possible, having automatic calculation, that in case of, let's say, a DDoS attack, a large amount of connections would eat up all memory and we'd lose the management connection to the box or encounter other problems?
Sure, that is possible, but hitting the connections limit will deny new connections from starting through the firewall and cause problems that are noticeable to your users. As long as Aggressive Aging is enabled (which I'm pretty sure it is by default under Inspection Settings), the firewall shouldn't get to the point of having management problems in this situation.
As per my understanding, in order to have Aggressive Aging enabled with an R77.30 Management server, an IPS profile has to be applied, otherwise we get this:
System Capacity Summary:
Memory used: 8% (501 MB out of 5687 MB) - below watermark
Concurrent Connections: 1% (2976 out of 249900) - below watermark
Aggressive Aging is disabled
On the gateway which enforces the Default IPS profile (with inactive contract):
System Capacity Summary:
Memory used: 20% (267 MB out of 1318 MB) - below watermark
Concurrent Connections: 35% (17846 out of 49900) - below watermark
Aggressive Aging is not active
However, in R80.10 under Inspection Settings the Default IPS profile is applied by default on all gateways, which is why Aggressive Aging is enabled everywhere.
So, taking this into account, I believe that it is not worth going with automatic connections calculation if you have Management on R77.30.
Not sure if it is what you are looking for, but you can generate alerts monitoring the number of connections with the SNMP OID 1.3.6.1.4.1.2620.1.1.25.3
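Since the thread never settles on a clean way to get an early warning before the table fills, here is a small watermark check that ties together the commands Gaurav posted (fw tab -t connections -s, fw ctl pstat) and the capacity summary quoted above. This is an added example, not code from the thread or from Check Point; the column layout of fw tab (HOST NAME ID #VALS #PEAK #SLINKS) and the "out of N" wording of fw ctl pstat are assumptions, and both sample outputs are constructed rather than captured.

```shell
#!/bin/sh
# Watermark check on the Check Point connections table (added example, not from the thread).
# On a real gateway you would feed live output instead:
#   FWTAB=$(fw tab -t connections -s); PSTAT=$(fw ctl pstat)
# or read the same counter via SNMP OID 1.3.6.1.4.1.2620.1.1.25.3 (not done here).

# Constructed sample of `fw tab -t connections -s` (assumed column layout, not real capture).
SAMPLE_FWTAB='HOST                  NAME                          ID   #VALS   #PEAK  #SLINKS
localhost             connections                 8158   17846   21012        0'

# Constructed sample line from `fw ctl pstat`; the numbers are the ones quoted in the thread.
SAMPLE_PSTAT='Concurrent Connections: 35% (17846 out of 49900) - below watermark'

# Current number of entries: column 4 of the "connections" row.
conn_vals()  { printf '%s\n' "$1" | awk '$2 == "connections" { print $4 }'; }
# Peak number of entries since the table was last cleared: column 5.
conn_peak()  { printf '%s\n' "$1" | awk '$2 == "connections" { print $5 }'; }
# Configured limit: the number after "out of" in the pstat summary line.
conn_limit() { printf '%s\n' "$1" | sed -n 's/.*out of \([0-9][0-9]*\)).*/\1/p'; }

# Integer percentage of the table in use (current / limit).
usage_pct() { echo $(( $1 * 100 / $2 )); }

# Exit status 0 when usage has reached the watermark percentage, 1 otherwise.
check_watermark() { [ "$1" -ge "$2" ]; }

# Prints "OK <pct>%" or "ALERT <pct>%" for current, limit and watermark arguments.
classify() {
  pct=$(usage_pct "$1" "$2")
  if check_watermark "$pct" "$3"; then
    echo "ALERT ${pct}%"
  else
    echo "OK ${pct}%"
  fi
}

# Stand-alone run over the constructed samples with an 80% watermark.
cur=$(conn_vals "$SAMPLE_FWTAB")
lim=$(conn_limit "$SAMPLE_PSTAT")
echo "current=$cur peak=$(conn_peak "$SAMPLE_FWTAB") limit=$lim $(classify "$cur" "$lim" 80)"
```

Run it from cron on the gateway (or per VS on VSX) and forward the ALERT line to syslog or your monitoring system; that gives the "almost full" signal without waiting for the fwconn_memory_check drop.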
I think you just want to reset the statistics.
Never found any way either.
Best regards
Vince
