LuisSP
Collaborator

How to modify URLF cache size on a locally managed SMB 1490?

Hello everybody. 

Users report that on websites they usually use during the day, from time to time a block appears because the WEB BROWSING category is not allowed, but after a few seconds they are allowed to navigate to the requested site.

The same happens for non-allowed sites: first it looks like a block because WEB BROWSING is not allowed, and then the block appears for the most specific category to which the site belongs.

I think this is a problem with the URLF cache. I read SK90422, "How to modify URL Filtering cache size?"; that document says the cache size is 20,000, but if I run this on my FW...

watch -n 20 fw tab -t urlf_cache_tbl -s

I find the cache size is 2,000, resetting approximately every 70 minutes. So I wish to increase the cache size... but how can I do it?

If you think the issue is caused by another factor, I'm open to recommendations.

 

Thanks.

0 Kudos
8 Replies
G_W_Albrecht
Legend

SK90422 is not valid for GAiA Embedded, and when you read: "The URL Filtering cache limit default value is 20 000, which is usually enough for a Security Gateway holding 1000 users", you will know that this could not be valid for 1490 SMB GWs 😉

So I would suggest contacting TAC!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LuisSP
Collaborator

OK, thanks for the reply and constructive criticism. I'm going with TAC.
0 Kudos
HristoGrigorov

How many users do you have behind the gateway? I am not sure increasing the table size will solve the problem. 20K is quite a lot already and there must be another reason for the table to overflow.

0 Kudos
LuisSP
Collaborator

Hi Hristo. My FW doesn't reach 20K, only up to 2K. Because of the COVID pandemic, there are not many people, a few, 10 I guess; however, there are many devices working, I think 30 devices (servers, desktops, IoT), and users frequently open many browser tabs at the same time, opening more websites.

Do you think the above numbers are not enough to require changing the cache size?
0 Kudos
HristoGrigorov

A little known fact is that URL categorization happens in CheckPoint Cloud. If that is a slow process (for whatever reason) you may start experiencing what you do - URLs are initially blocked because they cannot be categorized on time. When centrally managed there is a way to configure URL inspection to happen in background allowing connections while categorization completes. Don't know if that is possible when appliance is locally managed.

When cache is full it shall auto-clear itself. I really don't think problem is in the cache table itself and increasing its size will only postpone the problem by some time.

0 Kudos
G_W_Albrecht
Legend

In fact, locally managed SMB appliances have a couple of Advanced Settings to configure URLF (setting /type/default/details):

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LuisSP
Collaborator

I know some of these settings. By the way, "Application Control and URL Filtering - Custom App over HTTPS" was useless for dealing with Cloudflare SNI certificates (subject=sni.cloudflaressl.com); however, the comment in the same settings window says that this setting may or may not work.

How do you deal with SNI certificates? I asked this question here on CheckMates some time ago; the recommendations I received were to upgrade to R80.X (new appliance) or to bypass HTTPS inspection by destination IP address.

0 Kudos
LuisSP
Collaborator

I have URL inspection in the background. Furthermore, I recently monitored urlf_cache with the command

[Expert@gwradsys]# fw tab -t urlf_cache_tbl -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost urlf_cache_tbl 197 1553 0 0

 

When VALS reaches 2000, the cache is emptied. But VALS also decreases in some circumstances because of the TTL of the websites registered in that table. So I wish to enlarge the table to a value where reaching the VALS limit is less probable, or at least less frequent.

I did contact TAC. I will share the results later.

 

Thanks

0 Kudos
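
Added example, not part of any post in this thread and not Check Point code: a shell sketch of the monitoring described above, which separates a wholesale flush of urlf_cache_tbl from the gradual TTL-driven decrease and reports the interval between flushes. The function names, the 90%/10% thresholds, the availability of awk on the appliance and the sample series are assumptions; the summary sample is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: function names and the 90%/10% thresholds are assumptions.

# Print #VALS for urlf_cache_tbl from one `fw tab -t urlf_cache_tbl -s` summary
# on stdin. Columns are found by header name, not by fixed position.
vals_from_summary() {
    awk -v tbl=urlf_cache_tbl '
        $1 == "HOST" { for (i = 1; i <= NF; i++) c[$i] = i; next }
        c["#VALS"] && $(c["NAME"]) == tbl { print $(c["#VALS"]); exit }'
}

# Read "epoch_seconds vals" samples on stdin; print one line per flush.
# A flush is a sample at or above hi% of the limit followed directly by one
# at or below lo%. TTL expiry lowers VALS gradually and never matches both.
flush_report() {   # usage: flush_report LIMIT [HI_PCT] [LO_PCT]
    awk -v limit="$1" -v hi="${2:-90}" -v lo="${3:-10}" '
        NR > 1 && prev >= limit * hi / 100 && $2 <= limit * lo / 100 {
            gap = (last == "") ? "-" : int(($1 - last) / 60)
            printf "flush at=%s prev=%s now=%s gap_min=%s\n", $1, prev, $2, gap
            last = $1
        }
        { prev = $2 }'
}

# On the gateway (defined but not called here): one sample every 20 seconds.
collect_samples() {
    while :; do
        vals=$(fw tab -t urlf_cache_tbl -s | vals_from_summary)
        printf '%s %s\n' "$(date +%s)" "$vals"
        sleep 20
    done
}

# Summary as quoted in the thread.
SAMPLE_SUMMARY='HOST NAME ID #VALS #PEAK #SLINKS
localhost urlf_cache_tbl 197 1553 0 0'
# Constructed sample series (epoch seconds, VALS); limit 2000 as observed above.
SAMPLE_SERIES='0 1200
1200 1700
2400 1650
3600 1990
3620 12
5000 900
7800 1995
7820 40'
printf '%s\n' "$SAMPLE_SUMMARY" | vals_from_summary
printf '%s\n' "$SAMPLE_SERIES" | flush_report 2000
```

Redirecting `collect_samples` to a file and feeding that file to `flush_report 2000` gives flush timestamps that can be lined up with the times users report the temporary WEB BROWSING block.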
