This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
starmen2000
Collaborator
Collaborator
‎2023-08-02 10:46 AM
Jump to solution

Connection peak exceeded on vsx

Hi mates

 

I'm getting a 'Vsx firewall peak connection exceeded' warning. It has given me this warning twice in two days. The limit is set to 24,000. How can we increase this limit on VSX?

 

Thanks 

0 Kudos
1 Solution

Accepted Solutions
Bob_Zimmerman
Authority
Authority
‎2023-08-03 07:54 AM
In response to Alex-
Jump to solution

I would bump it to 250k or more. The point of the hard connections table limit is to protect other VSs on the system from resource exhaustion attacks against one VS. That is, if someone tries to fill up the connections table of your Internet VS, they won't also take down your interior VSs or the VS handling a second Internet connection. Ever since R67 (the first version to move to the 2.6 kernel), the connections table has been able to use many gigabytes of space, so the practical limit for the whole box is generally in the tens of millions of connections.

Unless you're running a hundred VSs on a box, or you're running with very little RAM, tiny tables don't protect you from anything. Instead, they just shoot you in the foot like this over and over as load increases.

View solution in original post

(1)
6 Replies
Alex-
Leader Leader
Leader
‎2023-08-02 12:52 PM
Jump to solution

You can modify the maximum number of connections in a VS by editing the VS, selecting Optimizations and entering the desired number.

Press OK, then install the policy.

the_rock
Legend
Legend
‎2023-08-02 04:05 PM
Jump to solution

Below is what @Alex- is referring to. I would strongly suggest you choose automatic option, as gateway itself calculates the amount handles based on cpu/memory.

Andy

 

Screenshot_1.png

0 Kudos
Alex-
Leader Leader
Leader
‎2023-08-02 10:49 PM
In response to the_rock
Jump to solution

On VSX, this option is grayed out and you need a manual entry, So if 24K peaks every now and then you could go to 30 or 40K and monitor with either HCP or vsx stat -l.

0 Kudos
the_rock
Legend
Legend
‎2023-08-03 04:59 AM
In response to Alex-
Jump to solution

Ah yes, right, I totally forgot about that : - (. I recall back in R77.30, was the same way, pretty sure.

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-08-03 07:54 AM
In response to Alex-
Jump to solution

I would bump it to 250k or more. The point of the hard connections table limit is to protect other VSs on the system from resource exhaustion attacks against one VS. That is, if someone tries to fill up the connections table of your Internet VS, they won't also take down your interior VSs or the VS handling a second Internet connection. Ever since R67 (the first version to move to the 2.6 kernel), the connections table has been able to use many gigabytes of space, so the practical limit for the whole box is generally in the tens of millions of connections.

Unless you're running a hundred VSs on a box, or you're running with very little RAM, tiny tables don't protect you from anything. Instead, they just shoot you in the foot like this over and over as load increases.

(1)
genisis__
Leader Leader
Leader
‎2023-08-03 01:44 PM
In response to Alex-
Jump to solution

The easiest way to monitor is via SNMP.

I've setup a table which combines Connection Limit, Current connections & Peak Connections.  In this way you can monitor over time.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events