sk35990:
Aggressive Aging is activated in IPS profile, or new connections may be dropped for the reason that the Connections Table is full when a given CoreXL Firewall instance has far fewer connection entries than the Connections Table limit, or the 80% threshold to activate Aggressive Aging as seen in the output of 'fw ctl multik stat' command. It is enabled by default in R80.10 and above.
sk167358:
High (90% to 100%) CPU use on SND cores after a Security Gateway upgrade from R77.x to R80.x (with the same load and same configurations). The protection impacts SecureXL performance because it works in FW and requires SecureXL to calculate timeouts per packet and to update the FW instance every few packets. This may result in an added load on the system.
We can choose between CPU and connection tabel dead😀.
I had some problems with AA in the past. I also observed that with heavy AA usage the CPU loaded is approximately 10% higher. I this cases I usually turn it off.
It would be nice if there would be a SK that describes which mode (AA on/off) would be better in which situation.
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips