This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Young_Wook_Choi
Contributor
‎2020-12-28 06:24 PM

R80.40 (Take 89) Gateway Session Count Issue

Hi,

I recently upgraded the gateway.
(R80.10 to R80.40 with HFA 89)

The management server of this gateway is version R80.20.
(The R80.20 management server can manage the R80.40 gateway.)

There are issues after upgrade.

1. The count of sessions has been increased.
In almost the same traffic environment, the number of counts has increased compared to the previous version (R80.10).

If I type the command "cpstat -f policy fw | grep conn" 10 times at 1 second intervals it keeps the same count. (This should be changed in real time.) But if I type CPview or "fw tab -t connections -s" command, it changes in real time.

Global setting of Session Timeout is the same as before. (R80.10)

Are there any changes to the mechanism for counting sessions in R80.40?

2. The fw_full process is too busy.

The gateway model is the CPAP 23800 model.
1) 1.5 ~ 2 Gbps
2) 2,500 ~ 3,000 CPS
3) 200,000 ~ 250,000 PPS
4) 250,000 ~ 300,000 Sessions

The fw_full process shows 100% usage every 10-20 seconds.
This gateway uses IPS and FW blades.

0 Kudos
4 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-12-29 01:23 AM

Apart from the different counts, what is the current issue - is the total load on GW higher now as before ? Is traffic dropped ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Young_Wook_Choi
Contributor
‎2020-12-29 02:29 AM
In response to G_W_Albrecht

There is nothing other than the issue of storing a lot of session tables.
There is no problem with the service.

0 Kudos
Young_Wook_Choi
Contributor
‎2020-12-29 01:35 AM

I have found the cause of this issue.

In R80.10 version, "Timeout setting" is properly applied and working.
(Global Properties "Stateful Inspection" setting)

However, in R80.40 this setting does not work properly.
Therefore, the gateway has many session tables.

HFA 91 (Ongoing) reported that the following issues were resolved.

1.jpg

2.jpg

3.jpg

4.jpg

5.jpg

6.jpg

Below is the setting in R80.40 and the session table timeout. 

11.jpg

12.jpg

13.jpg

14.jpg

15.jpg

Young_Wook_Choi
Contributor
‎2020-12-29 05:32 PM

I installed the R80.40 HFA Take91.
However, the timeout setting value of the "Stateful Inspection" setting is not applied.

The timeout of BOTH_FIN is different for each session, not 3600.
SRC_FIN or DST_FIN is the same symptom.

They are not all the same as in versions prior to R80.10.
(It is not the same as the setting value of "Stateful Inspection".)

I did see  sk110672 that when SecureXL works, it adds 5 seconds.

Is there any change in the session timeout mechanism of the connection table in R80.40?

21.jpg

22.jpg

Preview file
419 KB
Preview file
35 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events