This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Hall
Legend Legend
Legend
Monday

R82 VSXNext Capacity Optimization - Automatically?

So it would appear that R82 Virtual Systems created under VSXNext now support the setting "Automatically" under Capacity Optimization...Calculate the maximum limit for concurrent connections.  In traditional VSX only the setting Manually was allowed, and the administrator had to set a hard limit on the number of connections for that VS.  My impression was this was to ensure that a single VS could not get blasted with a huge number of connections (DoS or something) and consume all available memory on the VSX appliance, thus impacting the other VS's on the same appliance.

So now that it appears Automatically is allowed in R82 VSXNext, is there some built-in mechanism to avoid this situation?  Some kind of fair memory allocation strategy to VS's for the connections table?  There doesn't seem to be any documentation about this.  Thanks!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
6 Replies
PhoneBoy
Admin
Admin
Monday

I suspect this is a side effect of the fact there isn't a distinction between "regular gateways" and "virtual systems" with VSnext, i.e. because they use the same type of gateway object now.
How it handles memory allocation in this situation...can't say.

0 Kudos
ShaiF
Employee
Employee
Monday

Hi @Timothy_Hall,

There is no hiding restriction in VSNext. By default each VS get unlimited connections.

Customers who would like to restrict connections limit for VS in VSNext can easily do it as it was SGW (Same UX). Go to the VS object under "optimizations" and move from Automatically to their preferred number.

The reason for change is that looking on our past customers incidents we saw many cases where customers faced outages due to the fact connections limit were not adjusted to the grow of the company.

Our DDos protections make sure no connections will be open for the suspected tuples.

Regards,

Shai.

 

 

Preview file
22 KB
Timothy_Hall
Legend Legend
Legend
Tuesday
In response to ShaiF

Got it, thank you!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Timothy_Hall
Legend Legend
Legend
15 hours ago
In response to ShaiF

Hi @ShaiF can you please elaborate on this statement:

"Our DDos protections make sure no connections will be open for the suspected tuples."

So if in a R82 VSNext environment if all VS's are set to "Automatically" and a connection-oriented DoS attack is launched against one of the VS's, what is to keep that VS from consuming an excessive amount of memory thus affecting other VS's on the same system? 

You mentioned DDoS protections (I assume you mean fwaccel dos), are these enabled by default in a VSNext environment?  What would be the best practices for a VSNext environment where some or all VS's are set automatically?  I would assume minimally making sure Aggressive Aging is enabled, but how should the Advanced settings for this protection be optimized for this kind of environment?  Any recommendations for fwaccel dos settings beyond the defaults in an "automatically" VSXNext environment?  Thanks!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
JozkoMrkvicka
Authority
Authority
12 hours ago
In response to ShaiF

Was something changed in R82 in regards of CoreXL for VS ? By default, 1 IPv4 and 1 IPv6 core is assigned for each VS.

Kind regards,
Jozko Mrkvicka
0 Kudos
Chris_Atkinson
Employee Employee
Employee
7 hours ago
In response to JozkoMrkvicka

It's not discussed here if it was:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RN/Content/Topics-RN/Software-Chan...

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events