RoyA
Explorer

Heavy connection (elephant flows) on VSX, using the tool connstat - sk85780

Hello CheckMates,

Yesterday my end customer complained about a heavy connection flow.

I used some tools to try to investigate the traffic that makes that elephant flow, with some success in reaching the problem, I have to say.

My question is, when I use

I see a lot of hits on rule 604 and I want to recommend to my customer to move that rule to a lower number on the access rules

to reduce CPU load.

Now, how can I be sure whether that rule is accelerated or not by using these tools?

And how can I know that the rule belongs to the relevant VS? * I use this command from the VS-DMZ: tcpdump -i any -w /var/log/capture.cap

Thank you all!

7 Replies
PhoneBoy
Admin

It would help if you share a screenshot of the relevant rule with version/JHF level.
Also, what blades are active?
If the issue is truly an elephant flow, moving the rule won’t necessarily solve the issue, but it could mitigate the risk.

RoyA
Explorer

Hi,

Rule number 602 has 13936 hits, and I would like to recommend to my end customer to move it to a lower number on the access rule layer.

Version R80.30 VSX, Gaia, user space FW.

Screenshot:

How can I be sure whether that rule is accelerated or not by using these tools?

Chris_Atkinson
Employee Employee

CLI commands such as the following will assist you in determining where in the policy acceleration stops:

[Expert@FW]# fwaccel stat

Accelerator Status : on
Accept Templates : disabled by Firewall
disabled from rule #179

CCSM R77/R80/ELITE
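As an added example (not code from the thread or from Check Point), a small Python parser for the fwaccel stat excerpt quoted above: it pulls out the accelerator state and the rule from which accept templates are disabled, and answers whether a given rule number, such as the 602/604 asked about in this thread, can still form accept templates. The sample output is constructed from the excerpt above; in this output, rules numbered below the cut-off can still get templates, rules at or after it cannot.

```python
import re

# Constructed sample, mirroring the fwaccel stat excerpt posted in the thread
SAMPLE_FWACCEL_STAT = """Accelerator Status : on
Accept Templates : disabled by Firewall
                   disabled from rule #179
"""


def parse_fwaccel_stat(text):
    """Extract accelerator state, template state and the template cut-off rule."""
    info = {"accelerator_on": False, "templates_enabled": False,
            "disabled_from_rule": None}
    m = re.search(r"Accelerator Status\s*:\s*(\w+)", text)
    if m:
        info["accelerator_on"] = m.group(1).lower() == "on"
    m = re.search(r"Accept Templates\s*:\s*(.+)", text)
    if m:
        # "enabled" means every rule can be templated unless a cut-off follows
        info["templates_enabled"] = m.group(1).strip().lower().startswith("enabled")
    m = re.search(r"disabled from rule #(\d+)", text)
    if m:
        info["disabled_from_rule"] = int(m.group(1))
    return info


def rule_can_be_templated(info, rule_no):
    """True when connections matching rule_no can still receive an accept template."""
    if not info["accelerator_on"]:
        return False  # SecureXL off: nothing is templated
    cutoff = info["disabled_from_rule"]
    if cutoff is None:
        return info["templates_enabled"]  # no cut-off line: all or nothing
    return rule_no < cutoff  # templating stops at the cut-off rule


if __name__ == "__main__":
    stat = parse_fwaccel_stat(SAMPLE_FWACCEL_STAT)
    for rule in (100, 179, 602, 604):
        print(f"rule {rule}: templated={rule_can_be_templated(stat, rule)}")
```

The cut-off only concerns accept templates (first-packet matching in SecureXL); a connection matched by a later rule can still be offloaded to SecureXL once the firewall path has matched it, so a rule past the cut-off is "not templated" rather than "not accelerated at all".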
Christian_Koehl
Collaborator

Dear RoyA,

You wrote: "...and i want to recommend to my customer to move that rule to lower number on the access rules to reduce cpu load..".

As far as I know, moving the most used rules to the top is no longer necessary since R80.x (due to the new column-based matching).

RoyA
Explorer

Hello Christian,

I think it depends on whether the rule is accelerated; if yes, then it is not necessary to move it to the top of the access layer.

RoyA
Explorer

Hello Chris,

In case this rule is accelerated and it is disabled by the FW, I think it could lead to an impact.

Is there another way to know?

Chris_Atkinson
Employee Employee

You can review the policy logic against that described in sk32578.

For example, rules with RPC / DCOM / DCE services would be a giveaway.

CCSM R77/R80/ELITE
