
Firewall state table optimization

Question asked by Nikhil Patil on Nov 5, 2018

How can we achieve the requirement below in a Check Point firewall?

1 State Table
1.1 The solution should be a stateful firewall and must allow granular control of the state table.
1.2 On a per-rule basis:
    a. Limit simultaneous client connections
    b. Limit states per host
    c. Limit new connections per second
    d. Define state timeout
    e. Define state type
1.3 State types – the solution shall offer multiple options for state handling:
    a. Keep state – works with all protocols. Default for all rules.
    b. Sloppy state – shall work with all protocols. Less strict state tracking to support asymmetric routing.
    c. Synproxy state – proxies incoming TCP connections to protect servers from spoofed TCP SYN floods. Must include the option to keep state and modulate state combined.
1.4 State table optimization options – at minimum, table optimization shall have the options to:
    a. Normal – the default algorithm.
    b. High latency – useful for high-latency links, such as satellite connections. Expires idle connections later than normal.
    c. Aggressive – expires idle connections more quickly. More efficient use of hardware resources, but can drop legitimate connections.
    d. Conservative – tries to avoid dropping legitimate connections at the expense of increased memory usage and CPU utilization.

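To make the per-rule controls in the question concrete, here is an added example (not part of the original post, and not Check Point or any other vendor's code): a small Python model of a firewall state table that enforces a simultaneous-connection cap, a states-per-host cap and a new-connections-per-second cap per rule, and expires idle states using an idle timeout scaled by an optimization profile (normal, high latency, aggressive, conservative). Rule names, addresses, limits and the profile multipliers are all constructed values chosen only to illustrate the semantics.

```python
"""Toy model of a stateful firewall state table with per-rule limits.

Constructed example: the rules, hosts and profile multipliers are made up
to show how the controls interact, not taken from any real product.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Optimization profiles scale every rule's idle timeout (constructed values).
# "aggressive" expires idle states sooner, "conservative"/"high_latency" later.
PROFILES = {"normal": 1.0, "high_latency": 2.0, "aggressive": 0.5, "conservative": 1.5}


@dataclass
class Rule:
    name: str
    max_conns: Optional[int] = None       # simultaneous states matched by this rule
    max_per_host: Optional[int] = None    # states allowed per source host
    max_new_per_sec: Optional[int] = None # new states admitted per wall-clock second
    idle_timeout: float = 60.0            # seconds of inactivity before a state expires


@dataclass
class State:
    rule: str
    src: str
    dst: str
    last_seen: float


class StateTable:
    def __init__(self, profile: str = "normal") -> None:
        self.scale = PROFILES[profile]
        self.states: Dict[Tuple[str, str, str], State] = {}
        # (rule name, whole second) -> number of new states admitted in that second
        self.new_per_sec: Dict[Tuple[str, int], int] = defaultdict(int)

    def expire(self, rules: Dict[str, Rule], now: float) -> int:
        """Remove states idle longer than their rule's (profile-scaled) timeout."""
        expired = [
            key for key, st in self.states.items()
            if now - st.last_seen > rules[st.rule].idle_timeout * self.scale
        ]
        for key in expired:
            del self.states[key]
        return len(expired)

    def admit(self, rule: Rule, src: str, dst: str, now: float) -> str:
        """Match a packet against a rule; return how the state table handled it."""
        key = (rule.name, src, dst)
        if key in self.states:                  # packet belongs to an existing flow
            self.states[key].last_seen = now
            return "existing"
        in_rule = [st for st in self.states.values() if st.rule == rule.name]
        if rule.max_conns is not None and len(in_rule) >= rule.max_conns:
            return "drop:max_conns"
        sec = int(now)
        if rule.max_new_per_sec is not None and self.new_per_sec[(rule.name, sec)] >= rule.max_new_per_sec:
            return "drop:rate"
        if rule.max_per_host is not None and sum(1 for st in in_rule if st.src == src) >= rule.max_per_host:
            return "drop:max_per_host"
        self.new_per_sec[(rule.name, sec)] += 1
        self.states[key] = State(rule.name, src, dst, now)
        return "new"


def demo() -> list:
    """Walk one constructed rule through each limit, then expire under 'aggressive'."""
    web = Rule("web", max_conns=3, max_per_host=2, max_new_per_sec=2, idle_timeout=10.0)
    rules = {web.name: web}
    table = StateTable("aggressive")            # idle timeout becomes 10.0 * 0.5 = 5 s
    results = [
        table.admit(web, "10.0.0.1", "192.0.2.10:80", 0.0),   # new
        table.admit(web, "10.0.0.1", "192.0.2.10:443", 0.2),  # new
        table.admit(web, "10.0.0.1", "192.0.2.11:80", 0.4),   # drop:rate (2 new states already in second 0)
        table.admit(web, "10.0.0.1", "192.0.2.11:80", 1.0),   # drop:max_per_host (host already holds 2)
        table.admit(web, "10.0.0.2", "192.0.2.10:80", 1.1),   # new (third state for the rule)
        table.admit(web, "10.0.0.3", "192.0.2.10:80", 1.2),   # drop:max_conns (rule cap of 3 reached)
    ]
    results.append(table.expire(rules, 7.0))    # all three states idle > 5 s -> 3 expired
    return results


if __name__ == "__main__":
    print(demo())
```

Re-running `demo()` with `StateTable("conservative")` multiplies the timeout to 15 s, so the same `expire(rules, 7.0)` call removes nothing; that is the memory-for-safety trade-off item 1.4d describes.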