Luis Miguel Miguel

FWX_CACHE, ICMP and fw_allow_simultaneous_ping

Discussion created by Luis Miguel Miguel on Nov 7, 2017
Latest reply on Nov 7, 2017 by Luis Miguel Miguel

Conclusions

**************

fw_allow_simultaneous_ping set to 1 creates an entry in the fwx_cache for every ICMP request; in my environment it accounted for 30% of the fwx_cache.

Background

****************

My fwx_cache was full. The fwx_cache limit is 10k (the default) and I have 3 cores, so my fwx_cache limit is 3 (nr of cores) x 10k = 30k.
Looking in more detail at the fwx_cache I could see that approx. 13k/30k = 43% of the fwx_cache entries were generated by ICMP traffic, while looking at the connections database 9k/29k = 31% of the connections were ICMP.

Digging deeper into the fwx_cache I could see the top sources, the top destinations and the top conversations, and none of them were hitting any NAT configuration (I checked the connections database, SmartView and SmartLog).

So I had approx. 43% of my fwx_cache taken by ICMP traffic that didn't have any NAT configuration whatsoever.

This is just a test that I ran to show the problem more clearly:

I pinged IP-A from IP-B

# ./showtable.sh all global list:10:sdfcrnlm:IP-B

****** connections.log ******
TOP SOURCES
     40 IP-A;  
TOP DESTINATIONS
     40 IP-B;  
TOP CONVERSATIONS
     40 IP-A;     IP-B;
TOP FLOWS (ICMP=1;TCP=6;UDP=11;ICMPv6=58;)
      1 IP-A;  IP-B;  20468;  icmp;  1;
      1 IP-A;  IP-B;  20467;  icmp;  1;
      1 IP-A;  IP-B;  20466;  icmp;  1;
      1 IP-A;  IP-B;  20465;  icmp;  1;
      1 IP-A;  IP-B;  20464;  icmp;  1;
      1 IP-A;  IP-B;  20463;  icmp;  1;
      1 IP-A;  IP-B;  20462;  icmp;  1;
      1 IP-A;  IP-B;  20461;  icmp;  1;
      1 IP-A;  IP-B;  20460;  icmp;  1;
      1 IP-A;  IP-B;  20459;  icmp;  1;
TOP RULES
     40 1;  
TOP NATS

 


****** fwx_cache.log ******
TOP SOURCES
    202 IP-A
TOP DESTINATIONS
    202 IP-B
TOP CONVERSATIONS
    202 IP-A     IP-B
TOP FLOWS (ICMP=1;TCP=6;UDP=11;ICMPv6=58;)
      1 IP-A      IP-B    20475   00000001
      1 IP-A      IP-B    20474   00000001
      1 IP-A      IP-B    20473   00000001
      1 IP-A      IP-B    20472   00000001
      1 IP-A      IP-B    20471   00000001
      1 IP-A      IP-B    20470   00000001
      1 IP-A      IP-B    20469   00000001
      1 IP-A      IP-B    20468   00000001
      1 IP-A      IP-B    20467   00000001
      1 IP-A      IP-B    20466   00000001

 

****** fwx_alloc.log ******
TOP SOURCES
TOP DESTINATIONS
TOP CONVERSATIONS
TOP FLOWS (ICMP=1;TCP=6;UDP=11;ICMPv6=58;)

So just a simple ping that didn't require any NAT (see the connections database and fwx_alloc output) generated 202 entries in my fwx_cache in a couple of minutes.

Why? It doesn't make any sense at all.

I noticed that one of my Check Point clusters didn't have this problem, so I compared the configuration and found out that this cluster had fw_allow_simultaneous_ping set to 0.

So I set fw_allow_simultaneous_ping to 0 on a couple of Check Point gateways and I could see straight away how the fwx_cache freed up from the ICMP entries.

I am wondering if this is a bug or known behavior, but anyway, as a result of fw_allow_simultaneous_ping set to 1, more than 30% of my fwx_cache was taken by ICMP traffic that didn't require any NAT.

By the way, I could share the script if there is interest.

# Usage banner from showtable.sh
echo "****** Syntax ******************************************************************************************************"
echo "showtable.sh (TABLE:connections|fwx_cache|fwx_alloc|sam_blocked_ips|all) (CPU:global|core) (OPERATION:summary|list,<nr>,sdcfplm,<pattern>)"
echo "example1: showtable.sh all global summary"
echo "example2: showtable.sh connections core list"
echo "TABLE: connections, fwx_cache, fwx_alloc, sam_blocked_ips or all tables"
echo "CPU: global or core, data globally or per core"
echo "OPERATION: summary or list/detailed information; <nr> number of lines; FLAGS: s(source), d(destination), c(conversations), f(flow), p(protocol), l(local with the latest fetched data), m(filter pattern); <pattern to filter>"
echo "************************************************************************************************************************"
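The fwx_cache TOP FLOWS listing shown above is the data a practitioner would want to watch over time to catch this kind of cache pressure. The following POSIX shell snippet is an added example, not the author's showtable.sh and not part of the original post: it reads lines in that TOP FLOWS format, tallies entries by IP protocol (weighted by the leading count column), reports the ICMP share as a percentage and warns when it exceeds a threshold. It assumes the last column is the IP protocol number as eight hex digits (00000001 for ICMP as on the page; 00000006 TCP, 00000011 UDP and 0000003a ICMPv6 are the standard protocol numbers in hex). The sample flows, addresses and counts are constructed.

```shell
#!/bin/sh
# Added example: tally fwx_cache TOP FLOWS lines by protocol and flag a high ICMP share.
# Assumed line format (as in the showtable.sh fwx_cache.log output):
#   <count> <source> <destination> <id/port> <protocol as 8 hex digits>

# Constructed sample: 6 ICMP entries, 3 TCP, 1 UDP (addresses are hypothetical).
SAMPLE_FLOWS='      1 10.1.1.10      10.2.2.20    20475   00000001
      1 10.1.1.10      10.2.2.20    20474   00000001
      1 10.1.1.10      10.2.2.20    20473   00000001
      1 10.1.1.11      10.2.2.20    20110   00000001
      1 10.1.1.11      10.2.2.21    20109   00000001
      1 10.1.1.12      10.2.2.22    20001   00000001
      2 10.1.1.30      10.2.2.40    443     00000006
      1 10.1.1.31      10.2.2.40    22      00000006
      1 10.1.1.32      10.2.2.41    53      00000011'

# proto_counts: read TOP FLOWS lines on stdin, print "<protocol> <entries>" per
# protocol, sorted by name. Each line contributes its count column (field 1).
proto_counts() {
    awk '
        NF >= 5 {
            p = $5
            if (p == "00000001")      name = "icmp"
            else if (p == "00000006") name = "tcp"
            else if (p == "00000011") name = "udp"
            else if (p == "0000003a") name = "icmpv6"
            else                      name = "other"
            n[name] += $1
        }
        END { for (k in n) print k, n[k] }' | sort
}

# icmp_share_percent: read TOP FLOWS lines on stdin, print the integer percentage
# of cache entries that belong to ICMP flows (0 when there are no entries).
icmp_share_percent() {
    proto_counts | awk '
        { total += $2; if ($1 == "icmp") icmp = $2 }
        END { if (total == 0) print 0; else print int(100 * icmp / total) }'
}

# check_icmp_share <threshold_percent>: read TOP FLOWS lines on stdin; return 0
# when the ICMP share is at or below the threshold, 1 (with a WARN line) when above.
check_icmp_share() {
    share=$(icmp_share_percent)
    if [ "$share" -gt "$1" ]; then
        echo "WARN: ICMP accounts for ${share}% of fwx_cache entries (threshold $1%)"
        return 1
    fi
    echo "OK: ICMP accounts for ${share}% of fwx_cache entries (threshold $1%)"
    return 0
}

# Stand-alone demo on the constructed sample. On a gateway, pipe the real
# fwx_cache TOP FLOWS lines in instead; a non-zero status means the threshold was exceeded.
printf '%s\n' "$SAMPLE_FLOWS" | proto_counts
printf '%s\n' "$SAMPLE_FLOWS" | check_icmp_share 30 || true
```

The threshold is a policy choice: the post measured 43% of fwx_cache entries from ICMP with fw_allow_simultaneous_ping set to 1, so a 30% threshold over the constructed sample (60% ICMP) trips the warning, while the same check after the setting was changed to 0 would be expected to pass.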

Outcomes