tavi0906
Contributor

What is the limit for the concurrent connections?

What is the limit or default value of concurrent connections?

Will the command fw ctl pstat also include any expired sessions in the value?

How to check whether any expired connections were present in the concurrent connections when we run fw ctl pstat?

Accepted Solution

PhoneBoy
Admin

Unless you've explicitly set a limit, the limit is available memory, and depends on the features enabled.
The datasheet for the relevant appliance will tell you what is supported in this regard.

The connections table only includes active connections.
Once a connection terminates, expires, or is removed due to "aggressive aging" (an IPS protection), they are removed from the connections table.

20 Replies
tavi0906
Contributor

For the 15600 appliance, what is the limit in the datasheet? And there are 4 VS.

G_W_Albrecht
Legend

Datasheet has:

5 to 10 million concurrent connections, 64 byte response (performance measured with default/maximum memory)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
Employee

In VSX the limit is manually set / configured per VS. 

You should review it on a needs basis considering expected traffic & available memory capacity.

CCSM R77/R80/ELITE
Bob_Zimmerman
Authority

Depends on how much RAM you have. Check the output of 'free -h'. Subtract 3 GB for the OS. For just firewalling, 500k per gigabyte remaining is reasonable. For firewalling plus IPS plus threat emulation plus whatever else, expect more like 200k connections per gigabyte.

With VSX, the above gives you the total capacity of the box, which you then manually split between VSs. Even with a base 15600 with four VSs, you should be able to get over half a million connections per VS without going to extreme lengths.

the_rock
Legend

That's interesting. Just curious, does such a calculation apply to ANY CP setup, regardless of whether it's a physical appliance or VM/open server?

Andy

Bob_Zimmerman
Authority

Absolutely. Check Point's branded boxes are just open servers with weird PCIe slots. Take a look at the datasheets for the 15600, 16200, QLS250, etc. Very roughly, they say 16 GB supports ~6M connections, 32 GB supports 8-12M, 64 GB supports 16-25M, and 128 GB supports ~32M. Newer datasheets revise the connections per gigabyte down as new features consume some RAM.

The important thing to keep in mind is that the OS consumes some amount (generally fairly constant, and generally goes up a little with each major version), and the features you enable consume some amount per instance of the feature (i.e, per VS with it enabled).

RAM is cheap. If you're building a firewall for a given connection capacity, go with the 200k per gigabyte (or even 150k per gigabyte), give yourself an extra 25%, and round up to the next stick you need for optimal bank interleaving.
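
Bob_Zimmerman's rule of thumb from the two replies above, turned into a small sizing calculator. This is an added example, not Check Point's own tooling or formula: the 3 GB OS reserve, the per-gigabyte figures, the 25% headroom and the even split across VSs come from the replies, while the DIMM sizes and the memory-channel count are assumptions to adjust for the actual box.

```python
"""Connection-capacity estimate from installed RAM (rule of thumb from the
thread, not a Check Point formula). Added example."""
import math

OS_RESERVE_GB = 3  # "Subtract 3 GB for the OS"
CONNS_PER_GB = {
    "firewall_only": 500_000,    # plain firewalling
    "full_inspection": 200_000,  # firewalling + IPS + threat emulation + ...
    "conservative": 150_000,     # the safer planning figure from the thread
}
HEADROOM = 0.25  # "give yourself an extra 25%"


def estimate_capacity(total_ram_gb, profile="full_inspection"):
    """Total connections the box can hold, before any per-VS split.
    Example: 16 GB, full inspection -> (16 - 3) * 200k = 2.6M."""
    usable_gb = max(total_ram_gb - OS_RESERVE_GB, 0)
    return int(usable_gb * CONNS_PER_GB[profile])


def per_vs_share(total_ram_gb, vs_count, profile="full_inspection"):
    """Even split of the box's capacity across VSX virtual systems.
    In practice the per-VS limit is set manually; this is the budget to split."""
    return estimate_capacity(total_ram_gb, profile) // vs_count


def ram_for_target(target_conns, profile="conservative", stick_gb=16, channels=2):
    """RAM to install for a target connection count: add headroom, add the OS
    reserve, round up to whole DIMMs, then to a multiple of the channel count
    so every channel is populated. stick_gb and channels are assumptions;
    check the appliance's actual DIMM layout."""
    needed_gb = target_conns * (1 + HEADROOM) / CONNS_PER_GB[profile] + OS_RESERVE_GB
    sticks = math.ceil(needed_gb / stick_gb)
    sticks += (-sticks) % channels  # round up to fill every channel
    return sticks * stick_gb


if __name__ == "__main__":
    # A 16 GB box with four VSs, the case discussed above
    print("box capacity:", estimate_capacity(16))        # 2600000
    print("per VS (4 VS):", per_vs_share(16, 4))          # 650000
    print("RAM for 5M conns:", ram_for_target(5_000_000), "GB")  # 64
```

The per-VS figure for a 16 GB box with four VSs comes out above half a million, which matches the reply; the sizing function uses the more conservative 150k figure on purpose, since the replies that follow note that datasheet numbers assume a best case.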

the_rock
Legend

That makes sense. I will say though that, like most FW vendors, those datasheets represent a PERFECT scenario, which literally never happens, and take into account a single rule any any allow, that's it. They don't really represent any customer's actual live environment.

Andy

Bob_Zimmerman
Authority

Connection capacity is much less sensitive to the environment than throughput is. The only real way to reduce it is enabling the deep inspection features which consume more baseline RAM, leaving less space for connections. Without those, you can actually get much higher connection counts than the datasheets suggest for a given amount of RAM.

tavi0906
Contributor

Is there any way we can set alert messages in SmartConsole or anywhere, when the concurrent connections reach 80%?

PhoneBoy
Admin

The only way to get those alerts in SmartConsole is to enable Aggressive Aging.
However, it will be based on overall memory usage, not percentage of the connections table being full: https://support.checkpoint.com/results/sk/sk122154 
Otherwise, it will need to be monitored with SNMP, Skyline, or something else.

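One way to do the "something else" monitoring the reply above mentions, as an added example that is not part of the original thread or Check Point's tooling: parse the summary that `fw tab -t connections -s` prints on the gateway and warn when the entry count crosses 80% of the limit configured on the gateway (or VS) object. The column layout in the sample is assumed from memory of Gaia output and the sample line is constructed, which is why the parser keys on header names rather than positions; the limit is supplied by the operator.

```python
"""Warn when the connections table reaches 80% of its configured limit.
Added example; the command output format below is assumed, not captured."""
import subprocess

# Constructed sample of `fw tab -t connections -s` output (not a real capture).
SAMPLE_OUTPUT = """\
HOST                  NAME                                  ID #VALS     #PEAK     #SLINKS
localhost             connections                         8158 41230     48817     35120
"""


def parse_fw_tab_summary(text):
    """Turn the summary table into a list of dicts keyed by header name,
    skipping blank lines and any row whose field count does not match."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def check_connections(text, configured_limit, warn_ratio=0.80):
    """Compare current entries with the limit set on the gateway/VS object.
    #VALS counts table entries rather than connections and can run higher,
    so treat the ratio as an upper bound (i.e. it errs on the side of warning)."""
    rows = parse_fw_tab_summary(text)
    row = next((r for r in rows if r.get("NAME") == "connections"), None)
    if row is None:
        return {"status": "UNKNOWN", "reason": "connections table not found"}
    current = int(row["#VALS"])
    peak = int(row["#PEAK"])
    ratio = current / configured_limit
    status = "WARN" if ratio >= warn_ratio else "OK"
    return {"status": status, "current": current, "peak": peak,
            "ratio": round(ratio, 4), "limit": configured_limit}


def check_live(configured_limit, warn_ratio=0.80):
    """Run the real command on the gateway (expert shell; in VSX run it inside
    the VS context) and evaluate its output."""
    out = subprocess.run(["fw", "tab", "-t", "connections", "-s"],
                         capture_output=True, text=True, check=True).stdout
    return check_connections(out, configured_limit, warn_ratio)


if __name__ == "__main__":
    # Assumed limit of 50,000 for the VS in question
    print(check_connections(SAMPLE_OUTPUT, configured_limit=50_000))
    # -> status WARN: 41230 entries is about 82% of 50000
```

Scheduled from cron and wired to whatever the monitoring system accepts (an SNMP trap, syslog, a mail), this gives a percentage-of-table alert, which is the thing Aggressive Aging's memory-based trigger does not provide. The `#PEAK` column is worth keeping in the alert text because it shows how close the table has come to the limit since the last reset, not just at the moment of polling.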
tavi0906
Contributor

Can you explain how we get an alert if we enable AA and how it works?

And also, is there any command to delete the TCP connections?

PhoneBoy
Admin

Aggressive Aging will generate specific logs when it is activated.
If you have SmartEvent, you should be able to run a report/trigger an alert on one of these logs.

While it is possible to remove entries from the firewall tables (including connections) using fw tab -x (with correct arguments), this is not recommended.
Refer to the docs: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CLI_ReferenceGuide/Topics-CL... 

tavi0906
Contributor

When AA is enabled, what logs will be generated?

When we have SmartEvent, on what logs can we run a report/trigger a report?

If possible, can you explain more?

Chris_Atkinson
Employee

Here's an example:

(image: aa.png)

Source: https://community.checkpoint.com/t5/Security-Gateways/Aggressive-Aging/td-p/49209

CCSM R77/R80/ELITE
tavi0906
Contributor

Can we set the concurrent connection limit for a specific rule which has a small group of users?

If yes, how can we get this configuration?

the_rock
Legend

Never heard of that, but would be really useful if it can be done. Closest I can think of something like that would be QoS.

Andy

Timothy_Hall
Legend

Sort of, check out the concurrent-conns and concurrent-conns-ratio options to fwaccel dos: sk112454: How to configure Rate Limiting rules for DoS Mitigation (R80.20 and higher). You can also limit new connection rates as well.

However this mechanism is implemented in SecureXL and thus can only match IP addresses/ranges/networks and/or port numbers for enforcement; it cannot leverage user identity/group information to my knowledge.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
PhoneBoy
Admin

Not that I'm aware of.

the_rock
Legend

@PhoneBoy explained it perfectly, that's your answer.

Andy
