hmmm... even more amazed... I'm having trouble handling 500,000-800,000 log
entries in a single file, so I've scheduled a logswitch twice a day... maybe
it's a CPU power issue, since I'm using an old server, but if I had as many
entries as you have, I'd consider using a DB such as Oracle to handle my
logs.
Additional rule number is something I never understood... can anybody out there
shed light on what it is?
For the "sequential NAT/PAT overload" à la Cisco, nothing to do. Checkpoint
deals with Hide or Static NAT only.
If you are having such problems, maybe the solution could be tweaking
timeouts, to prevent having stale entries in the connection tables.
NA
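To make the port arithmetic in James's reply and the timeout suggestion above concrete, here is a small added model (not code from the thread or from Check Point): a toy Hide NAT table with the 64512 usable ports per hide address, an idle timeout that decides how long stale entries hold their port, and an optional second hide address for the Cisco-style spill-over the thread says Check Point lacks. All addresses, rates and timeouts are constructed values.

```python
# Added example (not from the thread): toy Hide NAT table showing source-port
# exhaustion and the effect of the idle timeout. All values below are constructed.
from collections import OrderedDict

PORTS_PER_HIDE_ADDRESS = 65536 - 1024   # 64512 usable high ports, as in the thread

class HideNatTable:
    def __init__(self, hide_addrs, idle_timeout):
        self.hide_addrs = list(hide_addrs)
        self.idle_timeout = idle_timeout
        self.entries = OrderedDict()          # (hide_addr, port) -> last-seen time
        self.free = {a: list(range(65535, 1023, -1)) for a in self.hide_addrs}
        self.failures = 0                     # connections that found no free port

    def expire(self, now):
        """Reap idle entries. Entries are inserted in time order and this model
        never refreshes them, so only the oldest ones need checking."""
        while self.entries:
            key, last_seen = next(iter(self.entries.items()))
            if now - last_seen < self.idle_timeout:
                break
            del self.entries[key]
            self.free[key[0]].append(key[1])  # port goes back into the pool

    def allocate(self, now):
        """Translate one new connection: (hide_addr, port), or None when every
        port on every hide address is held by a live or stale entry."""
        self.expire(now)
        for addr in self.hide_addrs:          # spill to next address (Cisco-style pool)
            if self.free[addr]:
                port = self.free[addr].pop()
                self.entries[(addr, port)] = now
                return addr, port
        self.failures += 1
        return None

def simulate(hide_addrs, idle_timeout, new_conns_per_sec, seconds):
    """Open new_conns_per_sec connections every second, each idle after setup.
    Returns how many connections could not get a hide port."""
    table = HideNatTable(hide_addrs, idle_timeout)
    for now in range(seconds):
        for _ in range(new_conns_per_sec):
            table.allocate(now)
    return table.failures

if __name__ == "__main__":
    print(simulate(["192.0.2.1"], 3600, 1000, 120))   # 55488: pool dry after 64512
    print(simulate(["192.0.2.1"], 60, 1000, 120))     # 0: a 60 s timeout keeps up
    print(simulate(["192.0.2.252", "192.0.2.253"], 3600, 1000, 120))  # 0: spill-over
```

With a single hide address the model matches the Check Point case described in the thread; the second address only exists to show what the Cisco pool behaviour would buy.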
----- Original Message -----
From: "James Lee Bell" <nuclear-cowboy AT COX DOT NET>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Thursday, March 25, 2004 10:03 AM
Subject: Re: [FW-1] Checkpoint NG FP3 on Sun - Nat HIDE Failure
> *snicker* NA, we get over that many log entries before breakfast. He's
> just got a high throughput site. Although I do find that 2 billion
> number for NAT additional rule number intriguing.
>
> As for message, if you are hide nat'ing you have a total of 65536-1024 =
> 64512 ports available on that hide nat address. If you have 64512
> simultaneous connections in the state table, the next one gets this
> message. Can one do sequential PATs in Checkpoint like one can in
> Cisco, i.e. maybe a pool nat with overload? For example, we do the
> NAT'ing on a Cisco device that uses 3 consecutive PAT/NATs, *.*.*.252,
> .253, .254. If .252 is all used up, next connections spill over to start
> using the 65k ports of .253, and so on. Does that exist in CP?
>
> FYI, I don't know of any specific NAT-related timeout, but it will
> obviously be contingent upon the timeout settings in global
> properties/stateful inspection, where regular idle timeouts, half-open
> timeouts, etc. are configured. So long as the connection is considered
> statefully correct, the nat entry will exist.
>
> Not Available wrote:
> > Woah! Look at Number... you are having more than 4 million log entries...
> > don't you feel the urge of a log switch?
> > :-)
> >
> > When you are having lots of Hide NAT connections simultaneously, maybe the
> > firewall could simply run out of available ports. Maybe lots of these
> > connections are already closed, but still in the NAT table because of grace
> > periods and timeouts. I remember having read of reducing this timeout but
> > couldn't find it, so I can't be more specific.
> >
> > Maybe a cpstop/cpstart would reset the tables... does it happen to help? You
> > could try, if you can afford a brief service disruption...
> >
> > Hope this helps
> >
> > NA
> >
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================