This depends on a number of things as to why you are having this issue:

1) What type of connections are going through the firewall? Checkpoint does not handle short and burst connections very well. One of the customers that I managed had a similar issue to the one you described. CPU and memory on the firewall were very low (less than 20%), but connections between Web and DB servers, going across the firewall between VLANs, were very slow. What happened is that because the connections were so fast, Checkpoint could not release them fast enough and it just filled up the connections table. Checkpoint came back and admitted that this is an issue with the firewall.

2) Try to reduce the "tcp timeout" in the global properties from the default of 50 seconds to around 1 second or maybe 0 seconds (you need to use dbedit or GuiDBedit to change the value to 0) and see if it helps in your situation.

3) Try to measure how many connections per second your firewall can handle. It could be the issue.

4) Are you running this on Nokia or SPLAT?

5) Perform "fw tab -s -t connections" and see how many connections you have in the connections table.

If you can reproduce the problem in the lab, I would strongly suggest that you replace the Checkpoint firewall with a Cisco PIX and see if this solves your problem. My feeling is that it will, because our customer replaced the Checkpoint firewall with a Cisco PIX and this similar symptom went away. PIX is a pain in the ass to manage, but it may be your only option. The other option is to go with Juniper/NetScreen.

My 2c.

cisco4ng
CCIE Security, CCSE-NG
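Added example, not part of cisco4ng's post or any Check Point tooling: a small POSIX shell script that takes two "fw tab -s -t connections" summaries captured a known number of seconds apart and reports how full the table is against the configured "Maximum concurrent connections" value and how fast it is growing. It assumes the summary lines follow the HOST / NAME / ID / #VALS / #PEAK / #SLINKS column layout; the two samples embedded below are constructed so the script runs offline, and the 25000 limit and 10-second interval are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): parse two samples of
# "fw tab -s -t connections" taken a known number of seconds apart and
# report how full the connections table is and how fast it is growing.
# Assumed summary format (one data line per table):
#   HOST  NAME  ID  #VALS  #PEAK  #SLINKS
# The two samples below are constructed; on a gateway you would capture them with:
#   T0=$(fw tab -s -t connections); sleep 10; T1=$(fw tab -s -t connections)

SAMPLE_T0='HOST                  NAME                         ID    #VALS  #PEAK  #SLINKS
localhost             connections                  8158   21840   24960    43680'
SAMPLE_T1='HOST                  NAME                         ID    #VALS  #PEAK  #SLINKS
localhost             connections                  8158   23140   24960    46280'

# conn_vals SUMMARY -> current number of entries (#VALS column)
conn_vals() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4 }'
}

# conn_peak SUMMARY -> highest number of entries seen (#PEAK column)
conn_peak() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $5 }'
}

# fill_pct LIMIT VALS -> integer percent of the configured maximum
# (LIMIT is the "Maximum concurrent connections" value on the cluster object)
fill_pct() {
    echo $(( $2 * 100 / $1 ))
}

# growth_rate VALS0 VALS1 SECONDS -> net entries added per second between the
# two samples. This is creation minus expiry, not raw connections per second:
# a steady positive rate with idle CPU means entries outlive the traffic they carried.
growth_rate() {
    echo $(( ($2 - $1) / $3 ))
}

# report LIMIT SECONDS SUMMARY0 SUMMARY1 -> one-line verdict
report() {
    v0=$(conn_vals "$3"); v1=$(conn_vals "$4")
    pct=$(fill_pct "$1" "$v1"); rate=$(growth_rate "$v0" "$v1" "$2")
    if [ "$pct" -ge 90 ]; then state=CRITICAL
    elif [ "$pct" -ge 75 ]; then state=WARNING
    else state=OK; fi
    printf '%s: %s/%s entries (%s%%), peak %s, net +%s/s over %ss\n' \
        "$state" "$v1" "$1" "$pct" "$(conn_peak "$4")" "$rate" "$2"
}

# Usage with the constructed samples and an assumed 25000-entry limit:
report 25000 10 "$SAMPLE_T0" "$SAMPLE_T1"
```

Run it a few times across the slow afternoon window: a table that sits near its limit while #PEAK equals the limit confirms the exhaustion the log was reporting, and a net growth rate that stays positive while CPU is idle points at entries not being released rather than at the box running out of horsepower.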
Ramki Security <ramki.security AT GMAIL DOT COM> wrote:
Maybe there is some attack going on in your network. I have seen such behavior earlier.
Ramki
CCNA, CCSE-NGAI
Mike Smith wrote:
> The Checkpoint NGX R60 HFA02 system I support recently exhausted all of the
> concurrent connections (the Checkpoint log was showing dropped connections).
> I increased the value of Maximum concurrent Connections on the Capacity
> Optimization property screen of the cluster object definition. The Calculate
> connection hash table size and memory pool option is set to Automatic.
>
> There has been a very hard-to-explain slowdown during the afternoon. I have
> satisfied myself that the performance problem is within the firewall.
> Memory/processor utilization is less than 25% of the machine.
>
> Are there any options, related to the concurrent connections value, which
> should be adjusted or reviewed?
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
>