Firewall-1
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [FW-1] Firewall slowdown?

from Mike Smith [Permanent Link]
Subject: Re: [FW-1] Firewall slowdown?
From: Mike Smith <mike6733 AT COMCAST DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 17 Jul 2006 17:52:34 +0000 
A little more information:

The Concurrent connections problem occured when SmartDefense starting using 
Active Streaming to perform layer 7 probes.  My understanding is that Active 
Streaming causes two half-session entries to be created in the connection 
table.  So you start to drop packets when the number of connections (invoking 
Active Streaming) reaches 50% of maximum connections.

The platform is splat.

I also noticed last week that interfaces on the gateway were recording dropped 
and overrun packets as shown by a ifconfig eth_ command.  This only happens 
when SmartDefense is enabled.  On Friday I used the ethtool -G rx #### tx #### 
command to increase the number of Receive and Transmit descriptors available to 
the interface.  The dropped and overrun packets counters have not changed since 
the # of buffers were increased.

I had a difficult time finding the information regarding the tuning of the 
ethernet interfaces.  Can someone direct me to a FAQ or cookbook?

TIA  

Mike Smith wrote:> The Checkpoint NGX R60 HFA02 system I support recently 
exhusted all of the Concurrent Connections (the checkpoint log was showing 
dropped connections). I increased the value of Maximum concurrent Connections 
on the Capacity Optimization property screen of the cluster object definition. 
The Calculate connection hash table size and memory pool option is set to 
Automatic.
> 
> There has been a very hard to explain slowdown during the afternoon. I have 
> satisfied myself that the performance problem is within the Firewall. 
> Memory/processor utilization is less than 25% of the machine.
> 
> Are there any options, related to the concurrent connections value, which 
> should be adjusted or reviewed?
> 
> 
> 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [FW-1] Problem to acces to the owa using User Author, Matthias Leu
Next by Date:  Re: [FW-1] Web intellegence, fwguru
Previous by Thread:  Re: [FW-1] Firewall slowdown?, Ray
Next by Thread:  Re: [FW-1] Firewall slowdown?, fwguru
Indexes:  [Date] [Thread] [Top] [All Lists]