The Active Streaming Mechanism is used in the following:
• Error concealment
• Header spoofing
• Directory listing
• ASCII only response
• "Send Error Page" checked (R60/R55W)
Any defense that sends an HTML error page to the client uses ASM. The
main difference between ASM and PSM (Passive Streaming Mechanism) is
that ASM will analyze the entire request and response header before
sending it to the server and client. ASM uses much more overhead than
PSM.
I miss the days of the plain old stateful firewall. But that type of
protection today is not enough. If you want to have very limited
application checks, inferior VPNs, vendor hardware lock-in, and the
worst management of them all, then take the advice and go with PIX.
Are you really surpassing the 25,000 connections mark? If so, is it
legit traffic? Maybe marketing did some kinda campaign or promo and
didn't notify the security team to expect a huge increase in traffic?
Consider going to a diskless system?
Has the slowdown been resolved since you made the change using ethtool?
Regards,
Neil Delacruz
On 7/17/06, Mike Smith <mike6733 AT comcast DOT net> wrote:
A little more information:
The Concurrent Connections problem occurred when SmartDefense started using
Active Streaming to perform layer 7 probes. My understanding is that Active
Streaming causes two half-session entries to be created in the connection
table. So you start to drop packets when the number of connections (invoking
Active Streaming) reaches 50% of maximum connections.
The platform is SPLAT.
I also noticed last week that interfaces on the gateway were recording dropped
and overrun packets as shown by an ifconfig eth_ command. This only happens
when SmartDefense is enabled. On Friday I used the ethtool -G rx #### tx ####
command to increase the number of Receive and Transmit descriptors available to
the interface. The dropped and overrun packet counters have not changed since
the number of buffers was increased.
I had a difficult time finding the information regarding the tuning of the
Ethernet interfaces. Can someone direct me to a FAQ or cookbook?
TIA
Mike Smith wrote:
> The Checkpoint NGX R60 HFA02 system I support recently
> exhausted all of the Concurrent Connections (the Checkpoint log was showing dropped
> connections). I increased the value of Maximum Concurrent Connections on the
> Capacity Optimization property screen of the cluster object definition. The
> Calculate connection hash table size and memory pool option is set to Automatic.
>
> There has been a very hard to explain slowdown during the afternoon. I have
> satisfied myself that the performance problem is within the Firewall.
> Memory/processor utilization is less than 25% of the machine.
>
> Are there any options, related to the concurrent connections value, which
> should be adjusted or reviewed?
>
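Mike's check above (watching the ifconfig dropped/overrun counters before and after raising the ring sizes with ethtool -G) done as a repeatable comparison of two /proc/net/dev snapshots. This is an added example, not code from the thread or from Check Point; it assumes the standard Linux /proc/net/dev column layout, and the two snapshots embedded in it are constructed sample data rather than real gateway output. It goes slightly beyond the post by separating "drop" from "fifo" (which ifconfig labels dropped and overruns respectively): a bigger ring only helps the overrun counter, so a "dropped" counter that keeps climbing while overruns stay flat points at something other than the NIC descriptor ring.

```shell
#!/bin/sh
# Added example (not from the list thread): compare two /proc/net/dev snapshots
# and report how much each interface's drop/overrun counters grew in between.
#
# On the gateway the procedure would be:
#   ethtool -g eth0                   # "Pre-set maximums" vs "Current hardware settings"
#   cat /proc/net/dev > before.txt    # snapshot the counters
#   ethtool -G eth0 rx 4096 tx 4096   # raise descriptors (stay within the maximums shown)
#   ... let traffic run ...
#   cat /proc/net/dev > after.txt
# Feed before.txt/after.txt to the functions below; here we use constructed samples.

# Constructed sample snapshots in /proc/net/dev format (not real data).
BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  100000    1000    0    0    0     0          0         0   100000    1000    0    0    0     0       0          0
  eth0: 9000000   80000    0  120   45     0          0         0  7000000   60000    0    0    0     0       0          0
  eth1: 5000000   40000    0    3    0     0          0         0  4000000   30000    0    0    0     0       0          0'

AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  200000    2000    0    0    0     0          0         0   200000    2000    0    0    0     0       0          0
  eth0: 19000000 170000    0  180   70     0          0         0 15000000  130000    0    0    0     0       0          0
  eth1: 9000000   75000    0    3    0     0          0         0  8000000   60000    0    0    0     0       0          0'

# nic_counters SNAPSHOT IFACE -> "rx_drop rx_fifo tx_drop tx_fifo"
# /proc/net/dev RX columns: bytes packets errs drop fifo frame compressed multicast
#                TX columns: bytes packets errs drop fifo colls carrier compressed
# ifconfig reports RX "dropped" = drop and RX "overruns" = fifo.
nic_counters() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        index($0, ":") {                 # counter lines carry "iface:", header lines do not
            split($0, half, ":")         # tolerate "eth0:1234" with no space after the colon
            gsub(/[ \t]/, "", half[1])   # "  eth0" -> "eth0"
            if (half[1] != ifc) next
            split(half[2], c)            # default FS: whitespace runs, leading blanks ignored
            print c[4], c[5], c[12], c[13]
        }'
}

# nic_drop_delta BEFORE AFTER IFACE -> one line with the growth of each counter
nic_drop_delta() {
    ifc=$3
    b=$(nic_counters "$1" "$ifc")
    a=$(nic_counters "$2" "$ifc")
    if [ -z "$b" ] || [ -z "$a" ]; then
        echo "$ifc: not present in both snapshots" >&2
        return 1
    fi
    # shellcheck disable=SC2086  (word splitting is intended: $1..$4 before, $5..$8 after)
    set -- $b $a
    echo "$ifc rx_drop=$(($5 - $1)) rx_overrun=$(($6 - $2)) tx_drop=$(($7 - $3)) tx_overrun=$(($8 - $4))"
}

# nic_still_dropping BEFORE AFTER IFACE -> "yes" if any of the four counters grew, else "no"
nic_still_dropping() {
    nic_drop_delta "$1" "$2" "$3" | awk '{
        grew = 0
        for (i = 2; i <= NF; i++) { split($i, kv, "="); if (kv[2] + 0 > 0) grew = 1 }
        print (grew ? "yes" : "no")
    }'
}

# Stand-alone run: report every non-loopback interface in the sample snapshots.
for ifc in eth0 eth1; do
    nic_drop_delta "$BEFORE" "$AFTER" "$ifc"
done
```

On the sample data eth0 still gains 60 dropped and 25 overrun packets between the two snapshots while eth1 is clean, which is the pattern Mike reports: if the overrun delta stays non-zero after ethtool -G, the ring was not the bottleneck (or the new size did not take effect; ethtool -g shows what the NIC actually accepted).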
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================