>The Active Streaming Mechanism is used in the following:
>- Error concealment
>- Header spoofing
>- Directory listing
>- ASCII only response
>- "Send Error Page" checked (R60/R55W)
>
>Any defense that sends an HTML error page to the client uses ASM. The
>main difference between ASM and PSM (Passive Streaming Mechanism) is
>that ASM will analyze the entire request and response header before
>sending it to the server and client. ASM uses much more overhead than
>PSM.
>
>I miss the days of the plain-old stateful firewall. But that type of
>protection today is not enough. If you want to have very limited
>application checks, inferior VPNs, vendor hardware lock-in, and the
>worst management of them all, then take the advice and go with PIX.
>
>Are you really surpassing the 25,000 connections mark? If so, is it
>legit traffic? Maybe marketing did some kinda campaign or promo and
>didn't notify the security team to expect a huge increase in traffic?
>Consider going to a diskless system?
No, but according to the Checkpoint SE this number is inaccurate when ASM is
invoked. A value of 25,000 actually means 12,500 ASM sessions.
Most of the traffic is inbound; how would a diskless system help?
>
>Has the slowdown been resolved since you made the change using ethtool?
No, the slowdowns are still occurring with SmartDefense enabled.
>
>Regards,
>Neil Delacruz
>>On 7/17/06, Mike Smith <mike6733 AT comcast DOT net> wrote:
>> A little more information:
>>
>> The Concurrent connections problem occurred when SmartDefense started using
>>Active Streaming to perform layer 7 probes. My understanding is that Active
>>Streaming causes two half-session entries to be created in the connection
>>table.
>>So you start to drop packets when the number of connections (invoking Active
>>Streaming) reaches 50% of maximum connections.
>>
>> The platform is splat.
>>
>> I also noticed last week that interfaces on the gateway were recording dropped
>>and overrun packets as shown by an ifconfig eth_ command. This only happens when
>>SmartDefense is enabled. On Friday I used the ethtool -G rx #### tx #### command
>>to increase the number of Receive and Transmit descriptors available to the
>>interface. The dropped and overrun packets counters have not changed since the
>># of buffers was increased.
>>
>> I had a difficult time finding the information regarding the tuning of the
>>ethernet interfaces. Can someone direct me to a FAQ or cookbook?
>>
>> TIA
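The interface-counter check Mike describes (compare ifconfig "dropped"/"overruns" before and after an ethtool -G ring change), as an added shell example that is not from this thread; the /proc/net/dev snapshots and interface names below are constructed:

```shell
#!/bin/sh
# Added example: read two /proc/net/dev snapshots and report whether the RX
# "drop" and "fifo" counters (ifconfig's "dropped" and "overruns") grew for an
# interface. Take one snapshot before and one after "ethtool -G <iface> rx N tx N"
# (see "ethtool -g <iface>" for the hardware maximum) to see if the change helped.

# Constructed sample snapshots in /proc/net/dev layout (not real gateway data).
SNAP_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 1000000    8000    0  120   45    0          0         0   500000    6000    0    0    0     0       0          0
  eth1:  200000    1500    0    0    0    0          0         0   100000    1200    0    0    0     0       0          0'
SNAP_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:2000000   16000    0  150   55    0          0         0  1000000   12000    0    0    0     0       0          0
  eth1:  400000    3000    0    0    0    0          0         0   200000    2400    0    0    0     0       0          0'

# rx_counters IFACE SNAPSHOT -> prints "<rx drop> <rx fifo>" for IFACE.
# The kernel glues the name to the byte count when the number is wide
# ("eth0:2000000"), so the colon is split off before picking fields.
rx_counters() {
  printf '%s\n' "$2" | awk -v ifc="$1:" '
    { sub(/:/, ": "); if ($1 == ifc) print $5, $6 }'
}

# rx_delta IFACE BEFORE AFTER -> prints "<drop delta> <fifo delta>".
# Exit status 0 when both counters held steady, 1 when either grew,
# 2 when IFACE is missing from one of the snapshots.
rx_delta() {
  iface=$1
  set -- $(rx_counters "$1" "$2") $(rx_counters "$1" "$3")
  [ $# -eq 4 ] || { echo "rx_delta: $iface not in both snapshots" >&2; return 2; }
  d=$(( $3 - $1 )); f=$(( $4 - $2 ))
  echo "$d $f"
  [ "$d" -eq 0 ] && [ "$f" -eq 0 ]
}

# Demo on the constructed snapshots. For a live check, save "cat /proc/net/dev"
# twice, some minutes apart, and pass both captures in the same way.
for i in eth0 eth1; do
  rx_delta "$i" "$SNAP_BEFORE" "$SNAP_AFTER" >/dev/null && status=0 || status=$?
  case $status in
    0) echo "$i: RX drop/overrun counters stable" ;;
    1) echo "$i: RX drop/overrun counters still growing, rings may still be too small" ;;
    *) echo "$i: not present in both snapshots" ;;
  esac
done
```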
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================