The diskless systems have fewer moving parts. That makes disk
activities, like swap file and logging, perform faster for either-bound
traffic.
The 25,000 connection limit leaves 50% for TCP connections. That's
why only 12,500 connections are seen by ASM. This is a DoS risk
mitigation tactic. You can change this in SMDF under Network Security
--> Denial of Service --> Non TCP Flooding. Default is 50%.
Are you running Floodgate on that firewall? With SMDF completely off,
does the slowdown go away?
Regards,
Neil Delacruz
On 7/18/06, Mike Smith <mike6733 AT comcast DOT net> wrote:
>The Active Streaming Mechanism is used in the following:
>• Error concealment
>• Header spoofing
>• Directory listing
>• ASCII only response
>• "Send Error Page" checked (R60/R55W)
>
>Any defense that sends an HTML error page to the client uses ASM. The
>main difference between ASM and PSM (Passive Streaming Mechanism) is
>that ASM will analyze the entire request and response header before
>sending it to the server and client. ASM uses much more overhead than
>PSM.
>
>I miss the days of the plain-old statefull firewall. But that type of
>protection today is not enough. If you want to have very limited
>application checks, inferior VPNs, vendor hardware lock-in, and the
>worst management of them all, then take the advice and go with PIX.
>
>Are you really surpassing the 25,000 connections mark? If so, is it
>legit traffic? Maybe marketing did some kinda campaign or promo and
>didn't notify the security team to except a huge increase in traffic?
>Consider going to a diskless system?
No, but according to the Checkpoint SE this number is inaccurate when ASM is
invoked. A value of 25,000 actually means 12,500 ASM sessions.
Most of the traffic is inbound; how would a diskless system help?
>
>Has the slowdown been resolved since you made the change using ethtool?
No, the slowdowns are still occurring with SmartDefense enabled.
>
>Regards,
>Neil Delacruz
>>On 7/17/06, Mike Smith <mike6733 AT comcast DOT net> wrote:
>> A little more information:
>>
>> The Concurrent connections problem occurred when SmartDefense started using
>>Active Streaming to perform layer 7 probes. My understanding is that Active
>>Streaming causes two half-session entries to be created in the connection
>>table.
>>So you start to drop packets when the number of connections (invoking Active
>>Streaming) reaches 50% of maximum connections.
>>
>> The platform is splat.
>>
>> I also noticed last week that interfaces on the gateway were recording
>>dropped and overrun packets as shown by an ifconfig eth_ command. This only
>>happens when SmartDefense is enabled. On Friday I used the ethtool -G rx ####
>>tx #### command to increase the number of Receive and Transmit descriptors
>>available to the interface. The dropped and overrun packets counters have not
>>changed since the # of buffers were increased.
>>
>> I had a difficult time finding the information regarding the tuning of the
>>ethernet interfaces. Can someone direct me to a FAQ or cookbook?
>>
>> TIA
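The check Mike describes above (watching whether the RX dropped/overrun counters keep climbing after the ethtool -G ring-buffer change) can be scripted. This is an added example, not code from the thread; it parses ifconfig-style output, and the three snapshots it works on are constructed sample text, not captures from a real gateway.

```shell
#!/bin/sh
# Compare RX dropped/overrun counters between two ifconfig snapshots of the
# same interface. If the counters are flat across a busy interval, the larger
# descriptor rings are keeping up; if they grow, the NIC is still shedding frames.
# All three snapshots below are constructed sample text, not real captures.

SNAP_BEFORE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          RX packets:18231910 errors:0 dropped:4210 overruns:4210 frame:0
          TX packets:16518822 errors:0 dropped:0 overruns:0 carrier:0'

SNAP_AFTER='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          RX packets:19901450 errors:0 dropped:4210 overruns:4210 frame:0
          TX packets:18123001 errors:0 dropped:0 overruns:0 carrier:0'

SNAP_BUSY='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          RX packets:21577302 errors:0 dropped:5713 overruns:5713 frame:0
          TX packets:19544120 errors:0 dropped:0 overruns:0 carrier:0'

# rx_counter SNAPSHOT FIELD -> value of FIELD ("dropped" or "overruns") on the RX line
rx_counter() {
    printf '%s\n' "$1" | awk -v f="$2" '
        /RX packets:/ {
            for (i = 1; i <= NF; i++)
                if (index($i, f ":") == 1) { split($i, a, ":"); print a[2] }
        }'
}

# rx_delta BEFORE AFTER FIELD -> how much FIELD grew between the two snapshots
rx_delta() {
    b=$(rx_counter "$1" "$3")
    a=$(rx_counter "$2" "$3")
    echo $((a - b))
}

# verdict BEFORE AFTER -> "stable" if neither counter grew, otherwise "growing"
verdict() {
    if [ "$(rx_delta "$1" "$2" dropped)" -eq 0 ] &&
       [ "$(rx_delta "$1" "$2" overruns)" -eq 0 ]; then
        echo stable
    else
        echo growing
    fi
}

# Example runs: first interval is flat, second interval sheds frames again.
echo "before -> after: $(verdict "$SNAP_BEFORE" "$SNAP_AFTER")"
echo "after  -> busy : $(verdict "$SNAP_AFTER" "$SNAP_BUSY") (+$(rx_delta "$SNAP_AFTER" "$SNAP_BUSY" overruns) overruns)"
```

On a live SPLAT box the same functions can be fed the output of two `ifconfig eth_` calls taken some minutes apart while SmartDefense is enabled.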
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================