Thread: Throughput problem in Firewall XL




Throughput problem in Firewall XL
Peru
2007-10-18 06:27:38
Hello Everybody,

I am running a Firewall Cluster XL, just one node active, the other one
is in standby. The issue is that suddenly the Firewall started to drop
packets by SmartDefense, since there were many connections which exceeded
the number of connections per second permitted (SmartDefense -> Network
Quota option). The issue is that it doesn't seem to be an attack, since
all the connections are valid ones; to my understanding the clients are
asking for more information than before, since all the packets dropped are
going from the clients to the Oracle server (port 1521/tcp).

My questions are:

1.- How can I measure or know the amount of concurrent connections at one
specific time? Maybe they are more than the 25000 which is the default.

2.- How can I configure the Cluster XL so that it can perform load
balancing (both modules working) instead of the active/standby (just one
module working) feature?

Thanks a lot for your time,

Regards

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Re: Throughput problem in Firewall XL
2007-10-18 06:36:26
hi,

At 13:27 18.10.2007, you wrote:
> Hello Everybody,
>
> I am running a Firewall Cluster XL, just one node active, the other one
> is in standby. The issue is that suddenly the Firewall started to drop
> packets by SmartDefense, since there were many connections which
> exceeded the number of connections per second permitted (SmartDefense ->
> Network Quota option). The issue is that it doesn't seem to be an
> attack, since all the connections are valid ones; to my understanding
> the clients are asking for more information than before, since all the
> packets dropped are going from the clients to the Oracle server (port
> 1521/tcp).
>
> My question is:
>
> 1.- How can I measure or know the amount of concurrent connections at
> one specific time? Maybe they are more than the 25000 which is the
> default.

fw tab -t connections -s

but furthermore you can have a look at the syslogs of your firewall -
you will see error messages there if your table buffers (session or
nat) are full.

> 2.- How can I configure the Cluster XL so that it can perform load
> balancing (both modules working) instead of the active/standby (just
> one module working) feature?

in the cluster object you can change that.

fyi: for active-active ClusterXL you need a license ...

br
reinhard

-- 
Reinhard Stich          r.stich@internet-security.at
Internet Security AG,      1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333


Re: Throughput problem in Firewall XL
Netherlands
2007-10-18 07:11:57
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Edouard Zorrilla wrote:

> I am running a Firewall Cluster XL, just one node active, the other one
> is in standby. The issue is that suddenly the Firewall started to drop
> packets by SmartDefense, since there were many connections which
> exceeded the number of connections per second permitted (SmartDefense ->
> Network Quota option). The issue is that it doesn't seem to be an
> attack, since all the connections are valid ones; to my understanding
> the clients are asking for more information than before, since all the
> packets dropped are going from the clients to the Oracle server (port
> 1521/tcp).

It may also be an indication of a problem. It could be an attack on the
website that will result in heavy traffic to the backend database. But
for that one needs to know a lot more about the exact topology.

But I would guess that a serious amount of sessions for Oracle would
also mean a serious resource consumption on the database server.

> 1.- How can I measure or know the amount of concurrent connections at
> one specific time? Maybe they are more than the 25000 which is the
> default.

The SmartDefense settings are quite different from this limit. So verify
what sort of traffic you should expect on that application and adjust
your SmartDefense settings accordingly.

Consult with the Oracle people to learn how many sessions they can
handle. No point in allowing 2000 new sessions per second if 100 new
sessions per second will be the limit for your database.

Hugo.

- --
hvdkooij@vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHF02LBvzDRVjxmYERAtHCAJ9lYfJb5FwT00n13GN8YyhVzQTinQCeINzZ
xLmMxjfhCL2OrWKMs8mjoZ8=
=NJP6
-----END PGP SIGNATURE-----


Re: Throughput problem in Firewall XL
Peru
2007-10-18 09:59:25
Excuse me, what is the meaning of VALS and PEEKS?

Regards

----- Original Message ----- 
From: "Marius Banica" <shpapy@GMAIL.COM>
To: <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Sent: Thursday, October 18, 2007 6:43 AM
Subject: Re: [FW-1] Throughput problem in Firewall XL


> 1 - fw tab -t connections -s , look for the VALS and PEEKS
> 2 - you need a license for this issue, if you got it or eval just switch on
> the cluster properties to work as active/active
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Edouard
> Zorrilla
> Sent: Thursday, October 18, 2007 13:28 PM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: [FW-1] Throughput problem in Firewall XL
>
> Hello Everybody,
>
> I am running a Firewall Cluster XL, just one node active, the other one
> is in standby. The issue is that suddenly the Firewall started to drop
> packets by SmartDefense, since there were many connections which
> exceeded the number of connections per second permitted (SmartDefense ->
> Network Quota option). The issue is that it doesn't seem to be an
> attack, since all the connections are valid ones; to my understanding
> the clients are asking for more information than before, since all the
> packets dropped are going from the clients to the Oracle server (port
> 1521/tcp).
>
> My question is:
>
> 1.- How can I measure or know the amount of concurrent connections at
> one specific time? Maybe they are more than the 25000 which is the
> default.
>
> 2.- How can I configure the Cluster XL so that it can perform load
> balancing (both modules working) instead of the active/standby (just
> one module working) feature?
>
> Thanks a lot for your time,
>
> Regards
>
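
Reinhard's `fw tab -t connections -s` tip earlier in the thread and Marius's note to look at the VALS and PEEKS columns both point at the same check: how full the connections table is right now and how high it has been. The script below is an added example, not code from the thread or from Check Point; it parses the one-line summary that command prints for the connections table and compares the #VALS (current entries) and #PEAK (high-water mark, the "PEEKS" of the thread) columns against the table limit. The column layout (HOST, NAME, ID, #VALS, #PEAK, #SLINKS) is assumed from the summary format, the sample output is constructed, and the 25000 limit is the default figure quoted in the original post.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point.
# Parses the one-line summary `fw tab -t connections -s` prints for the
# connections table and compares current use (#VALS) and the high-water
# mark (#PEAK) with the table limit.
#
# Assumed column layout of the summary output:
#   HOST  NAME  ID  #VALS  #PEAK  #SLINKS

# Constructed sample of the command's output (not captured from a real gateway).
SAMPLE_FW_TAB='HOST                  NAME                         ID   #VALS  #PEAK  #SLINKS
localhost             connections                8158   24210  25000    48420'

# conn_table_stats OUTPUT -> prints "<vals> <peak>" for the connections row
conn_table_stats() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4, $5 }'
}

# table_usage_pct VALS LIMIT -> integer percentage of the limit in use
table_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_connections OUTPUT LIMIT -> prints a verdict
# exit status: 0 = ok, 1 = above 80% of the limit, 2 = peak reached the
# limit, 3 = no connections row found in the output
check_connections() {
    stats=$(conn_table_stats "$1")
    limit=$2
    if [ -z "$stats" ]; then
        echo "connections table not found in output" >&2
        return 3
    fi
    vals=${stats%% *}
    peak=${stats##* }
    pct=$(table_usage_pct "$vals" "$limit")
    if [ "$peak" -ge "$limit" ]; then
        echo "FULL: connections table peaked at $peak (limit $limit); currently $vals entries"
        return 2
    elif [ "$pct" -ge 80 ]; then
        echo "WARN: connections table at ${pct}% ($vals/$limit), peak $peak"
        return 1
    fi
    echo "OK: connections table at ${pct}% ($vals/$limit), peak $peak"
    return 0
}

# Demo on the constructed sample; on a gateway pass "$(fw tab -t connections -s)" instead.
status=0
check_connections "$SAMPLE_FW_TAB" 25000 || status=$?
echo "exit status: $status"
```

On a gateway, feed it the live output: `check_connections "$(fw tab -t connections -s)" 25000`. Note that this measures concurrent entries in the state table, which, as Hugo points out, is a different quantity from the connections-per-second rate that the SmartDefense Network Quota protection enforces; a table nowhere near its limit does not rule out a quota drop.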


Re: Throughput problem in Firewall XL
Netherlands
2007-10-18 10:09:54
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Edouard Zorrilla wrote:
> Excuse me, what is the meaning of VALS and PEEKS ?

Common sense would guess that they would be:
 - Values
 - Peek values.

But memory might not be too good today 

Hugo.

- --
hvdkooij@vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHF3c/BvzDRVjxmYERAtWPAJ47f9Uv/AZZRXjsIXAB1luhoSGMNQCfcfhh
dTXxhzkSkg2WCZr/39cTs7k=
=VeB7
-----END PGP SIGNATURE-----

