Firewall Wizards mailing list archives

Re: occupied connection table behavior


From: Jim MacLeod <jmacleod () hotpop com>
Date: Wed, 22 May 2002 12:32:00 -0700

Hello Emek,

CheckPoint FW-1 certainly reacts poorly when its connection table fills - the rate of new connection creation drops by a factor of 5 or more. I believe that it prunes old connections from its table, but don't have evidence to corroborate this. However, as of 4.1 it was possible to create new sessions, even with a full table.

Fortunately it's also possible to tweak the config files and increase the size of the table. As of 4.1, there were 60 bytes per connection table entry, plus an additional 120 bytes per NAT table entry.

Regards,
-Jim MacLeod

At 11:44 PM 5/20/2002, Sadot, Emek (Emek) wrote:
Hello,

Does anyone know how FW-1 and PIX react when the connection table becomes full?
- Dropping new sessions?
- Deleting existing ones and accepting the new sessions? In case of deleting, is it done based on "oldest" sessions, session priority, or simply deleting random sessions?
- Immediately executing the aging process?
- Other?

Thanks in advance,

Emek
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

