
f : fw-1-mailinglist@amadeus.us.checkpoint.com 21 February 2012 • 2:19PM -0500

Re: [FW-1] Connections dropping when pushing policy
by Mohamed N. - T.I.





Dear Ray,

Ours is a Nokia box hardware and Smart center running in another
separate PC with 4GB RAM
Version: NGX (R65)
OS: IPSO Version: 4.2

Average CPU - 14%
Active virtual memory - 650MB
Disk free % - 84

cpmodule  
Version: R75.20
OS: SecurePlatform


Even when disabling logging, we are seeing connections reset when a
policy is pushed. I thought the below information might be useful for
you. If not, please neglect.

Thanks

Regards
Mohamed.N



Interface table
--------------------------------------------
|Name  |Dir|Accept    |Drop   |Reject|Log |
--------------------------------------------
|re1c0 |in | 324109097| 297534|    15| 887|
|re1c0 |out| 333252079|   1229|     0|  22|
|eth4c0|in |         0|      0|     0|   0|
|eth4c0|out|         0|      0|     0|   0|
|eth3c0|in |       180|      0|     0|   0|
|eth3c0|out|       164|      0|     0|   0|
|re2c0 |in | 332223094| 391575|     0|1787|
|re2c0 |out| 323659116|  74667|     0|   5|
--------------------------------------------
|      |   |1313243730| 765005|    15|2701|
--------------------------------------------



-----------------------
CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f perf fw)
-----------------------

Product name:                                        FireWall-1
hmem - block size:                                   4096
hmem - requested bytes:                              20971520
hmem - initial allocated bytes:                      20971520
hmem - initial allocated blocks:                     0
hmem - initial allocated pools:                      0
hmem - current allocated bytes:                      20971520
hmem - current allocated blocks:                     5119
hmem - current allocated pools:                      1
hmem - maximum bytes:                                31457280
hmem - maximum pools:                                10
hmem - bytes used:                                   8864536
hmem - blocks used:                                  3332
hmem - bytes unused:                                 12106984
hmem - blocks unused:                                1787
hmem - bytes peak:                                   15669876
hmem - blocks peak:                                  4430
hmem - bytes internal use:                           70736
hmem - number of items:                              99428
hmem - alloc operations:                             114095822
hmem - free operations:                              113996394
hmem - failed alloc:                                 0
hmem - failed free:                                  0
kmem - system physical mem:                          0
kmem - available physical mem:                       0
kmem - aix heap size:                                0
kmem - bytes used:                                   44883372
kmem - blocking bytes used:                          1404360
kmem - non blocking bytes used:                      43479012
kmem - bytes unused:                                 0
kmem - bytes peak:                                   54765700
kmem - blocking bytes peak:                          1696556
kmem - non blocking bytes peak:                      53069144
kmem - bytes internal use:                           5192
kmem - number of items:                              649
kmem - alloc operations:                             22074683
kmem - free operations:                              22074034
kmem - failed alloc:                                 0
kmem - failed free:                                  0
inspect - packets:                                   1455110299
inspect - operations:                                3919265977
inspect - lookups:                                   884037145
inspect - record:                                    0
inspect - extract:                                   2384748506
cookies - total:                                     1495017859
cookies - alloc:                                     0
cookies - free:                                      0
cookies - dup:                                       5
cookies - get:                                       3683290696
cookies - put:                                       9252701
cookies - len:                                       1495188831
chains - alloc:                                      0
chains - free:                                       0
fragments - fragments:                               0
fragments - expired:                                 0
fragments - packets:                                 0
ufp - % hits ratio:                                  0
ufp - total connections:                             0
ufp - hits connections:                              0
ufp - session max:                                   0
ufp - session current:                               0
ufp - session count:                                 0
ufp - rej session :                                  0
ufp - time stamp:                                    
ufp - is alive:                                      0
http - pid:                                          0
http - proto:                                        0
http - port:                                         0
http - logical port:                                 0
http - max avail socket:                             0
http - socket in use max:                            0
http - socket in use current:                        0
http - socket in use count:                          0
http - session max:                                  0
http - session current:                              0
http - session count:                                0
http - auth session max:                             0
http - auth session current:                         0
http - auth session count:                           0
http - accepted session:                             0
http - rejected session:                             0
http - auth failures:                                0
http - opsec cvp session max:                        0
http - opsec cvp session current:                    0
http - opsec cvp session count:                      0
http - opsec cvp rej session :                       0
http - ssl encryp session max:                       0
http - ssl encryp session current:                   0
http - ssl encryp session count:                     0
http - transparent session max:                      0
http - transparent session current:                  0
http - transparent session count:                    0
http - proxied session max:                          0
http - proxied session current:                      0
http - proxied session count:                        0
http - tunneled session max:                         0
http - tunneled session current:                     0
http - tunneled session count:                       0
http - ftp session max:                              0
http - ftp session current:                          0
http - ftp session count:                            0
http - time stamp:                                  
http - is alive:                                     0
ftp - pid:                                           0
ftp - proto:                                         0
ftp - port:                                          0
ftp - logical port:                                  0
ftp - max avail socket:                              0
ftp - socket in use max:                             0
ftp - socket in use current:                         0
ftp - socket in use count:                           0
ftp - session max:                                   0
ftp - session current:                               0
ftp - session count:                                 0
ftp - auth session max:                              0
ftp - auth session current:                          0
ftp - auth session count:                            0
ftp - accepted session:                              0
ftp - rejected session:                              0
ftp - auth failures:                                 0
ftp - opsec cvp session max:                         0
ftp - opsec cvp session current:                     0
ftp - opsec cvp session count:                       0
ftp - opsec cvp rej session :                        0
ftp - time stamp:                                    
ftp - is alive:                                      0
telnet - pid:                                        0
telnet - proto:                                      0
telnet - port:                                       0
telnet - logical port:                               0
telnet - max avail socket:                           0
telnet - socket in use max:                          0
telnet - socket in use current:                      0
telnet - socket in use count:                        0
telnet - session max:                                0
telnet - session current:                            0
telnet - session count:                              0
telnet - auth session max:                           0
telnet - auth session current:                       0
telnet - auth session count:                         0
telnet - accepted session:                           0
telnet - rejected session:                           0
telnet - auth failures:                              0
telnet - time stamp:                                
telnet - is alive:                                   0
rlogin - pid:                                        0
rlogin - proto:                                      0
rlogin - port:                                       0
rlogin - logical port:                               0
rlogin - max avail socket:                           0
rlogin - socket in use max:                          0
rlogin - socket in use current:                      0
rlogin - socket in use count:                        0
rlogin - session max:                                0
rlogin - session current:                            0
rlogin - session count:                              0
rlogin - auth session max:                           0
rlogin - auth session current:                       0
rlogin - auth session count:                         0
rlogin - accepted session:                           0
rlogin - rejected session:                           0
rlogin - auth failures:                              0
rlogin - time stamp:                                
rlogin - is alive:                                   0
smtp - pid:                                          0
smtp - proto:                                        0
smtp - port:                                         0
smtp - logical port:                                 0
smtp - max avail socket:                             0
smtp - socket in use max:                            0
smtp - socket in use current:                        0
smtp - socket in use count:                          0
smtp - session max:                                  0
smtp - session current:                              0
smtp - session count:                                0
smtp - accepted session:                             0
smtp - rejected session:                             0
smtp - mail max:                                     0
smtp - mail curr:                                    0
smtp - mail count:                                   0
smtp - outgoing mail max:                            0
smtp - outgoing mail curr:                           0
smtp - outgoing mail count:                          0
smtp - max mail on conn:                             0
smtp - total mails :                                 0
smtp - time stamp:                                  
smtp - is alive:                                     0
sync - configured:                                   Yes
sync - out state:                                    On
sync - in state:                                     On
sync - number of sent packets:                       6159304
sync - number of Kbytes sent:                        5345165
sync - number of packets received:                   4871821
sync - number of Kbytes received:                    5597043
sync - number of retrans requests sent:              4599
sync - number of retrans requests received:          755
sync - number of ack packets sent:                   100250
sync - number of ack packets received:               3087169
sync - number of packets dropped by network:         139
sync - overall number of table updates to be synced: 54785806
sync - number of updates filtered by 'non sync':     227


-----------------------
CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f hmem fw)
-----------------------

Product name:                    FireWall-1
hmem - block size:               4096
hmem - requested bytes:          20971520
hmem - initial allocated bytes:  20971520
hmem - initial allocated blocks: 0
hmem - initial allocated pools:  0
hmem - current allocated bytes:  20971520
hmem - current allocated blocks: 5119
hmem - current allocated pools:  1
hmem - maximum bytes:            31457280
hmem - maximum pools:            10
hmem - bytes used:               8864536
hmem - blocks used:              3332
hmem - bytes unused:             12106984
hmem - blocks unused:            1787
hmem - bytes peak:               15669876
hmem - blocks peak:              4430
hmem - bytes internal use:       70736
hmem - number of items:          99428
hmem - alloc operations:         114095822
hmem - free operations:          113996394
hmem - failed alloc:             0
hmem - failed free:              0


-----------------------
CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f kmem fw)
-----------------------

Product name:                   FireWall-1
kmem - system physical mem:     0
kmem - available physical mem:  0
kmem - aix heap size:           0
kmem - bytes used:              44883372
kmem - blocking bytes used:     1404360
kmem - non blocking bytes used: 43479012
kmem - bytes unused:            0
kmem - bytes peak:              54765700
kmem - blocking bytes peak:     1696556
kmem - non blocking bytes peak: 53069144
kmem - bytes internal use:      5192
kmem - number of items:         649
kmem - alloc operations:        22074683
kmem - free operations:         22074034
kmem - failed alloc:            0
kmem - failed free:             0


-----------------------
CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f inspect fw)
-----------------------

Product name:         FireWall-1
inspect - packets:    1455127417
inspect - operations: 3920038161
inspect - lookups:    884053472
inspect - record:     0
inspect - extract:    2384993499


-----------------------
CP Status - FW (/opt/CPsuite-R65/svn/bin/cpstat -f cookies fw)
-----------------------

Product name:    FireWall-1
cookies - total: 1495035775
cookies - alloc: 0
cookies - free:  0
cookies - dup:   5
cookies - get:   3683385478
cookies - put:   9252851
cookies - len:   1495206747




                                                    
                                                     2380  
                                                     mohamedn@fss....
+91 95001 29207

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST@AMAD...] On Behalf Of Ray
Sent: Tuesday, February 21, 2012 1:18 AM
To: FW-1-MAILINGLIST@AMAD...
Subject: Re: [FW-1] Connections dropping when pushing policy

It sounds more like under-powered hardware. What are you using and is
the SmartCenter on the same box as the firewall?

Ray

> Date: Mon, 20 Feb 2012 17:33:05 +0530
> From: mohamedn@FSS....
> Subject: Re: [FW-1] Connections dropping when pushing policy
> To: FW-1-MAILINGLIST@AMAD...
>
> Dear All,
>
>  
>
> We have a nokia and Checkpoint R75.20 is running over it. We have some
> 300 rule bases and enabled logging for all the rules. When put on
> production and the CPU got overloaded and particularly when I push the
> policy, all ongoing connections are dropping. We have disabled the logs
> and thereafter found a normal behavior. Wonder if enabling logging
> caused the CPU hog..
>
>  
>
>  
>
> Regards
>
>  
>
> Mohamed.N
>
>
>
> DISCLAIMER:
>
> The information contained in this e-mail message may be privileged
> and/or confidential and protected from disclosure under applicable
> law. It is intended only for the individual to whom or entity to which
> it is addressed as shown at the beginning of the message. If the reader
> of this message is not the intended recipient, or if the employee or
> agent responsible for delivering the message is not an employee or
> agent of the intended recipient, you are hereby notified that any
> review, dissemination, distribution, use, or copying of this message is
> strictly prohibited. If you have received this message in error, please
> notify us immediately by return e-mail and permanently delete this
> message and your reply to the extent it includes this message. Any
> views or opinions presented in this message or attachments are those of
> the author and do not necessarily represent those of the Company. All
> e-mails and attachments sent and received are subject to monitoring,
> reading, and archival by the Company.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV@amad...
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner@ts.c...
> =================================================
     


opensubscriber is not affiliated with the authors of this message nor responsible for its content.
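
Added example, not part of the original thread and not Check Point tooling: the Python below parses the `cpstat -f perf fw` output quoted in the message and checks the memory counters that bear on the under-powered-hardware question (failed allocations, peak hash-memory use against the configured maximum, and whether alloc minus free operations equals the item count). The function names and the 90% warning threshold are assumptions; the sample text is an excerpt of the counters posted above.

```python
import re

# Excerpt of the `cpstat -f perf fw` output quoted in the message above.
SAMPLE = """\
hmem - current allocated bytes:                      20971520
hmem - maximum bytes:                                31457280
hmem - bytes used:                                   8864536
hmem - bytes peak:                                   15669876
hmem - number of items:                              99428
hmem - alloc operations:                             114095822
hmem - free operations:                              113996394
hmem - failed alloc:                                 0
hmem - failed free:                                  0
kmem - bytes used:                                   44883372
kmem - bytes peak:                                   54765700
kmem - number of items:                              649
kmem - alloc operations:                             22074683
kmem - free operations:                              22074034
kmem - failed alloc:                                 0
kmem - failed free:                                  0
ufp - time stamp:
"""

LINE = re.compile(r"^(\w+) - ([^:]+?)\s*:\s*(.*)$")
WARN_PCT = 90.0  # assumed warning threshold, not a vendor figure

def parse_cpstat(text):
    """Parse 'group - counter: value' lines into {group: {counter: int or str}}."""
    stats = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # banners, 'Product name' and blank lines do not match
            group, name, value = m.groups()
            stats.setdefault(group, {})[name] = int(value) if value.isdigit() else value
    return stats

def memory_report(stats):
    """Summarise the hmem/kmem counters; alloc - free should equal live items."""
    report = {}
    for pool in ("hmem", "kmem"):
        p = stats[pool]
        entry = {
            "failed_ops": p["failed alloc"] + p["failed free"],
            "items_consistent": p["alloc operations"] - p["free operations"] == p["number of items"],
        }
        if "maximum bytes" in p:  # only hmem reports a configured ceiling
            entry["used_pct_of_allocated"] = round(100 * p["bytes used"] / p["current allocated bytes"], 1)
            entry["peak_pct_of_maximum"] = round(100 * p["bytes peak"] / p["maximum bytes"], 1)
        report[pool] = entry
    return report

def findings(report):
    """List the conditions worth raising; an empty list means none were seen."""
    out = []
    for pool, e in report.items():
        if e["failed_ops"]:
            out.append(f"{pool}: {e['failed_ops']} failed alloc/free operations")
        if not e["items_consistent"]:
            out.append(f"{pool}: alloc/free counters do not match item count")
        if e.get("peak_pct_of_maximum", 0) >= WARN_PCT:
            out.append(f"{pool}: peak use at {e['peak_pct_of_maximum']}% of maximum")
    return out

print(findings(memory_report(parse_cpstat(SAMPLE))) or "no memory-pressure indicators")
```

On the posted counters this reports no findings: hash memory peaked at about half of its maximum and neither pool recorded a failed operation.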