Re: Max connections on a FW-1 cluster

From: SysAdm (wjones@sitesmith.com)
Date: 06/11/02 

From: "SysAdm" <wjones@sitesmith.com>
Date: Tue, 11 Jun 2002 21:55:07 +0000 (UTC)

er no.

maybe you didnt read the post, but its easy to increase the amount of
connections that FW-1 can accomodate, although this also depends on how much
memory is assigned to the kernel. Also, depending on which platform you run
it on, and how you have configured both it, and the surrounding
infrastructure, will depend on whether or not you are actually
load-balancing connections. The fact that you are running a pair of
firewalls is completely irrelevant. You asked if you could increase the
amount of concurrent connections the firewall(s) could handle. Both Greg
and I answered this.

As you say, you already know this. So why are you asking us.

SysAdm

"Ken Ord" <kenord@hotmail.com> wrote in message
news:hHiN8.8$f62.17065@news.lhr.globix.net...
> Thanks, but I already know this, and how to increase memory allocation.
As
> I said, this is theoretical but I have been asked to come up with an
answer
> and am struggling without a test system. It seems no-one on the FW-1
> mailing list knows the answer either!
>
> Ken
>
>
> "Greg Hennessy" <nntp@NOSPAM.cmkrnl.cix.co.uk> wrote in message
> news:j7bbguoiunvjqgcjek1nkc9jfu25ukfk6k@4ax.com...
> > On Mon, 10 Jun 2002 15:21:54 +0100, "Ken Ord" <kenord@hotmail.com>
wrote:
> >
> > >Theoretically I have a single Checkpoint FW-1 box that can handle up to
> > >50,000 concurrent connections, which isn't enough for my network.
> >
> > Are really sure that you need that amount of concurrent connections ?
> > I recommend using something like Cricket http://cricket.sourceforge.net/
> > to graph the averages of
> >
> > fw tab -t connections -s <module>
> >
> > to see what the true figure is. Most of the time, I've seen the pipe
fill
> > up b4 reaching the default connections limit of 25000.
> >
> > If you are running over 50000 connections through at once, its a good
bet
> a
> > lot of those will be small udp packets, FW1 prior to NG or 4.1 on IPSO
3.3
> > had major performance issues with large volume small packet traffic.
> >
> > Most firewall load balacing solutions will do a source/dest hash on the
> > incoming flow to direct the flow over the firewalls being balanced, i.e
a
> > firewall gets a specific flow.
> > This is not the same as something like IOS CEF load balancing which can
> > round robin each and every packet over the devices being balanced.
> >
> > http://www.phoneboy.com/faq/0289.html
> >
> >
> >
> > greg
> >
> >
> >
> >
> >
> > >
> > >
> >
> > --
> > $ReplyAddress =~ s#NOSPAM\.##;
> > "You say the hot sauce can't be beat, sit back and open wide.."
> >
>
>

Relevant Pages

  • Re: JDBC Driver Settings
    ... >>> small amount of data that you fetch completely. ... Cloned connections use the same connection ... JTA is not supported in direct mode. ... >>> Shelby Goerlitz ...
    (microsoft.public.sqlserver.jdbcdriver)
  • Re: Problem sending 30000 mail at once
    ... property to set max amount of connections. ... Could that be the reason? ... As being said it must a SMTP server limitation with 10. ...
    (microsoft.public.dotnet.languages.vb)
  • Re: Auto Disconnet ...
    ... After a little bit of sniffing the net I found that ALL connections from ... remote Win2k machine dies after certain amount of time. ...
    (Debian-User)
  • Re: tcp ports ftp hangs in CLOSE_WAIT state with NMAP scanner
    ... NMAP to scan the ports, my FTP server hangs with 8 connections in ... You can reproduce the same thing on Linux, ... connections would likely be higher. ... You can increase the amount of sockets available. ...
    (comp.os.vxworks)
  • Re: Linux kernel on FreeBSD
    ... Is there something I'm missing with the firewalls ... Netfilter seems to have better nat proxy support for protocols like ftp ... If you setting incomming ftp connections to an ftp server ...
    (freebsd-questions)