Today in Check Point adventure-land, I ran into a problem where legitimate traffic was sometimes making it through the firewall, and sometimes not. The log viewer (SmartView Tracker) was showing me where new connections were “accepted”. And then seconds later, traffic of the same class was “rejected”. I thought I was dealing with some sort of DDoS attack, where the firewall got tagged with some malicious packet and therefore had lost its mind.
The reality was far simpler. Although SmartView Tracker didn’t happen to mention it was rejecting connections due to the connection table being full, in fact that’s all that was going on. The light dawned ever so brightly upon me as I was at the firewall console, dutifully poking at this and that, and saw the logged message:
FW-1: A new connection has been detected but cannot be added to
the connections table.
The connection table may be at full capacity.
Please increase the connection table limit.
Ah, well that’s it, isn’t it…a quick jump over to SmartView Monitor, where a click on the firewall object in question and then on “Network Activity” told the tale. The firewall was bouncing off the rev limiter, so to speak. Connections were in the high 24,000 range, with 25,000 being the max. 25K is, AFAIK, the default Check Point connection limit. If you would rather see it from the gateway console, “fw tab -t connections -s” prints the current (#VALS) and peak (#PEAK) number of entries, and the configured limit is in the attributes line at the top of “fw tab -t connections”. A “connection” in Check Point speak is any entry in that connections table, not just a TCP session: anything you’ve opted to track gets one, whether it is a connection-oriented protocol (like TCP) or not (like UDP or ICMP). For the stateless protocols the gateway keeps a “virtual session” that occupies a slot until its idle timeout expires (40 seconds by default for UDP), so a steady stream of short DNS queries holds far more entries than you might guess. As it happens, this particular firewall was very busy passing myriad DNS queries and HTTP requests from some new systems recently added to a DMZ this firewall guards.
So what’s a network engineer with an irritated firewall and cranky user base to do? Why, raise the connection limit, CPU and RAM permitting, of course. 25K is quite a conservative limit for a network of any size. After reviewing this firewall’s memory and CPU headroom, I found I was comfortably able to raise the limit to 50K without taxing the system overly much. To do so, in SmartDashboard, you edit the properties of the firewall or cluster in question. Then look for “Capacity Optimization”, where the “Maximum concurrent connections” field is your holy grail; leave the connections hash table size and memory pool on the automatic setting so they are recalculated for the new limit. Push policy (which you can do without breaking existing connections, it’s okay), and you’re off and running with a higher connection limit. If you need breathing room before the change window, Aggressive Aging (when enabled) starts expiring idle connections early as the table approaches capacity, which buys time but does not fix the underlying demand.
A word of caution. Do you understand WHY your firewall is seeing a high connection count? Before raising the limit, look at which sources, destinations and services account for the bulk of the table. Consider the possibility that your network is being DDoS’ed, or that you have a virus or other malware loose in your environment opening far more connections than normal. In that case, bumping up the rev limiter just lets the junk consume more of the gateway’s memory and CPU, and might make things worse for your environment. You only want to increase the connection count if the normal operation of your network calls for it.
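A console-side version of both checks, how close the table is to its limit and who is filling it, as an added example that is not from the original post and not a Check Point tool. It parses constructed samples of the attributes line of “fw tab -t connections”, of “fw tab -t connections -s”, and of the raw “fw tab -t connections -u” dump. The column names of the -s summary and the hex layout assumed for each dump entry (direction, source IP, source port, destination IP, destination port, protocol, then value fields) are assumptions to verify against your own gateway’s output before trusting the numbers.

```shell
#!/bin/sh
# Added example: connections-table utilisation plus a breakdown of who fills it.
# All three SAMPLE_* strings are CONSTRUCTED to mirror the post (limit 25000,
# count in the high 24,000s). The entry layout of the -u dump
# (<dir, src, sport, dst, dport, proto; ...>, all hex) is an ASSUMPTION.

# Constructed sample of the attributes line printed by `fw tab -t connections`
SAMPLE_HEADER='localhost:
-------- connections --------
dynamic, id 8158, attributes: keep, sync, aggressive aging, expires 25, refresh, , hashsize 2097152, limit 25000'

# Constructed sample of `fw tab -t connections -s` (current and peak entry counts)
SAMPLE_STATS='HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158 24812 25000   74436'

# Constructed sample of `fw tab -t connections -u`: four DNS entries from
# 10.10.10.50, two HTTP from 10.10.10.20, one HTTP into 10.10.10.20
SAMPLE_DUMP='localhost:
-------- connections --------
<00000001, 0a0a0a32, 0000c350, 0a000035, 00000035, 00000011; 00010001, 00000000, 00000001; 24/40>
<00000001, 0a0a0a32, 0000c351, 0a000035, 00000035, 00000011; 00010001, 00000000, 00000001; 24/40>
<00000001, 0a0a0a32, 0000c352, 0a000035, 00000035, 00000011; 00010001, 00000000, 00000001; 24/40>
<00000001, 0a0a0a32, 0000c353, 0a000035, 00000035, 00000011; 00010001, 00000000, 00000001; 24/40>
<00000001, 0a0a0a14, 0000d05b, c0a80101, 00000050, 00000006; 00010001, 00000000, 00000001; 3580/3600>
<00000001, 0a0a0a14, 0000d05c, c0a80101, 00000050, 00000006; 00010001, 00000000, 00000001; 3580/3600>
<00000000, c0a80164, 00000bb8, 0a0a0a14, 00000050, 00000006; 00010001, 00000000, 00000001; 3580/3600>'

# Configured limit from the attributes line; prints 0 when the table is unlimited.
conn_limit() {
    lim=$(printf '%s\n' "$1" | sed -n 's/.*limit \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${lim:-0}"
}

# Current (#VALS) and peak (#PEAK) entry counts from the -s summary.
conn_vals() { printf '%s\n' "$1" | awk '$2 == "connections" { print $4 }'; }
conn_peak() { printf '%s\n' "$1" | awk '$2 == "connections" { print $5 }'; }

# Integer utilisation percentage (limit, current); 0 for an unlimited table.
conn_util_pct() {
    [ "$1" -gt 0 ] || { echo 0; return 0; }
    echo $(( $2 * 100 / $1 ))
}

# Returns 0 while utilisation is below the threshold percentage (default 80), 1 otherwise.
conn_check() {
    limit=$(conn_limit "$1"); vals=$(conn_vals "$2"); thr=${3:-80}
    if [ "$limit" -eq 0 ]; then
        echo "connections: $vals entries, table unlimited"
        return 0
    fi
    pct=$(conn_util_pct "$limit" "$vals")
    echo "connections: $vals / $limit ($pct%), peak $(conn_peak "$2")"
    [ "$pct" -lt "$thr" ]
}

# awk helpers shared by the two breakdowns: hex -> decimal and hex -> dotted quad
# (POSIX awk has no hex conversion of its own).
AWK_HEX='
function hex2dec(h,   i, v) {
    v = 0; h = tolower(h)
    for (i = 1; i <= length(h); i++) v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
    return v
}
function hex2ip(h,   v) {
    v = hex2dec(h)
    return int(v / 16777216) "." (int(v / 65536) % 256) "." (int(v / 256) % 256) "." (v % 256)
}'

# Entries per source IP, most first; the second argument limits the rows shown.
top_sources() {
    printf '%s\n' "$1" | awk -F', ' "$AWK_HEX"'
        /^</ { n[hex2ip($2)]++ }
        END { for (k in n) print n[k], k }' | sort -rn | head -n "${2:-5}"
}

# Entries per protocol/destination port (decimal), most first.
top_services() {
    printf '%s\n' "$1" | awk -F', ' "$AWK_HEX"'
        /^</ { sub(/;.*/, "", $6); n[hex2dec($6) "/" hex2dec($5)]++ }
        END { for (k in n) print n[k], k }' | sort -rn | head -n "${2:-5}"
}

# Stand-alone run on the constructed samples. On a real gateway feed the
# functions the live output of `fw tab -t connections | head -n 3`,
# `fw tab -t connections -s` and `fw tab -t connections -u` instead.
conn_check "$SAMPLE_HEADER" "$SAMPLE_STATS" 80 || echo "WARNING: table nearly full; see who is filling it before raising the limit"
echo "top sources:";  top_sources  "$SAMPLE_DUMP" 3
echo "top services:"; top_services "$SAMPLE_DUMP" 3
```

On the sample data the utilisation check reports 24812 of 25000 (99%) and fails the 80% threshold, and the breakdowns point at 10.10.10.50 and UDP/53 as the bulk of the table, which is the kind of evidence that tells you whether a higher limit or a conversation with the owner of that host is the right fix.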