
Reserved Connections

Normally, when the connection table limit is reached, no more connections are allowed, even ones critical for operating and managing the gateway. The reserved connections feature allows the gateway to process these critical connections, even after the connections table limit is reached. A user-defined amount of space is reserved in the connections table for these critical connections. If the Rule Base allows these connections, they are allowed even if no other connections can be accepted.

For example, when the connections table limit is reached, the administrator may not be able to install a new policy that increases the connections limit or open other necessary connections, such as SSH to the gateway.

Enforcing the reserved connections limit

By default, the number of reserved connections is limited to 2000. The actual limit of the connections table is increased by this amount.

Before a new connection is recorded, the system makes sure that there is sufficient space in the connections table. If the connections table limit is reached, the connection is recorded only if it satisfies both of these conditions:

  • The current number of connections is below the sum of the connections table limit and the reserved connections limit.
  • The connection matches one of the rules in the reserved connections table.

If not, the connection is not recorded.
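The admission check described above, modelled as an added example (not Check Point code): it parses rules in the layout printed by asg_reserved_conns option 1 and decides whether a new connection is recorded once the connections table is full. The sample rows are constructed, and treating DPort 0 as "any port" is an assumption taken from the [0] default in the add dialogue.

```python
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

# Constructed sample in the layout printed by "asg_reserved_conns" option 1.
SAMPLE_TABLE = """\
Idx  Source           Mask  Destination      Mask  DPort  Ipp    Interface
---  ---------------  ----  ---------------  ----  -----  -----  ------------
 1)          0.0.0.0     0          0.0.0.0     0     22      6         Sync
 2)     10.10.10.10    24       20.20.20.0    24      0      6          Any
 3)          0.0.0.0     0          0.0.0.0     0      0      1          Any
Press enter to continue
"""

Conn = namedtuple("Conn", "src dst dport ipp iface")      # a new connection
Rule = namedtuple("Rule", "src dst dport ipp iface")      # one table row

def parse_table(text):
    """Parse rows like ' 1) 0.0.0.0 0 0.0.0.0 0 22 6 Sync' into Rule objects."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0].endswith(")"):
            continue                      # header, separator or prompt line
        rules.append(Rule(IPv4Network(f"{f[1]}/{f[2]}", strict=False),
                          IPv4Network(f"{f[3]}/{f[4]}", strict=False),
                          int(f[5]), int(f[6]), f[7]))
    return rules

def matches(r, c):
    # Mask length 0 (0.0.0.0/0) covers every address; "Any" covers every interface.
    if r.ipp != c.ipp or IPv4Address(c.src) not in r.src or IPv4Address(c.dst) not in r.dst:
        return False
    if r.iface != "Any" and r.iface != c.iface:
        return False
    # DPort applies only to TCP (6) and UDP (17). Assumption: 0 means any port,
    # mirroring the [0] default offered by the add dialogue.
    if c.ipp in (6, 17) and r.dport not in (0, c.dport):
        return False
    return True

def admit(c, in_table, table_limit, reserved_limit, rules):
    """Decide whether a new connection is recorded, per the two conditions above."""
    if in_table < table_limit:
        return True                           # normal case: room left in the table
    if in_table >= table_limit + reserved_limit:
        return False                          # reserved space is exhausted as well
    return any(matches(r, c) for r in rules)  # only rule-matched connections pass

RULES = parse_table(SAMPLE_TABLE)
```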

In VSX, Reserved Connections are supported for VS0 only.

Syntax

# asg_reserved_conns
Please choose one of the following:
-----------------------------------
1) Print reserved connections table
2) Add new reserved connection rule
3) Delete reserved connection rule
4) Exit
>

To show the reserved connections table:

Enter: 1

Output

Idx  Source           Mask  Destination      Mask  DPort  Ipp    Interface
---  ---------------  ----  ---------------  ----  -----  -----  ------------
 1)          0.0.0.0     0          0.0.0.0     0   1129      6         Sync
 2)          0.0.0.0     0          0.0.0.0     0   1130      6         Sync
 3)          0.0.0.0     0          0.0.0.0     0   4444      6         Sync
 4)          0.0.0.0     0          0.0.0.0     0     22      6         Sync
 5)          0.0.0.0     0          0.0.0.0     0   8888      6         Sync
 6)          0.0.0.0     0          0.0.0.0     0   2010      6         Sync
 7)          0.0.0.0     0          0.0.0.0     0   1131      6         Sync
 8)          0.0.0.0     0          0.0.0.0     0   1132      6         Sync
 9)          0.0.0.0     0          0.0.0.0     0    256      6         Sync
10)          0.0.0.0     0          0.0.0.0     0      0      1         Sync
11)          0.0.0.0     0          0.0.0.0     0   8116     17         Sync
12)          0.0.0.0     0          0.0.0.0     0      0      1     eth1-CIN
13)          0.0.0.0     0          0.0.0.0     0     22      6     eth1-CIN
14)          0.0.0.0     0          0.0.0.0     0     23      6     eth1-CIN
15)          0.0.0.0     0          0.0.0.0     0    161     17     eth1-CIN
16)          0.0.0.0     0          0.0.0.0     0    623     17     eth1-CIN
17)          0.0.0.0     0          0.0.0.0     0      0      1     eth2-CIN
18)          0.0.0.0     0          0.0.0.0     0     22      6     eth2-CIN
19)          0.0.0.0     0          0.0.0.0     0     23      6     eth2-CIN
20)          0.0.0.0     0          0.0.0.0     0    161     17     eth2-CIN
21)          0.0.0.0     0          0.0.0.0     0    623     17     eth2-CIN
22)          0.0.0.0     0          0.0.0.0     0     22      6          Any
23)          0.0.0.0     0          0.0.0.0     0    256      6          Any
24)          0.0.0.0     0          0.0.0.0     0  18191      6          Any
25)          0.0.0.0     0          0.0.0.0     0  18192      6          Any
Press enter to continue

Field        Description
-----------  -----------------------------------------------------------
Idx          Rule number
Source       Source IP. If the IP is 0.0.0.0, all IPs are allowed.
Mask         Subnet mask for the Source
Destination  Destination IP. If the IP is 0.0.0.0, all IPs are allowed.
Mask         Subnet mask for the Destination
DPort        TCP/UDP Port. This is ignored with non-TCP/UDP traffic.
Ipp          IP protocol number
Interface    Interface for this rule

To add a reserved connection rule:

  1. Enter: 2
  2. Follow the directions on the screen.
Enter source IP [0.0.0.0]:
>10.10.10.10
Enter source IP mask length [0]:
>24
Enter destination IP [0.0.0.0]:
>20.20.20.0
Enter destination IP mask length [0]:
>24
Enter destination port [0]:
>0
Enter IP protocol number (for example: tcp = 6, udp = 17):
>6
Enter interface number [0 = Any]:
0: Any
1: eth1-Mgmt4
2: eth2-Mgmt4
3: BPEth0
4: BPEth1
5: eth1-Mgmt1
6: eth1-CIN
7: eth1-01
8: eth2-Mgmt1
9: eth2-CIN
10: eth2-01
11: Sync
>0
OK to insert new reserved conn rule: <10.10.10.10/24, 20.20.20.0/24, 0, 6, Any> ? (y/n)
>y
entry inserted, rule will apply when new connection will be opened
Press enter to continue

To make sure the feature is configured correctly:

  1. Make sure the value of the kernel global parameter fwconn_reserved_conn_active is set to: 1
  2. Run asg_reserved_conns and enter: 1
  3. Run fw tab -t reserved_conns_table and make sure that the table contains the entries for the rules above.
  4. Make sure the contents of $FWDIR/bin/reserved_conns_table has rules of this feature.

To debug the feature:

  1. Set the kernel global parameter fwreserved_conns_debug to: 1
  2. Use the CONN kernel debug flag to see reserved connections related debugs.

To troubleshoot the feature:

  1. Run:

    # fw tab -t reserved_conns_table

  2. Make sure that the table contains the entries for the rules in this feature.
  3. Make sure the contents of $FWDIR/bin/reserved_conns_table has rules of this feature.

    Important - Do not make changes to this file.

  4. Delete all current rules from the kernel and reload the rules from $FWDIR/bin/reserved_conns_table:

    # asg_reserved_conns -f

    This is useful when network interface names have changed or when $FWDIR/bin/reserved_conns_table was edited directly.

Configuration

The feature works after installation without additional configuration.

The rules are stored in:

$FWDIR/bin/reserved_conns_table

The feature uses these kernel global variables:

Variable                     Description
---------------------------  -------------------------------------------------------------------
fwconn_reserved_conn_active  Enables or disables the feature.
                             Valid values:
                               • 1 - Enabled
                               • Any other integer - Disabled
fwconn_reserved_limit        Maximum allowed number of entries in $FWDIR/bin/reserved_conns_table.
                             Default: 2000

©2014 Check Point Software Technologies Ltd. All rights reserved.