Configuring DNS Session Rate
The 61000/41000 Security System includes two enhancements that improve the DNS session rate, Delayed Connection and Delete on Response. The delay applied to DNS connections is controlled by the kernel parameter cphwd_udp_selective_delay_ha.
To improve the DNS session rate:
Run (fwaccel off followed by fwaccel on restarts SecureXL so that the new value is used for new templates):
> fw ctl set int cphwd_udp_selective_delay_ha <delay_secs>
> fwaccel off
> fwaccel on
To make sure that DNS connections are delayed by the set value:
- Open a number of DNS connections from the same client to the same server.
- Run:
> fwaccel templates
Source SPort Destination DPort PR Flags Conns Open LCT DLY
--------------- ----- --------------- ----- -- --------- ------ ------ ---- ---
10.33.87.12 * 192.168.15.31 53 17 ......... 25 0 2 30
The number under DLY should match <delay_secs>.
Note - The default value for this parameter is 30 seconds. The maximum value is 60.
To make the enhancements permanent:
Update fwkern.conf:
> update_conf_file fwkern.conf cphwd_udp_selective_delay_ha=<delay_secs>
To turn off the enhancements (Delayed Connection and Delete on Response):
Extending Session Rate Enhancements to other UDP Services
Change the value of cphwd_delayed_udp_ports in fwkern.conf to extend the benefits of these two DNS session rate enhancements to other services. For example, to add UDP service 100 to the list, run:
> update_conf_file fwkern.conf cphwd_delayed_udp_ports=53,100,0,0,0,0,0,0
Note
- The number of services is limited to 8.
- The value must contain 8 entries. If you configure fewer than 8 services, enter 0 for the remaining entries.
- This is the only way to extend the DNS session rate enhancements to other UDP services. The fw ctl set int command is not supported for cphwd_delayed_udp_ports.
- The configuration takes effect only after a reboot.
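The two procedures above (setting and verifying cphwd_udp_selective_delay_ha, and building the 8-entry cphwd_delayed_udp_ports list for fwkern.conf) as a set of shell helpers. This is an added example and not part of the Check Point documentation: the functions wrap the fw ctl, fwaccel and update_conf_file commands shown on this page, the function names and the sample fwaccel templates output are constructed for this example, and the 1 to 65535 port-range check is an assumption that the page does not state. The functions that touch the gateway need the expert shell on a 61000/41000 SGM; the parsing and validation helpers run anywhere.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation. Wraps the commands
# shown above in helpers that validate input before touching the gateway and
# that check the DLY column of 'fwaccel templates' afterwards.
# Function names, the sample output, and the 1-65535 port check are assumptions.

# The page states a maximum of 60 seconds for cphwd_udp_selective_delay_ha.
MAX_DELAY_SECS=60

# Return 0 if the delay is a non-negative integer no larger than the maximum.
validate_delay_secs() {
    case "$1" in
        ''|*[!0-9]*) echo "error: delay '$1' is not an integer" >&2; return 1 ;;
    esac
    if [ "$1" -gt "$MAX_DELAY_SECS" ]; then
        echo "error: delay $1 exceeds maximum of $MAX_DELAY_SECS seconds" >&2
        return 1
    fi
    return 0
}

# Set the delay at run time and restart SecureXL so new templates use it.
# Requires the expert shell on the gateway; not exercised offline.
apply_dns_delay() {
    validate_delay_secs "$1" || return 1
    fw ctl set int cphwd_udp_selective_delay_ha "$1" || return 1
    fwaccel off && fwaccel on
}

# Build the value for cphwd_delayed_udp_ports: exactly 8 comma-separated
# entries, unused slots filled with 0, at most 8 services.
build_delayed_udp_ports() {
    if [ "$#" -gt 8 ]; then
        echo "error: at most 8 UDP services can be delayed, got $#" >&2
        return 1
    fi
    out=""
    n=0
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "error: port '$p' is not an integer" >&2; return 1 ;;
        esac
        # Port range check is an assumption; the page does not state limits.
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "error: port $p out of range" >&2
            return 1
        fi
        out="${out}${out:+,}${p}"
        n=$((n + 1))
    done
    while [ "$n" -lt 8 ]; do
        out="${out}${out:+,}0"
        n=$((n + 1))
    done
    printf '%s\n' "$out"
}

# Persist both settings in fwkern.conf. The port list only takes effect after
# a reboot and fw ctl set int is not supported for it, so it is never applied
# live here. Not exercised offline.
persist_settings() {
    delay="$1"; shift
    validate_delay_secs "$delay" || return 1
    ports=$(build_delayed_udp_ports "$@") || return 1
    update_conf_file fwkern.conf "cphwd_udp_selective_delay_ha=$delay" || return 1
    update_conf_file fwkern.conf "cphwd_delayed_udp_ports=$ports" || return 1
    echo "reboot required for cphwd_delayed_udp_ports=$ports to take effect"
}

# Read 'fwaccel templates' output on stdin and verify every UDP (PR 17) port 53
# template carries the expected DLY value. Returns 1 on a mismatch, 2 if no
# DNS templates are present (for example, no DNS traffic has been sent yet).
check_dns_delay() {
    awk -v want="$1" '
        /^Source/ || /^-/ { next }          # header and separator lines
        NF >= 10 && $4 == 53 && $5 == 17 {  # DPort 53, protocol 17 (UDP)
            if ($NF != want) { print "mismatch: " $0; bad = 1 } else { seen = 1 }
        }
        END {
            if (bad) exit 1
            if (!seen) { print "no UDP/53 templates found" > "/dev/stderr"; exit 2 }
        }'
}

# Constructed sample of 'fwaccel templates' output, modelled on the page.
sample_templates() {
    cat <<'EOF'
Source SPort Destination DPort PR Flags Conns Open LCT DLY
--------------- ----- --------------- ----- -- --------- ------ ------ ---- ---
10.33.87.12 * 192.168.15.31 53 17 ......... 25 0 2 30
10.33.87.13 * 192.168.15.31 53 17 ......... 12 0 1 30
10.33.87.12 * 192.168.15.40 443 6 ......... 3 0 4 0
EOF
}

# Offline self-check against the constructed sample.
sample_templates | check_dns_delay 30 && echo "DLY matches 30 on all DNS templates"
```

On a live gateway, replace sample_templates with `fwaccel templates` (after opening several DNS connections from one client to one server, as the page describes) and pipe it into check_dns_delay with the value you set; a non-zero exit tells you either that a template still carries the old delay or that no DNS templates have been created yet.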