
Configuring DNS Session Rate

To improve the DNS session rate, the 61000/41000 Security System includes these enhancements:

  • Delayed Connection - When a DNS connection matches a SecureXL template, the 61000/41000 Security System firewall is not notified immediately. The notification is delayed by the number of seconds set in the global parameter cphwd_udp_selective_delay_ha. When a delay is set, the connection is handled fully by the acceleration device during that period.

    Note - If the connection is not fully handled (and closed) by the acceleration device during the set delay period, the firewall is notified in the usual manner.

  • Delete on Response - After the DNS response is received, the connection is immediately deleted from the gateway instead of being kept for an additional 60 seconds (the UDP connection default timeout).

To improve the DNS session rate:

Run:

> fw ctl set int cphwd_udp_selective_delay_ha <delay_secs>
> fwaccel off
> fwaccel on

To make sure that DNS connections are delayed by the set value:

  1. Open a number of DNS connections from the same client to the same server.
  2. Run:

    > fwaccel templates

Source          SPort Destination     DPort PR  Flags    Conns  Open   LCT  DLY
--------------- ----- --------------- ----- -- --------- ------ ------ ---- ---
    10.33.87.12     *   192.168.15.31    53 17 .........     25      0    2  30

The number under DLY should match <delay_secs>.

Note - The default value for this parameter is 30 seconds. The maximum value is 60.

To make the enhancements permanent:

Update fwkern.conf:

> update_conf_file fwkern.conf cphwd_udp_selective_delay_ha=<delay>

To turn off the enhancements (Delayed Connection and Delete on Response):

  • Run:

    > fw ctl set int cphwd_udp_selective_delay_ha 0

    or

  • Remove all services from: cphwd_delayed_udp_ports

    Note - This disables both enhancements.

Extending Session Rate Enhancements to other UDP Services

Change the value of cphwd_delayed_udp_ports in fwkern.conf to extend the benefits of these two DNS session rate enhancements to other services. For example, to add UDP service 100 to the list, run:

> update_conf_file fwkern.conf cphwd_delayed_udp_ports=53,100,0,0,0,0,0,0

Note

  • The number of services is limited to 8.
  • The command must contain 8 values. If you configure fewer than 8 services, enter 0 for the remaining positions.
  • This is the only way to extend DNS session rate enhancements to other UDP services. The fw ctl set int command is not supported.
  • The configuration takes effect only after reboot.
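The helpers below are an added example, not Check Point code or text from this page: they build a correctly padded cphwd_delayed_udp_ports line (exactly 8 values, zero-filled), validate a <delay_secs> value against the 0 to 60 range stated above, and check that every UDP/53 row in captured fwaccel templates output carries the expected DLY. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Constructed helpers for the DNS session-rate settings (not Check Point tooling).

# Validate <delay_secs>: a non-negative integer no larger than 60
# (0 turns both enhancements off, 60 is the documented maximum).
validate_delay_secs() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 60 ]
}

# Print the fwkern.conf value for cphwd_delayed_udp_ports. The file needs
# exactly 8 comma-separated values, so unused slots are padded with 0.
# Prints nothing and returns 1 on more than 8 ports or a non-port argument.
build_delayed_udp_ports() {
    [ "$#" -le 8 ] || return 1
    out=""
    for p in "$@"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        out="${out}${out:+,}$p"
    done
    n=$#
    while [ "$n" -lt 8 ]; do
        out="${out}${out:+,}0"
        n=$((n + 1))
    done
    printf 'cphwd_delayed_udp_ports=%s\n' "$out"
}

# Read 'fwaccel templates' output on stdin and succeed only if at least one
# UDP (PR 17) port-53 template row exists and every such row has DLY == $1.
# Column layout follows the page: DPort is field 4, PR field 5, DLY the last.
check_dns_delay() {
    awk -v want="$1" '
        $4 == 53 && $5 == 17 { rows++; if ($NF != want) bad++ }
        END { if (rows > 0 && bad == 0) exit 0; exit 1 }'
}

# Constructed sample of 'fwaccel templates' output, modelled on the page's row.
sample_templates() {
    cat <<'EOF'
Source          SPort Destination     DPort PR  Flags    Conns  Open   LCT  DLY
--------------- ----- --------------- ----- -- --------- ------ ------ ---- ---
    10.33.87.12     *   192.168.15.31    53 17 .........     25      0    2  30
    10.33.87.12     *   192.168.15.31    53 17 .........     12      0    1  30
EOF
}
```

Pipe the real output (fwaccel templates | check_dns_delay 30) on the gateway to confirm the configured delay took effect; the build function only prints the line to pass to update_conf_file.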
 
©2014 Check Point Software Technologies Ltd. All rights reserved.