
Reserved connections

Description

Normally, when the connections table limit is reached, no more connections are allowed, not even ones that are critical for operating and managing the gateway. The reserved connections feature lets the gateway process these critical connections even after the connections table limit is reached. A user-defined amount of space in the connections table is reserved for them. If the Rule Base allows such a connection, it is recorded even when no other connections can be accepted.

For example, without this feature, once the connections table limit is reached the administrator may be unable to install a new policy that raises the connections limit, or to open other essential connections such as SSH to the gateway.

Notes

Enforcing the reserved connections limit

The connections table limit is defined in the Capacity Optimization tab, but a certain amount of connections table space is always kept available for reserved traffic. By default, the number of reserved connections is limited to 2000, and the effective size of the connections table is increased by this amount.

Before a new connection is recorded, the system verifies that there is enough space in the connections table. If the connections table limit has been reached, the connection is still recorded only if both of these conditions hold:

  • The current number of connections is below the sum of the 'connections table limit' and the 'reserved connections limit'
  • The connection matches one of the rules in the reserved connections table

Otherwise the connection recording fails.

In VSX, Reserved Connections is supported for VS0 only.
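The admission logic above (normal space first, then reserved space only for connections that match a reserved rule, and only while the combined limit is not exceeded) is easy to get wrong when reasoning about capacity incidents. The following is an added example written for this page, not Check Point code: it models a connections table with the two kernel parameters named later on this page (fwconn_reserved_conn_active and fwconn_reserved_limit) and rules with the fields the asg_reserved_conns output lists (Source/Mask, Destination/Mask, Dport, Ipp, Interface). The interface wildcard spelling, the sample addresses and the interface names are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1          # Ipp values as listed in the rule table output
ANY_IFACE = "any"                  # assumed spelling of an interface wildcard (not from the page)


@dataclass(frozen=True)
class Connection:
    """A new connection the gateway is about to record (constructed input)."""
    src: str
    dst: str
    dport: int
    ipp: int
    iface: str


@dataclass(frozen=True)
class ReservedRule:
    """One row of the reserved connections table: Source/Mask, Destination/Mask, Dport, Ipp, Interface."""
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    dport: int
    ipp: int
    iface: str = ANY_IFACE

    def matches(self, conn: Connection) -> bool:
        # 0.0.0.0 with mask 0.0.0.0 is the 0.0.0.0/0 network, i.e. Any
        if not _in_net(conn.src, self.src, self.src_mask):
            return False
        if not _in_net(conn.dst, self.dst, self.dst_mask):
            return False
        if conn.ipp != self.ipp:
            return False
        # Dport is only meaningful for TCP (6) and UDP (17); it is ignored otherwise
        if self.ipp in (TCP, UDP) and conn.dport != self.dport:
            return False
        return self.iface == ANY_IFACE or self.iface == conn.iface


def _in_net(addr: str, net: str, mask: str) -> bool:
    network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return ipaddress.IPv4Address(addr) in network


class ConnectionsTable:
    """Connections table with the reserved-connections admission check."""

    def __init__(self, limit: int, reserved_limit: int = 2000,
                 rules=(), active: bool = True):
        self.limit = limit                    # Capacity Optimization limit
        self.reserved_limit = reserved_limit  # fwconn_reserved_limit (default 2000)
        self.active = active                  # fwconn_reserved_conn_active (default 1)
        self.rules = list(rules)              # contents of reserved_conns_table
        self.entries: list = []

    def record(self, conn: Connection, rulebase_allows: bool = True) -> bool:
        """Return True if the connection is recorded, False if recording fails."""
        if not rulebase_allows:               # the Rule Base is still consulted first
            return False
        used = len(self.entries)
        if used < self.limit:                 # normal space is available
            self.entries.append(conn)
            return True
        # Limit reached: only reserved space remains, and only for matching rules
        if (self.active
                and used < self.limit + self.reserved_limit
                and any(r.matches(conn) for r in self.rules)):
            self.entries.append(conn)
            return True
        return False


def demo() -> dict:
    """Walk a small table past its limit; all addresses and interfaces are constructed."""
    rules = [
        # SSH from anywhere to the gateway's management address, management interface only
        ReservedRule("0.0.0.0", "0.0.0.0", "10.0.0.1", "255.255.255.255", 22, TCP, "Mgmt"),
        # ICMP from one monitoring host; Dport is irrelevant for protocol 1
        ReservedRule("10.0.0.2", "255.255.255.255", "10.0.0.1", "255.255.255.255", 0, ICMP),
    ]
    table = ConnectionsTable(limit=3, reserved_limit=2, rules=rules)
    for i in range(1, 4):                     # fill the table up to its limit
        table.record(Connection(f"192.0.2.{i}", "198.51.100.1", 443, TCP, "eth1"))
    out = {"filled": len(table.entries)}
    out["web_after_full"] = table.record(Connection("192.0.2.9", "198.51.100.1", 443, TCP, "eth1"))
    out["ssh_after_full"] = table.record(Connection("192.0.2.9", "10.0.0.1", 22, TCP, "Mgmt"))
    out["ssh_wrong_iface"] = table.record(Connection("192.0.2.9", "10.0.0.1", 22, TCP, "eth1"))
    out["icmp_any_dport"] = table.record(Connection("10.0.0.2", "10.0.0.1", 12345, ICMP, "eth2"))
    out["ssh_reserved_exhausted"] = table.record(Connection("192.0.2.10", "10.0.0.1", 22, TCP, "Mgmt"))
    out["total"] = len(table.entries)
    disabled = ConnectionsTable(limit=0, reserved_limit=2, rules=rules, active=False)
    out["ssh_feature_disabled"] = disabled.record(Connection("192.0.2.9", "10.0.0.1", 22, TCP, "Mgmt"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The walk-through shows the two failure modes a practitioner should keep in mind: a matching rule does not help once the reserved space itself is used up (the total can never exceed limit plus reserved limit), and a rule that is pinned to one interface will not admit the same traffic arriving on another interface, which is the case the -f reload option in the Troubleshooting section exists for.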

Syntax

asg_reserved_conns


Example 1

To display the current list of rules for connections that may be recorded in the connections table even after it has reached its defined capacity, run the asg_reserved_conns command and choose 1) Print reserved connections table.

Output


Idx - The rule number.

Source and Mask - The source IP address and mask. The IP address 0.0.0.0 stands for Any.

Destination and Mask - The destination IP address and mask.

Dport - The destination port (service) number. For protocols other than TCP (6) and UDP (17) this field is ignored.

Ipp - The IP protocol number: 6 for TCP, 17 for UDP, 1 for ICMP, and so on.

Interface - The interface to which the rule applies.

Example 2

Adding a new reserved connection rule:

Run the asg_reserved_conns command and choose 2) Add new reserved connection rule.

Output

Configuration

The feature works after installation without additional configuration. Use the asg_reserved_conns CLI to manage the reserved connection rules.

The rules are recorded in the reserved_conns_table kernel table.

Kernel global variables:

fwconn_reserved_conn_active: (type int) enables or disables the feature. Default is 1 (enabled).

fwconn_reserved_limit: (type int) the number of connections table entries reserved for connections that match the rules in the reserved_conns_table kernel table (the 'reserved connections limit' described above). Default is 2000.

Verification

To make sure the feature is configured properly, do the following:

  1. Check that the value of the kernel global parameter fwconn_reserved_conn_active is 1 (for example, with fw ctl get int fwconn_reserved_conn_active).
  2. Run the asg_reserved_conns command and choose 1) Print reserved connections table.
  3. Run fw tab -t reserved_conns_table and make sure that the table contains an entry for each rule printed in step 2.
  4. Check the contents of the file $FWDIR/bin/reserved_conns_tab and make sure it contains the same rules.

Debugging

To enable reserved connections debugging, set the following kernel global parameter to 1 and enable the CONN kernel debug flag; the reserved connections debug prints then appear in the kernel debug output.

fwreserved_conns_debug: (type int) enables reserved connections debug prints. Default is 0 (disabled).

Troubleshooting

  1. Run fw tab -t reserved_conns_table and make sure that the table contains an entry for each rule shown by asg_reserved_conns.
  2. Check the contents of the file $FWDIR/bin/reserved_conns_tab and make sure it contains the same rules. This file is not intended to be edited directly.
  3. Run asg_reserved_conns -f to delete all current rules from the kernel and reload the reserved rules table from the file $FWDIR/bin/reserved_conns_tab into the kernel. This is useful after network interface names have changed, or if the $FWDIR/bin/reserved_conns_tab file was edited directly.

©2014 Check Point Software Technologies Ltd. All rights reserved.