Configuring DNS Session Rate

Description

To improve the DNS session rate, the 61000/41000 Security System includes these enhancements:

  • Delayed Connection - When a DNS connection matches a SecureXL template, the 61000/41000 Security System firewall is not immediately notified. The notification is delayed by the number of seconds set in the global parameter cphwd_udp_selective_delay_ha. During that delay, the connection is handled completely by the acceleration device.

    Note - If the connection is not completely handled (and closed) by the acceleration device during the set delay period, then the firewall is notified in the usual manner.

  • Delete on Response - After the DNS response is received, the connection is immediately deleted from the gateway instead of being kept for an additional 60 seconds (the UDP connection default timeout).

Syntax

From gclish, run these commands, in this order:

>fw ctl set int cphwd_udp_selective_delay_ha <delay in seconds>
>fwaccel off
>fwaccel on

Verification

To make sure that DNS connections are delayed by the set value:

  1. Open several DNS connections from the same client to the same server.
  2. Run: fwaccel templates

    The delay shown for the DNS template (in the DLY field) should match the value set for cphwd_udp_selective_delay_ha.

    Note - The default value for this parameter is 30 seconds. The maximum value is 60.

To make the enhancements permanent:

Update fwkern.conf by running:

> update_conf_file fwkern.conf cphwd_udp_selective_delay_ha=<delay>

To turn off the enhancements:

To turn off Delayed Connection and Delete on Response:

  • Set cphwd_udp_selective_delay_ha to zero,

    or

  • Remove all services from cphwd_delayed_udp_ports.

    Note - This disables both enhancements.

Extending Session Rate Enhancements to other UDP Services

By modifying the value of cphwd_delayed_udp_ports in fwkern.conf, you can extend the benefits of these two DNS session rate enhancements to other UDP services. For example, to add UDP service 100 to the list, from gclish run:

> update_conf_file fwkern.conf cphwd_delayed_udp_ports=53,100,0,0,0,0,0,0

Note -

  • The number of services is limited to 8.
  • The command must contain 8 values. If you configure fewer than 8 services, enter 0 for the remaining positions.
  • Directly updating fwkern.conf is the only way to extend DNS session rate enhancements to other UDP services (fw ctl set int is not supported).
  • The configuration takes effect only after reboot.
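The following POSIX shell helper is an added example and is not part of this Check Point page. It checks the two values before they are written with update_conf_file: the delay must be a whole number no greater than 60 (the maximum noted in the Verification section, with 0 meaning disabled), and the cphwd_delayed_udp_ports value must contain exactly 8 comma-separated entries, so the helper pads 1 to 8 ports with 0 and rejects a ninth. The function names and the 1..65535 port range check are assumptions of this example; the commands it prints are the ones given on this page, in the order the page gives them.

```shell
#!/bin/sh
# Added example, not from the Check Point page. Validates and renders the
# gclish commands for the DNS session rate parameters.
# Limits taken from the page: delay 0..60 seconds, port list of exactly 8 fields.
# Assumed by this example: helper names, and port numbers restricted to 1..65535.

# check_delay SECONDS -> returns 0 if SECONDS is an integer in 0..60
check_delay() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a plain unsigned integer
    esac
    [ "$1" -le 60 ]
}

# build_port_list PORT... -> prints the 8-field cphwd_delayed_udp_ports value
# (ports in the order given, unused fields padded with 0); fails on 0 or >8 ports
# or on any entry that is not a port number in 1..65535.
build_port_list() {
    count=0
    out=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        count=$((count + 1))
        [ "$count" -le 8 ] || return 1      # the page limits the list to 8 services
        out="${out}${out:+,}$p"
    done
    [ "$count" -gt 0 ] || return 1
    while [ "$count" -lt 8 ]; do             # page: enter 0 for unused positions
        out="$out,0"
        count=$((count + 1))
    done
    printf '%s\n' "$out"
}

# render_commands DELAY PORT... -> prints the runtime commands, then the
# fwkern.conf updates, exactly as the page lists them; fails on invalid input.
render_commands() {
    delay="$1"
    shift
    check_delay "$delay" || { echo "delay must be an integer 0..60" >&2; return 1; }
    ports=$(build_port_list "$@") || { echo "need 1..8 UDP ports in 1..65535" >&2; return 1; }
    printf 'fw ctl set int cphwd_udp_selective_delay_ha %s\n' "$delay"
    printf 'fwaccel off\n'
    printf 'fwaccel on\n'
    printf 'update_conf_file fwkern.conf cphwd_udp_selective_delay_ha=%s\n' "$delay"
    printf 'update_conf_file fwkern.conf cphwd_delayed_udp_ports=%s\n' "$ports"
}

# Example: delay of 30 seconds, DNS plus the page's UDP service 100.
# render_commands 30 53 100
```

The port list change still takes effect only after a reboot, as the page notes; the helper only keeps a malformed value (a missing field, a ninth port, an out-of-range delay) from reaching fwkern.conf in the first place.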
©2014 Check Point Software Technologies Ltd. All rights reserved.