Aggressive Aging - Advanced

What can I do here?

Use this window to configure aggressive aging timeouts and enforcements.

Getting Here

Manage & Settings > Blades > General > Inspection Settings > General > Protections table > Aggressive Aging > Profile > Advanced

Understanding Aggressive Aging

Aggressive Aging increases gateway stability by helping to manage the capacity of the connections table and the memory consumption of the gateway.

Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout, it is marked as "eligible for deletion". When the connections table or memory consumption reaches a user-defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections until memory consumption or connection capacity falls to the desired level.

Aggressive Aging lets the Security Gateway handle large amounts of unexpected traffic, for example during a Denial of Service attack.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the "Eligible for Deletion" list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no "Eligible for Deletion" connections, no connections are deleted but the list is checked for each subsequent connection that exceeds the threshold.

Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently.

Best Practice: When memory consumption exceeds its threshold, work with shorter timeouts that can maintain the connectivity for the majority of the traffic.

In the "Aggressive Aging Timeouts are enforced when" section, select whether they will be enforced if the Connections table exceeds a limit, if Memory exceeds a limit, or if both exceed their limits.

If you select both, the values in the percentage fields of the other options are applied. The default is 80%, with connections from the "Eligible for Deletion" list being deleted if either the Connections table or Memory consumption passes this limit.

Note - The limits for the Connections table and Memory consumption are set for each profile. The Aggressive Aging timeouts are global. Therefore, different gateways may enforce the same timeouts at different thresholds.

Activate this protection in either Prevent or Detect mode.