Configuring Services to Synchronize After a Delay
Some TCP services (for example, HTTP) are characterized by connections with a very short duration. There is no point in synchronizing these connections: every synchronized connection consumes resources on the Security Group, and the connection is likely to have finished by the time an internal failover occurs.
For short-lived services, you can use the Delayed Notifications feature to delay telling the Security Group about a connection, so that the connection is only synchronized if it still exists X seconds (by default, 3 seconds) after the connection was initiated. The Delayed Notifications feature requires SecureXL to be enabled on the Security Group (this is the default).
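To make the trade-off behind this setting concrete, the following simulation is an added example (my own code, not Check Point's; the connection trace, the 6-second failover time and the per-service delay table are constructed for illustration). It models the rule described above: a connection is synchronized only if it is still open when its delay expires, and a connection that is open at failover survives only if it was already synchronized. The default delay is the documented 3 seconds; the `delays` dictionary stands in for the per-service "Start synchronizing" override that is configured on the service object, and a synchronization that completes exactly at the failover instant is counted as done (a modelling assumption).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_DELAY = 3.0  # Check Point's documented default: 3 seconds


@dataclass(frozen=True)
class Conn:
    cid: str
    service: str
    start: float  # seconds since the start of the (constructed) trace
    end: float    # close time; use float("inf") for a connection that never closes


def sync_time(conn: Conn, delays: Dict[str, float], default_delay: float) -> Optional[float]:
    """Time at which the connection would be synchronized to the other Security Group
    members, or None if it closed before its delay elapsed (never synchronized)."""
    delay = delays.get(conn.service, default_delay)
    t = conn.start + delay
    return t if t <= conn.end else None


def simulate(conns: List[Conn], failover_at: float,
             delays: Optional[Dict[str, float]] = None,
             default_delay: float = DEFAULT_DELAY) -> dict:
    """Count sync operations performed before the failover and classify the
    connections that are open at the failover instant as preserved or lost."""
    delays = delays if delays is not None else {}
    synced = {
        c.cid for c in conns
        if (t := sync_time(c, delays, default_delay)) is not None and t <= failover_at
    }
    open_at_failover = [c for c in conns if c.start <= failover_at < c.end]
    return {
        "sync_ops": len(synced),
        "preserved": sorted(c.cid for c in open_at_failover if c.cid in synced),
        "lost": sorted(c.cid for c in open_at_failover if c.cid not in synced),
    }


# Constructed trace: three short HTTP requests and three long-lived sessions.
TRACE = [
    Conn("c1", "http",  0.0,   0.4),
    Conn("c2", "ssh",   0.5,  60.0),
    Conn("c3", "http",  1.0,   1.9),
    Conn("c4", "https", 2.0,  30.0),
    Conn("c5", "http",  4.0,   4.2),
    Conn("c6", "db",    4.5, 120.0),
]
FAILOVER_AT = 6.0  # constructed: an internal failover six seconds into the trace


if __name__ == "__main__":
    # Immediate sync of everything: maximum sync load, nothing lost.
    print("no delay     ", simulate(TRACE, FAILOVER_AT, default_delay=0.0))
    # Default 3 s delay: short HTTP connections are never synced; the DB
    # session, only 1.5 s old at failover, has not been synced yet and is lost.
    print("3 s delay    ", simulate(TRACE, FAILOVER_AT))
    # Per-service override: sync the DB service immediately, keep the delay elsewhere.
    print("db override  ", simulate(TRACE, FAILOVER_AT, delays={"db": 0.0}))
```

The three runs show why the setting is per service rather than global: the 3-second delay removes every short-lived HTTP connection from the synchronization load, but a connection of a service that must survive failover and is younger than the delay at the moment of failover is dropped, which is what the "Start synchronizing" override on the service object addresses.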
Notes:
To control the "Delayed Notifications" feature:

- To enable this feature (this is the default):
  - Connect to the command line on the Security Group.
  - Log in to the Expert mode.
  - Run:
    - To enable temporarily in the current session, if you disabled it earlier (does not survive reboot):
      g_fw ctl set int fw_cluster_use_delay_sync 1
    - To enable permanently, if you disabled it earlier (survives reboot):
      g_update_conf_file fwkern.conf fw_cluster_use_delay_sync=1

- To disable this feature (this increases the CPU load):
  - Connect to the command line on the Security Group.
  - Log in to the Expert mode.
  - Run:
    - To disable temporarily in the current session (does not survive reboot):
      g_fw ctl set int fw_cluster_use_delay_sync 0
    - To disable permanently (survives reboot):
      g_update_conf_file fwkern.conf fw_cluster_use_delay_sync=0
To configure an applicable delay:

- In SmartConsole, click Objects > Object Explorer.
- In the left tree, click the small arrow on the left of the Services category to expand it.
- In the left tree, select TCP.
- Search for the applicable TCP service.
- Double-click the applicable TCP service.
- In the TCP service properties window, click the Advanced page.
- At the top, select Override default settings.
  On a Domain Management Server, select Override global domain settings.
- At the bottom, in the Cluster and synchronization section:
  - Select Synchronize connections on cluster if State Synchronization is enabled on the cluster.
  - Select Start synchronizing.
  - Enter the applicable value (in seconds).
    Important - This change applies to all policies that use this service.
- Click OK.
- Close the Object Explorer.
- Publish the SmartConsole session.
- Install the Access Control Policy on the Scalable Platform Security Gateway object.
Note - The Delayed Notifications setting in the service object is ignored if Connection Templates are not offloaded by the Firewall to SecureXL. For additional information about Connection Templates, see the R80.30SP Quantum Maestro Performance Tuning Administration Guide.