Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] FW-1 connection table size vs. RAM == No answer previously ==

To: Olof Olsson <[email protected]>
Subject: Re: [FW1] FW-1 connection table size vs. RAM == No answer previously ==
From: Carric Dooley <[email protected]>
Date: Mon, 29 Jan 2001 06:49:35 -0500 (EST)
Cc: [email protected]
In-reply-to: <001601c0898e$1b632e60$0101a8c0@globalbr3urasp>
Sender: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I guess my first question would have to be: if you are peakinga t 50K
conns, why do you think  you need 200K or 500K?

I am working on a site currently with roughly 115K users.  I am managing 6
pairs of firewalls (just got the new pair on-line).

Our connection tables on the internet firewalls run around 35-40K.  I
haven't really watched the other units that closely.

I am curious; when you do the fw tab -t connections, does it tell you have
have a limit of 100K connections?

You are really only limited on connections by RAM and CPU. It depends on
teh hardware, software, FW version, platform, policy, NAT's, VPN, etc. so
number of connections a FW will handle will vary from unit to unit.  The
pair we just brought online was to supplement the ailing pair of E3500's
because at 40K conns CPU0 was pegged. Stonebeat was starting to fail over
because I guess because there weren't enough cycles left for the
heartbeat.

I'm looking at the new FWs, and at 2K conns (it's 06:47 on Monday) CPU is
b/t 0% and 2%, and I never see more than about 260MB RAM used no matter
how many connections.

Carric Dooley
Senior Consultant
COM2:Interactive Media

"But this one goes to eleven."
- -- Nigel Tufnel

On Mon, 29 Jan 2001, Olof Olsson wrote:

> Folks
> 
> I asked this question about a week ago, but never received a response. I am therefore reposting and hoping for better luck this time! I am also adding some more information/questions relating to DNS.
> 
> Here goes:
> 
> We are running a redundant pair of IP650 firewalls with the following configurations:
> 
> *** 256M RAM
> *** Connection table size set to 100K
> *** Connection table typically contains ~20K entries, peaking up to ~40-50K.
> 
> Questions:
> 
> Q1: What is the (practical) maximum connection table size? 
> Q2: What connection table sizes are high-volume sites typically running with?
> Q3: Can we set the connection table size to 200K, 500K?
> 
> Basically, I would really like to get feel for how other high volume sites out there configure their IP650s/FW1 boxes in relation to the connection table limits.
> 
> Thanks in advance,
> 
>     --oo
> 
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Made with pgp4pine 1.75-6

iQA/AwUBOnVY6VUqWOkDpMZ2EQLuJACg+LihO1SoVZ8bxdwOEDEjYAP27NsAniIi
On180UzcrF25dATu0XWBD+tD
=pNCF
-----END PGP SIGNATURE-----

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- [FW1] FW-1 connection table size vs. RAM == No answer previously ==
  - From: "Olof Olsson" <[email protected]>

Prev by Date: Re: [FW1] Memory Leak
Next by Date: [FW1] ftp connect thru fw1 takes alot of time
Previous by thread: [FW1] FW-1 connection table size vs. RAM == No answer previously ==
Next by thread: [FW1] FW1 vs. high-volume DNS traffic (or any UDP traffic for that matter)
Index(es):
- Date
- Thread