Number of Entries Permitted in Tables

FireWall-1 keeps track of all connections in state tables that are maintained in the kernel. By default, most of the tables are limited to 25,000 entries. The connections table often needs to be increased.

In NG FP2 and beyond, memory management for state tables and the number of connections are controlled in the GUI in the gateway or gateway cluster object, Advanced frame. The memory management can be automatic (the default) or manual. In either case, you must still specify the number of connections permitted.

In FireWall-1 NG FP3 and above, perform the following steps in SmartDashboard.

1. Edit the Check Point object for the Firewall module.

2. Select the Capacity Optimization frame.

3. Modify the maximum number of concurrent connections (the default is 25,000).

4. Install the security policy.

In FireWall-1 NG FP2, perform the following steps in the Policy Editor.

1. Edit the Check Point object for the Firewall module.

2. Select the Advanced frame, then Capacity Planning.

3. Modify the maximum number of concurrent connections (the default is 25,000).

4. Install the security policy.

In FireWall-1 NG FP1 and prior NG releases, use the dbedit utility to make the change. Issue the following commands in dbedit . (Note that you can specify any value; 50,000 is an example.)

 dbedit>  modify properties firewall_properties connections_limit 50000  dbedit>  update properties firewall_properties  

If you decide to manually tweak the parameters, you should know how the hashsize parameter works. The hashsize parameter must be a power of 2 and should be the next highest power of 2 based on the number of connections you want to support. The hashsize is therefore 2 ⁿ where:

2 ⁿ¹ < connections_limit < 2 ⁿ

So for 50,000 connections, the hashsize should be 65,536:

2 ¹⁵ = 32,768 < 50,000 < 2 ¹⁶ = 65,536

Reinstall the security policy after making these changes.