{"id":1136,"date":"2019-03-19T16:32:35","date_gmt":"2019-03-19T16:32:35","guid":{"rendered":"http:\/\/www.ankenbrand24.de\/?page_id=1136"},"modified":"2019-03-19T16:33:07","modified_gmt":"2019-03-19T16:33:07","slug":"connection-table","status":"publish","type":"page","link":"https:\/\/www.ankenbrand24.de\/index.php\/articles\/check-point-articel\/performance-tuning\/connection-table\/","title":{"rendered":"Connection Table"},"content":{"rendered":"\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"message-subject\" style=\"text-align: center;\"><span class=\"lia-message-read\">R80.x Performance Tuning &#8211; Connection Table<\/span><\/h2>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<table style=\"border: 1px solid #c6c6c6; border-collapse: separate; border-radius: 5px; background-color: #e15180; padding: 6px; text-indent: 10px;\" width=\"100%\">\n<thead>\n<tr>\n<th align=\"left\"><span style=\"color: #ffffff; font-size: large;\">What is a connection kernel table<\/span><\/th>\n<\/tr>\n<\/thead>\n<\/table>\n<p><img loading=\"lazy\" class=\"alignnone  wp-image-1137\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_1.png\" alt=\"\" width=\"302\" height=\"170\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_1.png 307w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_1-150x85.png 150w\" sizes=\"(max-width: 302px) 100vw, 302px\" \/><\/p>\n<p>One of the most important tables in the Check Point firewall is the &#8220;connection kernel table&#8221;. The connections kernel table contains the specific information about each current connection (source, destination, protocol, timeout, and so on). 
The direction of the connection is set by the first packet of the connection even though the connection may be bi-directional in reality.<\/p>\n<p>In principle, the following keys are used:<\/p>\n<ul>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Direction of the connection (0 = inbound, 1 = outbound)<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Connection key<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Connection type<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Connection flags<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Rule number in SmartDashboard, to which the connection was matched<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 An index of an INSPECT handler function that is executed on every packet that belongs to the connection<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Unique 128-bit connection identifier<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Anti-Spoofing cache<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Set of per-connection bits<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Connection modules&#8217; kernel buffers<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Time to Live \/ Timeout<\/li>\n<\/ul>\n<p>The information in the connections table is stored in the following form:<\/p>\n<p>&lt;direction,5-tuple-key;r_ctype,r_cflags,rule,service_id,handler,uuid1,uuid2,uuid3,uuid4,ifncin,ifncout,ifnsin,ifnsout,bits1,bits2,connection_module_kbufs@ttl\/timeout&gt;<\/p>\n<p><span style=\"font-size: 11.0pt;\">You can find a detailed explanation of each parameter in the following SK <a class=\"link-titled\" 
title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk65133&amp;partition=Advanced&amp;product=Security\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk65133&amp;partition=Advanced&amp;product=Security\" target=\"_blank\" rel=\"noopener noreferrer\">Connections Table Format<\/a>.<\/span><\/p>\n<p><strong># fw tab -t connections -f -u<\/strong><\/p>\n<p>It is possible to manually delete an entry from the connection table with the command shown below.<\/p>\n<p>You can find more about the topic in the following SK &#8220;<a class=\"link-titled\" title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103876\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103876\" target=\"_blank\" rel=\"noopener noreferrer\">How to manually delete an entry from the Connections Table&#8221;.<\/a> \u00a0Delete the desired connection entry:<\/p>\n<p><strong># fw tab -t connections -x -e DIRECTION,SOURCE_IP,SOURCE_PORT,DEST_IP,DEST_PORT,PROTOCOL<\/strong><\/p>\n<p><span style=\"color: red;\">Attention!<\/span><\/p>\n<ul>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 All subsequent packets of the deleted connection will be dropped as Out-of-State. The connection should be re-established.<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 This procedure will not remove entries from NAT translation tables.<\/li>\n<\/ul>\n<p>The installed connection modules are also interesting. Attention: these are often confused with the &#8220;fw monitor chain modules&#8221;. 
The modules have nothing to do with each other.\u00a0 These connection modules can be displayed with the following command:<\/p>\n<p><span style=\"font-size: 11.0pt;\"><strong># fw ctl conn -a<\/strong><\/span><\/p>\n<table style=\"border: 1px solid #c6c6c6; border-collapse: separate; border-radius: 5px; background-color: #e15180; padding: 6px; text-indent: 10px;\" width=\"100%\">\n<thead>\n<tr>\n<th align=\"left\"><span style=\"color: #ffffff; font-size: large;\">Tuning connection table<\/span><\/th>\n<\/tr>\n<\/thead>\n<\/table>\n<p>The goal is always to reduce the number of connections in the connection table. The following tips will give you some examples. First of all you have to see what your connection table currently looks like. How to do that is covered in tip one.<\/p>\n<p>What I <span style=\"text-decoration: underline;\"><strong>don&#8217;t<\/strong><\/span> <span style=\"text-decoration: underline;\"><strong>want<\/strong><\/span> to go into here are the different paths through the firewall in conjunction with SecureXL. 
For more information see here &#8220;<a href=\"https:\/\/community.checkpoint.com\/docs\/DOC-3041-r80x-security-gateway-architecture-logical-packet-flow\" target=\"_blank\" rel=\"noopener noreferrer\" data-objecttype=\"102\">R80.x Security Gateway Architecture (Logical Packet Flow)<\/a>&#8221;<\/p>\n<ul>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 Fast path (Accelerated Path)<\/li>\n<li style=\"text-indent: -18.0pt;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0 Medium path<\/em> (PXL)<\/li>\n<li style=\"text-indent: -18.0pt;\"><em>\u00a0\u00a0\u00a0\u00a0\u00a0 Slow path<\/em> (F2F)<\/li>\n<\/ul>\n<p><span style=\"font-size: 22px; color: #33cccc;\">Tip 1<\/span><\/p>\n<p>From my point of view, the maximum concurrent connections setting on all systems should be set to &#8220;<strong>automatically<\/strong>&#8221; (see picture).<\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-1138\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_2.png\" alt=\"\" width=\"605\" height=\"125\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_2.png 605w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_2-150x31.png 150w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/p>\n<p>Alternatively, you can switch it to manual here.\u00a0I wouldn&#8217;t advise it, though. In older versions this was in most cases also the default setting. 
If you use the manual setting anyway, then please proceed as described below.<\/p>\n<p>This command shows the current and maximum number of connections.<\/p>\n<p># <strong>fw tab -t connections -s<\/strong><\/p>\n<p><strong><img loading=\"lazy\" class=\"alignnone size-full wp-image-1139\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_3.png\" alt=\"\" width=\"605\" height=\"48\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_3.png 605w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_3-150x12.png 150w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/strong><\/p>\n<p>This command shows the maximum number of possible connections:<\/p>\n<p># <strong>fw tab -t connections | grep limit | grep -v Kernel | grep -v connections | grep -oP '(?&lt;=limit ).*'<\/strong><\/p>\n<p><strong><img loading=\"lazy\" class=\"alignnone size-full wp-image-1140\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_4.png\" alt=\"\" width=\"434\" height=\"33\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_4.png 434w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_4-150x11.png 150w\" sizes=\"(max-width: 434px) 100vw, 434px\" \/><\/strong><\/p>\n<p>In this example there are <span style=\"color: red;\">23876<\/span> peak concurrent connections and 14056 current concurrent connections, while the default limit is 25000. The connection table limit should be increased to ensure uninterrupted operation. However, it should be noted here that the increase also uses resources (RAM). I would carefully double the connection limit in this case to 50000. Locate the maximum concurrent connections setting for the firewall (normally found in the object\u2019s properties) and increase the value. 
The increase should be done gradually and with care as it will also increase the memory usage of the firewall.<\/p>\n<p><strong><img loading=\"lazy\" class=\"alignnone size-full wp-image-1141\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_5.png\" alt=\"\" width=\"605\" height=\"129\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_5.png 605w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_5-150x32.png 150w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/strong><\/p>\n<p><strong><span style=\"color: red;\">Attention!<\/span> This changes the behavior of the firewall. Therefore please handle with caution.<\/strong><\/p>\n<p><span style=\"font-size: 22px; color: #33cccc;\">TIP 2<\/span><\/p>\n<p><span style=\"font-size: 11.0pt;\">Packets are dropped on the security gateway because the maximum number of symbolic links for connections was reached in the connections table. What is the consequence? Very low traffic throughput on the security gateway. How do I analyze the problem? The output of the &#8216;fw tab -t connections -s&#8217; command shows that the ratio of #SLINKS \/ #VALS is greater than or equal to 5. What can I do? 
Follow<\/span> <a class=\"link-titled\" title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk65463&amp;partition=Advanced&amp;product=CoreXL%22\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk65463&amp;partition=Advanced&amp;product=CoreXL%22\" target=\"_blank\" rel=\"noopener noreferrer\">sk65463<\/a>\u00a0<\/p>\n<p><span style=\"font-size: 22px; color: #33cccc;\">TIP 3<br \/><\/span><\/p>\n<p>Turn on Aggressive Aging to have connections removed as quickly as possible.<\/p>\n<p>Aggressive Aging is activated in the IPS profile. Otherwise, new connections may be dropped because the connections table is full, even when a given CoreXL firewall instance has far fewer connection entries than the connections table limit or the 80% threshold that activates aggressive aging, as seen in the output of the &#8216;fw ctl multik stat&#8217; command.<\/p>\n<p><span style=\"font-size: 11.0pt;\">The aggressive aging timeout values must be lower than the stateful inspection default for\u00a0 TCP session timeout (3600).<\/span> <span style=\"font-size: 11.0pt;\">The stateful inspection default session timeout values can be <\/span><span style=\"font-size: 11.0pt;\">found in: Global Properties &gt; Stateful Inspection &gt; TCP session timeout<\/span><span style=\"font-size: 11.0pt;\">\u00a0<\/span><\/p>\n<p><span style=\"font-size: 11.0pt;\">Check Aggressive Aging status:<\/span><\/p>\n<p><strong><span style=\"font-size: 11.0pt;\"># fw ctl pstat | grep Agg<\/span><\/strong><\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-1142\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_6.png\" alt=\"\" width=\"444\" height=\"29\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_6.png 444w, 
https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_6-150x10.png 150w\" sizes=\"(max-width: 444px) 100vw, 444px\" \/><\/p>\n<p><span style=\"font-size: 22px; color: #33cccc;\">TIP 4<br \/><\/span><\/p>\n<p>When you decrease the start timeout and end timeout, connections will be removed as quickly as possible once they are no longer in use.<\/p>\n<p>In the SmartDashboard go to &#8220;Policy-&gt;Global Properties&#8221; and in the Stateful Inspection tab reduce the following session timers (see picture):<\/p>\n<ul>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 TCP start timeout<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 TCP end timeout<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 UDP virtual session timeout<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 ICMP virtual session timeout<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 SCTP start timeout<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 SCTP end timeout<\/li>\n<li style=\"text-indent: -18.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0 other IP protocols virtual session timeout<\/li>\n<\/ul>\n<p>Please refer to the firewall\u2019s user manual for more information on what the session timeout is.<\/p>\n<p><span style=\"color: red;\">Attention!<\/span> This changes the behavior of the firewall. 
Therefore please handle with caution.<\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-1143\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_7.png\" alt=\"\" width=\"605\" height=\"268\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_7.png 605w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_7-150x66.png 150w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/p>\n<p>With the following command you can find the number of active sessions in &#8220;TCP start timeout&#8221; in the connections table. If you change the value in the second &#8220;grep&#8221; you can also show the other session timeouts!<\/p>\n<p><strong># fw tab -t connections -u -f | grep &quot;Expires:&quot; | grep &quot;\/25;&quot; | wc -l<\/strong><\/p>\n<p><strong><img loading=\"lazy\" class=\"alignnone size-full wp-image-1144\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_8.png\" alt=\"\" width=\"474\" height=\"34\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_8.png 474w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_8-150x11.png 150w\" sizes=\"(max-width: 474px) 100vw, 474px\" \/><\/strong><\/p>\n<p><strong>Note:<\/strong> A high number of connections in &#8220;TCP start timeout&#8221; could also indicate a DDoS SYN flood attack. In the area of Distributed Denial of Service (DDoS), TCP SYN flooding was one of the first attack vectors that was encountered and it has remained significant even now. The TCP handshake process, which starts with a TCP [SYN] packet, requires that a server allocate a transmission control block (TCB) for incomplete and half-open connections. 
See more here &#8220;<a title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112241&amp;partition=Advanced&amp;product=Security\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112241&amp;partition=Advanced&amp;product=Security\" target=\"_blank\" rel=\"noopener noreferrer\">Best Practices &#8211; DDoS attacks on Check Point Security Gateway&#8221;<\/a>.<\/p>\n<p><span style=\"font-size: 22px; color: #33cccc;\">TIP 5<br \/><\/span><\/p>\n<p><span style=\"font-size: 11.0pt;\">Under R80.20 there is a new command that, in conjunction with the &#8220;Dynamic Dispatcher&#8221;, displays connections with a high load. I mention that CLI command here even though it doesn&#8217;t quite fit the topic. This command shows the table with heavy connections (those that consume the most CPU resources) in the CoreXL Dynamic Dispatcher. For more information about the CoreXL Dynamic Dispatcher, see<\/span> <a href=\"http:\/\/supportcontent.checkpoint.com\/solutions?id=sk105261\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-size: 11.0pt;\">sk105261<\/span><\/a><span style=\"font-size: 11.0pt;\">.<\/span><\/p>\n<p><span style=\"font-size: 11.0pt;\">CoreXL suspects that a connection is &#8220;heavy&#8221; if it meets these conditions:<\/span><\/p>\n<ul>\n<li style=\"margin-left: 36.0pt; text-indent: -18.0pt;\"><span style=\"font-size: 10.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span> <span style=\"font-size: 11.0pt;\">Security Gateway detected the suspected connection during the last 24 hours<\/span><\/li>\n<li style=\"margin-left: 36.0pt; text-indent: -18.0pt;\"><span style=\"font-size: 10.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span> <span style=\"font-size: 11.0pt;\">The suspected connection lasts more than 10 seconds<\/span><\/li>\n<li style=\"margin-left: 36.0pt; text-indent: -18.0pt;\"><span 
style=\"font-size: 10.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span> <span style=\"font-size: 11.0pt;\">CoreXL FW instance that processes this connection causes a CPU load of over 60%<\/span><\/li>\n<li style=\"margin-left: 36.0pt; text-indent: -18.0pt;\"><span style=\"font-size: 10.0pt;\">\u00a0\u00a0\u00a0\u00a0\u00a0<\/span> <span style=\"font-size: 11.0pt;\">The suspected connection utilizes more than 50% of the total work the applicable CoreXL FW instance does<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 11.0pt;\">Here is an example:<\/span><\/p>\n<p style=\"margin-bottom: .0001pt;\"># <strong>fw ctl multik print_heavy_conn<\/strong><\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-1145\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_9.png\" alt=\"\" width=\"605\" height=\"27\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_9.png 605w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_9-150x7.png 150w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/p>\n<p><span style=\"font-size: 22px; color: #33cccc;\">TIP 6<br \/><\/span><\/p>\n<p>An important point in tuning is the order of the rules. Normally the &#8220;rule counter&#8221; helps here. Rules that are often used should be at the beginning of the ruleset.<\/p>\n<p>It can also be helpful to view certain connections in real time. For this I have published some useful commands here. 
The commands are for version R80.20.<\/p>\n<p>1) Find all rules matched by an IP address in the connections table (<span style=\"color: red;\">Change the IP<\/span>):<\/p>\n<p><strong># fw tab -t connections -u -f | grep <span style=\"color: red;\">10.1.2.81<\/span> | grep Rule | awk '{split($0,a,&quot;;&quot;); print a[14];}' | sort -ng | uniq<\/strong><\/p>\n<p><strong><img loading=\"lazy\" class=\"alignnone size-full wp-image-1146\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_10.png\" alt=\"\" width=\"605\" height=\"72\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_10.png 605w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_10-150x18.png 150w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/strong><\/p>\n<p>2) Find all rules matched by an IP address in the connections table, with IP and port information (<span style=\"color: red;\">Change the IP<\/span>):<\/p>\n<p># <strong>fw tab -t connections -u -f | grep <span style=\"color: red;\">10.1.2.81<\/span> | grep Rule | awk '{split($0,a,&quot;;&quot;); print a[14],&quot; &quot;,a[10],&quot; &quot;,a[6],&quot; &quot;,a[8],&quot; &quot;,a[9];}' | sort -ng<\/strong><\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-1148\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_12.png\" alt=\"\" width=\"605\" height=\"55\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_12.png 605w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_12-150x14.png 150w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/p>\n<p><span style=\"font-size: 22px; color: #33cccc;\">TIP 7<br \/><\/span><\/p>\n<p>Another important point is the session timeout for a service. For example, the default session timeout for UDP is set to 40 seconds (TCP to 3600 seconds). This means, for example, that each DNS request is kept open for a maximum of 40 seconds after the last packet. 
That&#8217;s a bit much from my point of view! Therefore it is possible to change the virtual session timeout in the service. I always test here with about 20 seconds (see picture) and adjust it a little bit upwards or downwards. This way the DNS requests do not remain so long in the connection table. This can also be applied to other services.<\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-1147\" src=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_11.png\" alt=\"\" width=\"403\" height=\"327\" srcset=\"https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_11.png 403w, https:\/\/www.ankenbrand24.de\/wp-content\/uploads\/2019\/03\/ct_11-150x122.png 150w\" sizes=\"(max-width: 403px) 100vw, 403px\" \/><\/p>\n<table style=\"border: 1px solid #c6c6c6; border-collapse: separate; border-radius: 5px; background-color: #e15180; padding: 6px; text-indent: 10px;\" width=\"100%\">\n<thead>\n<tr>\n<th align=\"left\"><span style=\"color: #ffffff; font-size: large;\">References<\/span><\/th>\n<\/tr>\n<\/thead>\n<\/table>\n<p><a class=\"link-titled\" title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk65133&amp;partition=Advanced&amp;product=Security\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk65133&amp;partition=Advanced&amp;product=Security\" target=\"_blank\" rel=\"noopener noreferrer\">Connections Table Format<\/a>\u00a0<br \/><a class=\"link-titled\" title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103876\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103876\" target=\"_blank\" rel=\"noopener noreferrer\">How to manually delete an entry from the Connections Table<\/a>\u00a0<br \/><a class=\"link-titled\" 
title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk41916&amp;partition=Advanced&amp;product=Security\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk41916&amp;partition=Advanced&amp;product=Security\" target=\"_blank\" rel=\"noopener noreferrer\">Packets are dropped on Security Gateway because maximal number of Symbolic Links for connections was reached in Connecti\u2026<\/a>\u00a0<br \/><a class=\"link-titled\" title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112241&amp;partition=Advanced&amp;product=Security\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112241&amp;partition=Advanced&amp;product=Security\" target=\"_blank\" rel=\"noopener noreferrer\">Best Practices &#8211; DDoS attacks on Check Point Security Gateway<\/a>\u00a0<br \/><a class=\"link-titled\" title=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk35990&amp;partition=General&amp;product=CoreXL%22\" href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk35990&amp;partition=General&amp;product=CoreXL%22\" target=\"_blank\" rel=\"noopener noreferrer\">How Connections Table limit capacity behaves in CoreXL<\/a>\u00a0<br \/><a href=\"https:\/\/sc1.checkpoint.com\/documents\/R80.10\/WebAdminGuides\/EN\/CP_R80.10_PerformanceTuning_AdminGuide\/html_frameset.htm\" target=\"_blank\" rel=\"noopener noreferrer\">Performance Tuning R80.10 Administration Guide<\/a><br \/><a href=\"https:\/\/sc1.checkpoint.com\/documents\/R80.20_GA\/WebAdminGuides\/EN\/CP_R80.20_PerformanceTuning_AdminGuide\/html_frameset.htm\" target=\"_blank\" rel=\"noopener noreferrer\">Performance Tuning R80.20 
Administration Guide<\/a><br \/><a href=\"https:\/\/supportcenter.checkpoint.com\/supportcenter\/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk98348#Best%20practices%20-%20Multi-Queue\" target=\"_blank\" rel=\"noopener noreferrer\">Best Practices &#8211; Security Gateway Performance<\/a>\u00a0<\/p>\n<p>Copyright by Heiko Ankenbrand 1994-2019<\/p>\n","protected":false},"excerpt":{"rendered":"<p>R80.x Performance Tuning &#8211; Connection Table What is a connection kernel table One of the most important tables in the Check Point firewall is the &#8220;connection kernel table&#8221;. Connections kernel table contains the specific information about the current connections (source, destination, protocol, timeout, etc etc etc). The direction of the connection is set by the<\/p>\n<p><a class=\"button\" href=\"https:\/\/www.ankenbrand24.de\/index.php\/articles\/check-point-articel\/performance-tuning\/connection-table\/\" title=\"More\">  Read More \u2192<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":1068,"menu_order":7,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages\/1136"}],"collection":[{"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/comments?post=1136"}],"version-history":[{"count":2,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages\/1136\/revisions"}],"predecessor-version":[{"id":1150,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/pages\/1136\/revisions\/1150"}],"up":[{"embeddable":true,"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/
pages\/1068"}],"wp:attachment":[{"href":"https:\/\/www.ankenbrand24.de\/index.php\/wp-json\/wp\/v2\/media?parent=1136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}