The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Increasing Number of Connections Allowed

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

There is a limit to the number of connections that FireWall-1 can handle.

In NG FP2 and later, you can go to the gateway object in question, select "Performance Tuning" and specify the maximum number of connections allowed and/or tweak parameters. You can also do this in dbedit on the management console: after exiting all GUIs:

modify properties firewall_properties connections_limit 50000
modify properties firewall_properties connections_hashsize 65536
update properties firewall_properties

In FireWall-1 4.1 and earlier, it can be increased by editing $FWDIR/lib/tables.def on your management console in FireWall-1 4.1 and earlier. Look for the definition of the "connections" table:

#if LIVE_CONNS == 1
connections = dynamic refresh sync expires TCP_START_TIMEOUT
                          expcall KFUNC_CONN_EXPIRE
              implies tracked kbuf 1 intrap ADD_CONN outrap DEL_CONN
                          hashsize 8192;
connections = dynamic refresh sync expires TCP_START_TIMEOUT
                          expcall KFUNC_CONN_EXPIRE
              implies tracked kbuf 1 hashsize 8192;

Note the "hashsize" parameter. You will need to modify it so that it is the power of 2 closest to the number of connections you wish to allow. You will also need to add the "limit" parameter to set the actual limit. If you wanted to increase the connections limit to 50,000 connections, you would change "hashsize 8192" to "hashsize 65536 limit 50000" (this increases the hash size for the connections table and the limit to the number of connections accordingly).

Note that it is also recommended that you increase the amount of FireWall-1 kernel memory to compensate for the extra connections. See the following FAQ for details: fw: halloc: memory exhausted

Note that if you are performing address translation, you will also need to increase the number of entries allowed in the NAT table. In FireWall-1 3.x, this is hardcoded to 25,000. Paul Wernau from Sun forwarded me Sunsolve article SRDB 20435 which details how this can be done on a Solaris box (it may work on other Unix platforms as well). On the Nokia/VPN-1 Appliance, you can do this with a special kernel module. You will need to contact your support provider to get the necessary information.

In FireWall-1 4.x on all platforms, you can modify this by modifying objects.C. Close any remote GUIs and add the following lines under the :props ( line:

        :nat_limit (50000)
        :nat_hashsize (65536)

Note the numbers correspond to the limit and hashsize parameters mentioned above.

Once you've made these changes, re-install the security policy.

Re-install the security policy. Note that the firewall may require a reboot for the change to take effect.