By default NGX R65 comes with a very limited maximum number of active connections (it was 25 000 in my case).
That's very low, especially for big website hosting.
To increase that limit:
- Double-click the gateway object
- go to the Capacity Optimization section
- then you can tune the Maximum concurrent connections counter
For NGX:
In $FWDIR/conf
Edit user.def.NGX_R60 on the SmartCenter, or on the relevant CMA on Provider-1:
#define NON_VPN_TRAFFIC_RULES (src=1.1.1.1 or src=2.2.2.2, dst=1.1.1.1 or dst=2.2.2.2)
Install the policy
Clear the SAs
Enjoy
On the MDS / SmartCenter Server:
# mdsenv CMAXXX (if you have Provider-1)
# vpn overlap_encdom
It won't show the firewall interface IP addresses that are implicitly part of the VPN domain.
LB_FAILED is triggered when LTM is ready to send the request to a pool member and one hasn't been chosen (the system failed to select a pool or a pool member), is unreachable (when no route to the target exists), or is non-responsive (fails to respond to a connection request).
when LB_FAILED {
LB::reselect pool ANOTHER_POOL
}
If you use this rule in Pool_1 and all Pool_1 members are down, unreachable, or have reached their connection limit, you can redirect the client to Pool_2 (ANOTHER_POOL in the above example).
| Counter | Description |
|---|---|
| success | The number of successful queries made to the server or zone. A successful query is defined as a query which returns a NOERROR response with at least one answer RR. |
| referral | The number of queries which resulted in referral responses. |
| nxrrset | The number of queries which resulted in NOERROR responses with no data. |
| nxdomain | The number of queries which resulted in NXDOMAIN responses. |
| failure | The number of queries which resulted in a failure response other than those above. |
| recursion | The number of queries which caused the server to perform recursion in order to find the final answer. |
Each query received by the server will cause exactly one of success, referral, nxrrset, nxdomain, or failure to be incremented, and may additionally cause the recursion counter to be incremented.
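Since the counters are cumulative, what you actually want is the delta between two dumps. The following is an added example, not part of BIND or of the original post: it assumes a dump with one "<counter> <value>" pair per line (lines carrying a zone column are skipped), constructs nothing itself, and reports the query delta built from the five mutually exclusive counters above, the NXDOMAIN share, and the recursion delta.

```shell
# Added example (not BIND's own tooling). Usage: bind_query_delta OLD_DUMP NEW_DUMP
# Assumes each dump has lines like "nxdomain 15" (global counters, NF == 2);
# the "+++ Statistics Dump +++" markers and per-zone lines are ignored.
# The first file must be non-empty, otherwise awk's NR == FNR trick misfires.
bind_query_delta() {
    awk '
        NF == 2 && $1 ~ /^(success|referral|nxrrset|nxdomain|failure|recursion)$/ {
            if (NR == FNR) before[$1] = $2; else after[$1] = $2
        }
        END {
            # exactly one of these five is incremented per query (see the text above)
            n = split("success referral nxrrset nxdomain failure", need, " ")
            total = 0
            for (i = 1; i <= n; i++) {
                k = need[i]
                if (!(k in after)) { print "missing counter " k > "/dev/stderr"; exit 1 }
                d[k] = after[k] - before[k]      # before[k] reads as 0 if absent
                total += d[k]
            }
            # recursion is an additional flag, not part of the total
            printf "queries=%d nxdomain_pct=%.1f recursive=%d\n",
                   total, (total ? 100 * d["nxdomain"] / total : 0),
                   after["recursion"] - before["recursion"]
        }' "$1" "$2"
}
```

A sudden jump in nxdomain_pct between two dumps is worth a look, since it usually means misconfigured clients or lookups for names that do not exist.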
We all know that SmartDefense is a nightmare.
To disable SD HTTP inspection there are two steps:
1/ remove the HTTP handler from your HTTP service (Object Properties -> Advanced -> Protocol Type should be NONE)
2/ step 1 won't turn off all SD inspection!! Sometimes SD will continue to inspect and drop it, funny …
Connect to your CMA/SmartCenter, go to $FWDIR/lib and edit asm.def; it has to look like this:
##########################################################
IPList = {X.X.X.X,Y.Y.Y.Y};
#ifndef __asm_def__
#define __asm_def__
//
// (c) Copyright 1993-2004 Check Point Software Technologies Ltd.
// All rights reserved.
//
// This is proprietary information of Check Point Software Technologies
// Ltd., which is provided for informational purposes only and for use
// solely in conjunction with the authorized use of Check Point Software
// Technologies Ltd. products. The viewing and use of this information is
// subject, to the extent appropriate, to the terms and conditions of the
// license agreement that authorizes the use of the relevant product.
//
// $RCSfile: asm.def,v $ $Revision: 1.1.4.1.122.1 $ $Date: 2005/07/12 14:06:16 $
/*CIFS Worm Catcher */
#ifdef ASM_CIFS_WORM_CATCHER
#define CHECK_ASM_CIFS_WORMS
(
dport in cifs_services, tcp,
is_version_at_least(FP4_VER),
(call KFUNC_CIFS_INIT <0, 0, 0, 0, 0, 0> or drop)
) or 1
#else
#define CHECK_ASM_CIFS_WORMS 1
#endif
#define ACTIVATE_CPAS_NOTIFY
((is_version_at_least(NGXENF_VER),call KFUNC_IS_NOTIFY<>), ADD_INSPECTION(SPII_CPAS_NOTIFY_ID))
or 1
/*POP3 server protection*/
/* In case of content inspection we skip the FW to Server connection */
#ifdef POP3_SERVER_PROTECTION_DEFINED
#define ACTIVATE_POP3_SERVER_DEFENSE
(
tcp,
get <dst, dport> from pop3_server_rules to sr1,
sr1,
ADD_INSPECTION_WITH_PARAMS(SPII_POP3_ID, sr1)
) or 1
#else
#define ACTIVATE_POP3_SERVER_DEFENSE 1
#endif
/*IMAP server protection*/
#ifdef IMAP_SERVER_PROTECTION_DEFINED
#define ACTIVATE_IMAP_SERVER_DEFENSE
(
tcp,
get <dst, dport> from imap_server_rules to sr1,
sr1,
ADD_INSPECTION_WITH_PARAMS(SPII_POP3_ID, sr1)
) or 1
#else
#define ACTIVATE_IMAP_SERVER_DEFENSE 1
#endif
#define ACTIVATE_MAIL_SERVER_DEFENSE (ACTIVATE_POP3_SERVER_DEFENSE,ACTIVATE_IMAP_SERVER_DEFENSE) or 1
/*Web security global features*/
#ifdef WS_GLOBAL_FEATURES_DEFINED
#define ACTIVATE_WS_GLOBAL_DEFENSE
(
src not in IPList,dst not in IPList,tcp, dport in http_services,
((is_version_at_least(NGXENF_VER),call KFUNC_IS_NOTIFY<>) or ADD_INSPECTION(SPII_WEBSEC_ID))
) or 1
#else
#define ACTIVATE_WS_GLOBAL_DEFENSE (1)
#endif
/*Web security server protection*/
#ifdef WS_SERVER_PROTECTION_DEFINED
#define ACTIVATE_WS_SERVER_DEFENSE
(
src not in IPList,dst not in IPList,tcp, get <dst, dport> from web_server_rules to sr10,
((is_version_at_least(NGXENF_VER),call KFUNC_IS_NOTIFY<>) or ADD_INSPECTION_WITH_PARAMS(SPII_WEBSEC_ID, sr10))
) or ACTIVATE_WS_GLOBAL_DEFENSE
#else
#define ACTIVATE_WS_SERVER_DEFENSE ACTIVATE_WS_GLOBAL_DEFENSE
#endif
/*P2P blocking*/
#include "p2p_block.def"
#endif
##########################################################
On-the-fly change (no reboot required):
fw ctl set int fwtcpstr_max_window 65536
To make it reboot-persistent:
echo "fwtcpstr_max_window=65536" >> /opt/CPsuite-R65/fw1/boot/modules/fwkern.conf
(append with >> rather than >, so that any other parameters already in fwkern.conf are kept)
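If you script this, make it idempotent: a plain redirect clobbers other entries and a blind append leaves duplicates behind. Added example, not from Check Point and not from the original post; the conf path is passed as an argument (on R65 it is the fwkern.conf path shown above), the parameter name is the one from this post.

```shell
# Added example (not Check Point's own tooling).
# Usage: set_fwkern_param CONF NAME VALUE  -  writes NAME=VALUE into CONF exactly once,
# replacing an existing line for NAME or appending a new one.
set_fwkern_param() {
    conf="$1"; name="$2"; value="$3"
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^${name}=" "$conf"; then
        # replace in place; rewrite via a temp file for portability (no sed -i)
        sed "s|^${name}=.*|${name}=${value}|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        echo "${name}=${value}" >> "$conf"
    fi
}

# Usage: get_fwkern_param CONF NAME  -  prints the value currently set for NAME
get_fwkern_param() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# example run, using the path from the post and the parameter from the post
# set_fwkern_param /opt/CPsuite-R65/fw1/boot/modules/fwkern.conf fwtcpstr_max_window 65536
```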
sk30905
All interfaces that are not part of ClusterXL should be listed in:
$FWDIR/conf/discntd.if
To start the web interface:
# webui enable 443 (if you want it listening on TCP port 443)
There are two authentication levels:
1. admin password
2. expert password
You change the admin password using the passwd admin command
You change the expert password using the regular Unix passwd command