Changing the number of concurrent connections (or flows).
Firewall-1 on a Nokia IPSO platform uses a kernel parameter to limit the pool of memory used by Firewall-1 for its Connections table.
Changing some of these values on the Nokia IPSO platform requires the use of the MODZAP Utility.
See FAQ: Nokia – Obtaining the MODZAP Utility for instructions on how to obtain this. You may wish to review the FAQ: Nokia – Changing Kernel Parameters article as well.
Having logged in to the firewall, at the IPSO command line run:
modzap _fwhmem $FWDIR/boot/modules/fwmod.o 0x1000000
This would allocate 16 MB to FW-1.
The following formula is used to calculate the required amount of memory for connections (ignoring any NAT, Encryption, or Security Servers):
(overhead) + 60 x (number of connections)
So, for example, for 200k concurrent connections:
3 MB + 60 x 200000 = 15,000,000 bytes
It is then necessary to change *$FWDIR/lib/tables.def* as follows:
limit 200000 hashsize 262144
Note that the overhead of 3 MB applies to Firewall-1 4.0 SP6, and should be increased as appropriate for newer versions of FW-1.
You should also check that this change is actually required for later versions of Nokia IPSO and Checkpoint Firewall-1.
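The sizing below is an added helper, not part of the original FAQ and not code from Check Point or Nokia. It applies the FAQ's formula (overhead + 60 bytes per connection, with the 3 MB overhead taken as 3,000,000 bytes as in the FAQ's own arithmetic), checks that a chosen _fwhmem pool actually covers the target connection count before the modzap line is produced, and derives the tables.def limit/hashsize fragment. The "hashsize is the next power of two at or above the limit" rule is an assumption that reproduces the FAQ's example (limit 200000, hashsize 262144), not a documented Check Point rule; the overhead is a parameter so it can be raised for newer FW-1 versions as the note above says.

```python
# Added sizing helper for the FW-1 connections table on Nokia IPSO.
# Not from the original FAQ, Check Point or Nokia. Assumptions, labelled:
#  - 60 bytes per connection and a 3 MB overhead are the FAQ's figures for
#    FW-1 4.0 SP6; 3 MB is taken as 3,000,000 bytes as in the FAQ's arithmetic.
#  - hashsize = smallest power of two >= limit is a heuristic that matches the
#    FAQ's example (200000 -> 262144), not a documented Check Point rule.
BYTES_PER_CONNECTION = 60
DEFAULT_OVERHEAD = 3_000_000  # assumption: the FAQ's "3 MB" for FW-1 4.0 SP6
FWMOD_PATH = "$FWDIR/boot/modules/fwmod.o"  # module path as given in the FAQ


def required_bytes(connections, overhead=DEFAULT_OVERHEAD):
    """Memory the FAQ's formula says the connections table needs."""
    if connections <= 0:
        raise ValueError("connections must be positive")
    return overhead + BYTES_PER_CONNECTION * connections


def hashsize_for(limit):
    """Smallest power of two >= limit (heuristic, see header comment)."""
    size = 1
    while size < limit:
        size <<= 1
    return size


def pool_covers(pool_bytes, connections, overhead=DEFAULT_OVERHEAD):
    """True if the _fwhmem pool is large enough for the target connection count."""
    return pool_bytes >= required_bytes(connections, overhead)


def modzap_command(pool_bytes):
    """The modzap invocation from the FAQ, with the pool size rendered in hex."""
    return f"modzap _fwhmem {FWMOD_PATH} 0x{pool_bytes:x}"


def tables_def_line(limit):
    """The limit/hashsize fragment the FAQ says to set in $FWDIR/lib/tables.def."""
    return f"limit {limit} hashsize {hashsize_for(limit)}"


def sizing_plan(connections, pool_bytes, overhead=DEFAULT_OVERHEAD):
    """Tie the steps together; refuse a pool that cannot hold the table."""
    need = required_bytes(connections, overhead)
    if not pool_covers(pool_bytes, connections, overhead):
        raise ValueError(
            f"pool of {pool_bytes} bytes is below the {need} bytes needed "
            f"for {connections} connections; raise the modzap value")
    return {
        "required_bytes": need,
        "headroom_bytes": pool_bytes - need,
        "modzap": modzap_command(pool_bytes),
        "tables_def": tables_def_line(connections),
    }


if __name__ == "__main__":
    # The FAQ's own example: 200k connections in a 16 MB (0x1000000) pool.
    for key, value in sizing_plan(200_000, 0x1000000).items():
        print(f"{key}: {value}")
```

Running it with the FAQ's numbers reproduces the modzap line and the tables.def fragment above, and shows the 16 MB pool leaves about 1.7 MB of headroom over the 15,000,000 bytes the formula requires; asking for more connections than the pool can hold raises an error instead of emitting a modzap value that would be too small.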