Changing the number of concurrent connections (or flows)
Firewall-1 on a Nokia IPSO platform uses a kernel parameter to limit the pool of memory used by Firewall-1 for its connections table.
Changing some of these values on the Nokia IPSO platform requires the use of the MODZAP Utility.
Having logged in to the firewall, the IPSO command line:
modzap _fwhmem $FWDIR/boot/modules/fwmod.o 0x1000000
would allocate 16 MB to FW-1.
The following formula is used to calculate the required amount of memory for connections (ignoring any NAT, encryption, or Security Servers):
(overhead) + 60 x (number of connections)
So, for example, for 200k concurrent connections:
3 MB + 60 x 200000 = 15,000,000 bytes
It is then necessary to change *$FWDIR/lib/tables.def* as follows:
limit 200000 hashsize 262144
Note that the overhead of 3 MB applies to Firewall-1 4.0 SP6, and should be increased as appropriate for newer versions of FW-1.
You should also check that this change is actually required for later versions of Nokia IPSO and Check Point Firewall-1.
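
The sizing steps above as an added shell helper (not from the original page): it applies the page's formula and prints the modzap command and tables.def line for a given connection limit, without running modzap or editing any file. Assumptions: the 3 MB overhead is taken as 3,000,000 bytes to match the page's total, both _fwhmem and hashsize are rounded up to the next power of two (a rule inferred from the page's 0x1000000 and 262144 values, not stated by it), and the function names are hypothetical.

```shell
#!/bin/sh
# Added sizing helper, not part of the original page.
# It only prints the changes; it does not run modzap or touch tables.def.

OVERHEAD_BYTES=3000000   # page's 3 MB overhead for FW-1 4.0 SP6 (assumed 3,000,000 bytes)
BYTES_PER_CONN=60        # per-connection cost from the page's formula

# Required bytes = overhead + 60 x connections (the page's formula).
required_bytes() {
    echo $(( $OVERHEAD_BYTES + $BYTES_PER_CONN * $1 ))
}

# Smallest power of two >= $1 (assumed rounding rule, see lead-in).
next_pow2() {
    p=1
    while [ "$p" -lt "$1" ]; do
        p=$(( p * 2 ))
    done
    echo "$p"
}

# Value to pass to modzap for _fwhmem, in hex.
fwhmem_hex() {
    printf '0x%X\n' "$(next_pow2 "$(required_bytes "$1")")"
}

# Print both changes for a connection limit; reject non-numeric input.
plan() {
    case "$1" in
        ''|*[!0-9]*) echo "usage: plan <connections>" >&2; return 1 ;;
    esac
    echo "modzap _fwhmem \$FWDIR/boot/modules/fwmod.o $(fwhmem_hex "$1")"
    echo "limit $1 hashsize $(next_pow2 "$1")"
}

# The page's own case: 200k concurrent connections.
plan 200000
```

If the overhead for a newer FW-1 version differs, change OVERHEAD_BYTES before comparing the output with the values you intend to apply.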