Derek...
The entries in the fwx_alloc can first be checked with a cursory
check to see what the predominant entry is in the source field
which should be the first or second column IIRC. For me the easiest
way is to simply capture the output of the table
'fw tab -u -t fwx_alloc' into a text file and then import it into
a database and run a simple count query on the source IP.
The second thing you can do is to take the top 5 entries and
convert them from hex to decimal. For this task a simple hex
calculator, some hex math, or the use of Check Point's InfoView
are very handy.
As for having seen this before, I have, and in almost every single
case the issue has been a trojan or scanner on the network. This
will become obvious if you do the two things I mention above. You
should be able to track down who the heavy hitter is and cure that
problem should that be the case.
The only other issue that it could be is NG AI's new ability to
run in "VRRP aware" mode. I have found that this didn't work
very well and resulted in a multitude of issues in R54. I have
found that running with the OPSEC option works best under R54,
using traditional NG FP3 configurations (no topology under your
gateway cluster, but topology for cluster members).
If it is the firewalls that are being hidden by a NAT rule, make sure
that you add a single NAT rule to the top of your NAT policy that says
source=any destination=vrrp.mcast.net service=any xlate-src=orig
xlate-dest=orig xlate-svc=orig. Make certain that it is at the
top of your rulebase and that should take care of any unnecessary
translation of VRRP packets.
hope this helps...
jason...
/----------==----------==----------==----------==----------==----------\
Jason Prost - President and CEO
Guardian Technologies, Inc. phone: 630.871.8166
P.O.Box 88657 cell: 630.853.2569
Carol Stream, IL 60188 fax: 630.566.1972
http://www.guardiantechnologies.net
\----------------------------------------------------------------------/
> -----Original Message-----
> From: Jones, Derek A. [mailto:DAJones@xxxxxxxx]
> Sent: Saturday, December 27, 2003 9:05 PM
> To: fw1-gurus@xxxxxxxxxxxxxxxxxx
> Subject: [fw1-gurus] Exceeding NAT Translations
>
>
> To all,
>
> Here is the problem, we have recently migrated from 4.1 FP3 to NG-AI
>
> After migrating we continue to see an inconsistency between
> the number of connections and the number of entries in the
> fwx_alloc database
>
> Fw tab -t connections -s
> Produces: 4000 current and 10000 max
>
>
> Fw tab -t fwx_alloc -s
> Produces: 75000 current and 75000 max
>
>
> As some can tell, we have increased the maximum number of NAT
> Translations in the fwx_alloc table to 75000
>
> The table fills up about every 36 hours
>
> We have also tried removing extra packages in IPSO
>
>
> Hardware: Nokia 710
> OS: IPSO 3.7 Build 29
> Checkpoint: Checkpoint NG-AI
> VRRP Clustered Active-Passive
>
>
> We figure this is a problem associated with upgrading and a
> difference between CP 4.1 and NG-AI
>
> Also our thoughts are that the entries in the table more point
> to the problem
>
> Has anyone had a problem like this?
> How did you fix it?
>
> If not, is there any kind of tools to decipher the fwx_alloc table?
>
> ---------------------------------------------------------------------
> FireWall-1 Gurus Mailing List (http://www.phoneboy.com/gurus)
> To unsubscribe, mailto:fw1-gurus-unsubscribe@xxxxxxxxxxxxxxxxxx
> For additional commands, mailto:fw1-gurus-help@xxxxxxxxxxxxxxxxxx
>
>
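The two checks Jason describes (count the fwx_alloc entries per source address to find the heavy hitter, then convert the hex values to dotted decimal), as an added Python example that is not part of this thread: it parses the `<...>` entries of a captured `fw tab -u -t fwx_alloc` dump and does the count in memory instead of the database import. The sample dump is constructed, and the position of the source address in the entry (SRC_FIELD, assumed here to be the first hex field) is an assumption to adjust if it turns out to be the second column.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample of a 'fw tab -u -t fwx_alloc' capture (not a real dump):
# one host (0x0a010105 = 10.1.1.5) holds most of the translations.
SAMPLE = """localhost:
-------- fwx_alloc --------
<0a010105, 00000fa0, 00000006; 00000000, 00000001> (00000064)
<0a010105, 00000fa1, 00000006; 00000000, 00000001> (00000064)
<0a010105, 00000fa2, 00000006; 00000000, 00000001> (00000064)
<0a010105, 00000fa3, 00000011; 00000000, 00000001> (00000064)
<c0a80120, 00000bb8, 00000006; 00000000, 00000001> (00000064)
<0a010107, 00000bb9, 00000006; 00000000, 00000001> (00000064)
<c0a80120, 00000bba, 00000006; 00000000, 00000001> (00000064)
"""

ENTRY_RE = re.compile(r"<([0-9a-fA-F,;\s]+)>")
SRC_FIELD = 0  # assumption: source IP is the first hex field; set to 1 if it is the second


def hex_fields(line):
    """Return the hex fields of one table entry as ints, or None for header/other lines."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    parts = (p.strip() for p in re.split(r"[,;]", m.group(1)))
    return [int(p, 16) for p in parts if p]


def hex_to_ip(value):
    """Convert a 32-bit hex field (as int) to dotted-decimal, the 'hex math' step."""
    return str(IPv4Address(value & 0xFFFFFFFF))


def count_sources(text, field=SRC_FIELD):
    """Count fwx_alloc entries per source address; stands in for the count query."""
    counts = Counter()
    for line in text.splitlines():
        fields = hex_fields(line)
        if fields is None or len(fields) <= field:
            continue
        counts[hex_to_ip(fields[field])] += 1
    return counts


def top_talkers(text, n=5, field=SRC_FIELD):
    """Top n source addresses by number of NAT allocations."""
    return count_sources(text, field).most_common(n)


def dominant_source(counts, share=0.5):
    """Return the address holding more than `share` of all entries, else None."""
    total = sum(counts.values())
    if not total:
        return None
    ip, hits = counts.most_common(1)[0]
    return ip if hits / total > share else None
```

A single address owning most of the table points at the scanner or trojan host Jason mentions; a flat distribution points elsewhere (e.g. the VRRP/NAT interaction he describes next).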