How to optimize connections on the firewall for better throughput or security
11/22/2021 138 People found this article helpful 495,986 Views
Description
This article explains how to optimize connections passing through the firewall to get maximum throughput/efficiency of security services
Resolution
Each different model of SonicWall firewall family can support different maximum number for network connections, while this number may also be affected when enabling function Appflow or change the type of Packet Inspection Service. When the current number of connections for the firewall reachs or gets close to the maximum number, this may create high CPU loads, force high memory consumption and even lead to system crash. In case changing the firewall model to increase the connection processing capability is unpractical, then to optimize the firewall connections becomes necessary .
To optimize the connections on your firewall, firstly you should check the connections status to determine whether the peak connections number is close to the maximum number of your firewall. If you intent to optimize your firewall connections, normally there are two ways to do the optimization. One is to increase the maximum number of connections that your firewall can afford, the other is to use access rule to limit the connections on your firewall.
- Check the maximum/peak/current number of connections on your firewall.
- Increase the maximum number of connections on your firewall.
- Use access rule to limit the number of connections.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Step 1: Check the maximum/peak/current number of connections on your firewall.
Navigate to Home |Dashboard | System page, line Connections at System Information area displays the maximum number of network connections the SonicWall Security Appliance can support, the peak number of concurrent connections and the current number of connections.
Step 2: Increase the maximum number of connections on your firewall.
- Increase the maximum number of connections by disable AppFlow Collector.
Go to Device | App Flow | Flow reporting |Settings, disable option Enable AppFlow To Local Collector can increase the maximum number of connections on your firewall.
Go to AppFlow | Flow Reporting | External Collector, disable option Send Flows and Real-Time Data To External Collector can increase the maximum number of connections on your firewall.
Step 3: Increase the maximum number of connections by select lower level security protection service.
Go to Device |Firewall | Advanced. In the connections section, there are 3 options for you to select to increase the number of simultaneous connections.
Maximum SPI Connections (DPI services disabled) can provide the largest number of simultaneous connections in this three options. But with only stateful inspection (lower level security protection) enabled, this option is not recommended.
DPI Connections (DPI services enabled with additional performance optimizations) provides the smallest number of simultaneous connections while improve the performance when DPI scanning on those connections. Maximum DPI Connections (DPI services enabled) provides moderate simultaneous connections capability but with less performance. This is the default and recommended setting for most SonicWall network security appliance deployments.
Change the selection from the bottom option DPI Connections (DPI services enabled with additional performance optimizations) to the top option Maximum SPI Connections (DPI services disabled) can increase the maximum number of connections on your firewall while trades off the security protection performance.
Step 3: Use Access Rule to limit the number of connections.
In addition to mitigating the propagation of worms and iruses, connection limiting can alleviate connection-cache resource consumption issues.
Navigate to Policy |Rules and Policies | Access Rules . Click the edit button or add a rule you want to configure. This article will show the configuration steps on default LAN - WAN rule.
- Limit the number of connections by declaring the maximum percentage of the total available connections.
Click the Optional Settings tab. You can set any percentage value in option Number of connections allowed (% of maximum connections).
- Limit the number of connections by IP address.
In the Optional Settings tab, you can limit the connection number for each IP address, tick the Enable connection limit for each SourceDestination IP Address and enter the value as Threshold.
NOTE: Settings will not affect the current active connections. If you need the setting take effect immediately, you can go to Monitor| Tools and Monitor | Connections page to flush all connections.
The limitatios percentage of connections and the threshold for each IP address can be consumed by a certain type of traffic when configuring on a more specific rule (e.g. FTP traffic to any destination on the WAN).
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Step 1: Check the maximum/peak/current number of connections on your firewall.
- Navigate to Monitor option at the top of the page
- Navigate to Current Status | System Status page, line Connections at System Information area displays the maximum number of network connections the SonicWall Security Appliance can support, the peak number of concurrent connections and the current number of connections.
Step 2: Increase the maximum number of connections by disabling AppFlow Collector.
- Navigate to Manage option at the top of the page
- Go to Logs & Reporting | Appflow Settings | Flow Reporting , disable option Enable AppFlow To Local Collector
Go to Logs & Reporting | Appflow Settings | Flow Reporting , disable option Send Flows and Real-Time Data To External Collector
Increase the maximum number of connections by select lower level security protection service.
- Navigate to Manage option at the top of the page
- Go to Security Configuration | Firewall Settings | . In the connections section, there are 3 options for you to select to increase the number of simultaneous connections.
- Maximum SPI Connections (DPI services disabled) can provide the largest number of simultaneous connections in this three options. But with only stateful inspection (lower level security protection) enabled, this option is not recommended.
- DPI Connections (DPI services enabled with additional performance optimizations) provides the smallest number of simultaneous connections while improve the performance when DPI scanning on those connections.
- Maximum DPI Connections (DPI services enabled) provides moderate simultaneous connections capability but with less performance. This is the default and recommended setting for most SonicWall network security appliance deployments.
Change the selection from the bottom option DPI Connections (DPI services enabled with additional performance optimizations) to the top option Maximum SPI Connections (DPI services disabled) can increase the maximum number of connections on your firewall while trades off the security protection performance.
Step 3: Use Access Rule to limit the number of connections.
In addition to mitigating the propagation of worms and iruses, connection limiting can alleviate connection-cache resource consumption issues.
Navigate to Policies | Rules | Access rules . Click the edit button or add a rule you want to configure. This article will show the configuration steps on default LAN -> WAN rule.
- Limit the number of connections by declaring the maximum percentage of the total available connections.
Click the Advanced tab. You can set any percentage value in option Number of connections allowed (% of maximum connections).
- Limit the number of connections by IP address.
In the Advanced tab, you can limit the connection number for each IP address, tick the Enable connection limit for each SourceDestination IP Address and enter the value as Threshold.
NOTE: Settings will not affect the current active connections. If you need the setting take effect immediately, you can go to Dashboard | Connection Monitor page to flush all connections.
The limitation percentage of connections and the threshold for each IP address can be consumed by a certain type of traffic when configuring on a more specific rule (e.g. FTP traffic to any destination on the WAN).
Related Articles
Categories