- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to optimize connections on the firewall for better throughput or security
11/22/2021 
84 People found this article helpful
41,777 Views
Description
This article explains how to optimize connections passing through the firewall to get maximum throughput/efficiency of security services
Resolution
Each different model of SonicWall firewall family can support different maximum number for network connections, while this number may also be affected when enabling function Appflow or change the type of Packet Inspection Service. When the current number of connections for the firewall reachs or gets close to the maximum number, this may create high CPU loads, force high memory consumption and even lead to system crash. In case changing the firewall model to increase the connection processing capability is unpractical, then to optimize the firewall connections becomes necessary .
To optimize the connections on your firewall, firstly you should check the connections status to determine whether the peak connections number is close to the maximum number of your firewall. If you intent to optimize your firewall connections, normally there are two ways to do the optimization. One is to increase the maximum number of connections that your firewall can afford, the other is to use access rule to limit the connections on your firewall.
- Check the maximum/peak/current number of connections on your firewall.
- Increase the maximum number of connections on your firewall.
- Use access rule to limit the number of connections.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Step 1: Check the maximum/peak/current number of connections on your firewall.
Navigate to Home |Dashboard | System page, line Connections at System Information area displays the maximum number of network connections the SonicWall Security Appliance can support, the peak number of concurrent connections and the current number of connections.
Step 2: Increase the maximum number of connections on your firewall.
- Increase the maximum number of connections by disable AppFlow Collector.
Go to Device | App Flow | Flow reporting |Settings, disable option Enable AppFlow To Local Collector can increase the maximum number of connections on your firewall.
Go to AppFlow | Flow Reporting | External Collector, disable option Send Flows and Real-Time Data To External Collector can increase the maximum number of connections on your firewall.
Step 3: Increase the maximum number of connections by select lower level security protection service.
Go to Device |Firewall | Advanced. In the connections section, there are 3 options for you to select to increase the number of simultaneous connections.
Maximum SPI Connections (DPI services disabled) can provide the largest number of simultaneous connections in this three options. But with only stateful inspection (lower level security protection) enabled, this option is not recommended.
DPI Connections (DPI services enabled with additional performance optimizations) provides the smallest number of simultaneous connections while improve the performance when DPI scanning on those connections. Maximum DPI Connections (DPI services enabled) provides moderate simultaneous connections capability but with less performance. This is the default and recommended setting for most SonicWall network security appliance deployments.
Change the selection from the bottom option DPI Connections (DPI services enabled with additional performance optimizations) to the top option Maximum SPI Connections (DPI services disabled) can increase the maximum number of connections on your firewall while trades off the security protection performance.
Step 3: Use Access Rule to limit the number of connections.
In addition to mitigating the propagation of worms and iruses, connection limiting can alleviate connection-cache resource consumption issues.
Navigate to Policy |Rules and Policies | Access Rules . Click the edit button or add a rule you want to configure. This article will show the configuration steps on default LAN - WAN rule.
- Limit the number of connections by declaring the maximum percentage of the total available connections.
Click the Optional Settings tab. You can set any percentage value in option Number of connections allowed (% of maximum connections).
- Limit the number of connections by IP address.
In the Optional Settings tab, you can limit the connection number for each IP address, tick the Enable connection limit for each SourceDestination IP Address and enter the value as Threshold.
NOTE: Settings will not affect the current active connections. If you need the setting take effect immediately, you can go to Monitor| Tools and Monitor | Connections page to flush all connections.
The limitatios percentage of connections and the threshold for each IP address can be consumed by a certain type of traffic when configuring on a more specific rule (e.g. FTP traffic to any destination on the WAN).
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Step 1: Check the maximum/peak/current number of connections on your firewall.
- Navigate to Monitor option at the top of the page
- Navigate to Current Status | System Status page, line Connections at System Information area displays the maximum number of network connections the SonicWall Security Appliance can support, the peak number of concurrent connections and the current number of connections.
Step 2: Increase the maximum number of connections by disabling AppFlow Collector.
- Navigate to Manage option at the top of the page
- Go to Logs & Reporting | Appflow Settings | Flow Reporting , disable option Enable AppFlow To Local Collector
Go to Logs & Reporting | Appflow Settings | Flow Reporting , disable option Send Flows and Real-Time Data To External Collector 
Increase the maximum number of connections by select lower level security protection service.
- Navigate to Manage option at the top of the page
- Go to Security Configuration | Firewall Settings | . In the connections section, there are 3 options for you to select to increase the number of simultaneous connections.
- Maximum SPI Connections (DPI services disabled) can provide the largest number of simultaneous connections in this three options. But with only stateful inspection (lower level security protection) enabled, this option is not recommended.
- DPI Connections (DPI services enabled with additional performance optimizations) provides the smallest number of simultaneous connections while improve the performance when DPI scanning on those connections.
- Maximum DPI Connections (DPI services enabled) provides moderate simultaneous connections capability but with less performance. This is the default and recommended setting for most SonicWall network security appliance deployments.
Change the selection from the bottom option DPI Connections (DPI services enabled with additional performance optimizations) to the top option Maximum SPI Connections (DPI services disabled) can increase the maximum number of connections on your firewall while trades off the security protection performance.
Step 3: Use Access Rule to limit the number of connections.
In addition to mitigating the propagation of worms and iruses, connection limiting can alleviate connection-cache resource consumption issues.
Navigate to Policies | Rules | Access rules . Click the edit button or add a rule you want to configure. This article will show the configuration steps on default LAN -> WAN rule. 
- Limit the number of connections by declaring the maximum percentage of the total available connections.
Click the Advanced tab. You can set any percentage value in option Number of connections allowed (% of maximum connections).
- Limit the number of connections by IP address.
In the Advanced tab, you can limit the connection number for each IP address, tick the Enable connection limit for each SourceDestination IP Address and enter the value as Threshold.
NOTE: Settings will not affect the current active connections. If you need the setting take effect immediately, you can go to Dashboard | Connection Monitor page to flush all connections.
The limitation percentage of connections and the threshold for each IP address can be consumed by a certain type of traffic when configuring on a more specific rule (e.g. FTP traffic to any destination on the WAN).
Related Articles
- How to enable and configure NTP?
- Cannot edit App Control Signatures, "Error: property 'value' can't be empty value"
- SSL-VPN 2FA: How to unbind TOTP for a single user or multiple users
YES
NO