Monitor connections on the SonicWall firewall

12/20/2019 130 27021

DESCRIPTION:

Each different model of SonicWall firewall family can support different maximum number for network connections, while this number may also be affected when enabling certain functions on the firewall. One thing should be noted. Once the current number of connections for the firewall reaches or gets close to the maximum number, the system will keep too busy to reboot automatically. Thereby, select a firewall model with suitable capability for processing the network connections is vitally important.  However, this article does not discuss how to select a firewall but about how to monitor the network connections to troubleshoot unexpected number of network connections.

RESOLUTION:

Check the maximum connections of your firewall.

• Navigate to Monitor at the top of the page.
• Navigate to Current Status | System Status, line Connections at System Information area displays the maximum number of network connections the SonicWall security appliance can support, the peak number of concurrent connections and the current number of connections.
   

Functions Options may affect the maximum connections that your firewall can process.

• Click the question icon besides the Max (Max: 375000) number of connections. A table will be displayed, which shows you how the maximum connection number of your appliance is determined.
    
  According to the table, besides the model of your firewall, the maximum connection number is also determined by function AppFlow, External Collector and Packet Inspection service. In this case, function AppFlow is enabled, External Collector is disabled and DPI Connections is selected, so the maximum connections is 375000.

• Click Visualization, UI will redirect to Logs & Reporting | AppFlow Settings | Flow reporting. Function AppFlow and External Collector can be configured in this page.
• Click button Maximum Connections,  UI will redirect to Security Configuration | Firewall Settings | Advanced Settings . Options for packet inspection service can be selected in this page.
  NOTE: There is a trade-off between function option selection and the number of maximum connections. For example, in this case, change the inspection service from DPI Connections to Maximum DPI Connections will increase the maximum connections while reduce the performance of security services protection.

Monitor and flush the connections by tool Connection Monitor.

Sometimes, if you are aware the current number of connections is abnormal, you can use SonicWall firewall tool Connection Monitor to diagnose.

• Navigate to Investigate option at the top of the page.
• Navigate to Logs | Connection Logs ; all active connections to the SonicWall security appliance will be displayed.

• You can filter the results to display only connections matching certain criteria (Source IP, Destination IP, Destination Port, Src Interface, Dst Interface, Protocol and Flow Type).
    
• You can export all filtered result to a file for further analysis or Flush All filtered entries.
• Click Export Results button at page Connections Monitor. The result can be exported to a plain text file, or a comma-separated-value (CSV) file.  
• Click the X button to flush the connections.
  

  NOTE: Flush the connections may cease unexpected connections but it may also generate the same number re-sync packets, which means if you intend to flush thousands of TCP entries, the CPU  of the firewall may have to deal with thousands of sync packets later.