Good catch Barry. Forgot about this one.

>>> "Barry W. Kokotailo" <[EMAIL PROTECTED]> 8/17/00 5:49:24 PM >>>
>My opinion on that is that the state table has a limited number of connections.
>If CP allowed any tcp connection to stay resident in the state table for a long
>period of time, eventually, memory would be exhausted and no further connections
>would be possible to the firewall.
>
>Thinking on this line, it probably is possible to max out the state table, and
>place the site in a DoS state.
>
>Comments from the group of Checkpoint?
>
>merlin
>
>Robert MacDonald wrote:
>
>> Barry,
>>
>> Figuring that CP is in the security related field,
>> it's probably for security reasons. Why should
>> a connection be left open, if nothing is going on?
>>
>> Robert
>>
>> >>> "Barry W. Kokotailo" <[EMAIL PROTECTED]> 8/17/00 1:33:41 PM >>>
>> >Well that is a good point. According to my working on the problem, there
>> >is a parameter called tcp keepalive. Unfortunately it has to be built within
>> >the client

  <snip>

>> >> >Doug Schmidt wrote:
>> >> >
>> >> >> Hi,
>> >> >> I have called CP Support and also searched the Phonyboy FAQ's, but nothing.
>> >> >> CP Support told me to increase the TCP Session Timeout. Which has a max
>> >> >> setting of 6500 seconds ( ~2 hours) which is not long enough for our needs.
>> >> >>
>> >> >> We have our user LAN behind the FW. Some of our developers on this LAN need
>> >> >> to have telnet/ssh connections to some servers (outside the FW). While these
>> >> >> connections are open, they run some jobs, which can last anywhere from
>> >> >> minutes to many hours. In the case of a job lasting say 4-5 hours, this
>> >> >> would not be long enough, since the FW will drop the TCP Session when it
>> >> >> is not active.
>> >> >>
>> >> >> Is/are there any workarounds/fixes to this problem? Any advice would be
>> >> >> great.
>> >> >>
>> >> >> Firewall Version 4.1 Build 41489 running on Slowaris 2.7
>> >> >>
>> >> >> ~D
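
Added example, not part of the original thread: a Python sketch of the client-side TCP keepalive mentioned above, with probe timing chosen to stay under the 6500-second session timeout quoted in the thread. The function names `keepalive_plan` and `apply_keepalive` and the probe count, interval and margin defaults are assumptions made for illustration.

```python
import socket

FIREWALL_IDLE_TIMEOUT = 6500  # seconds; maximum TCP session timeout quoted in the thread


def keepalive_plan(fw_timeout, probes=3, interval=30, margin=0.5):
    """Choose keepalive timings so every probe is sent before fw_timeout expires."""
    idle = int(fw_timeout * margin)
    if idle < 1:
        raise ValueError("firewall timeout too short for keepalive probing")
    # Shrink the retry interval when the timeout leaves little room after `idle`.
    interval = min(interval, max(1, (fw_timeout - idle) // (probes + 1)))
    # The last retry goes out at idle + (probes - 1) * interval.
    if idle + (probes - 1) * interval >= fw_timeout:
        raise ValueError("probes would not all fit inside the firewall timeout")
    return {"idle": idle, "interval": interval, "probes": probes}


def apply_keepalive(sock, plan):
    """Enable keepalive on a TCP socket and return the values the OS accepted."""
    # SO_KEEPALIVE alone is not enough here: Linux waits 7200 s by default
    # before the first probe, which is longer than the 6500 s timeout.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux names the idle option TCP_KEEPIDLE; macOS exposes it as TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    options = (
        ("idle", idle_opt),
        ("interval", getattr(socket, "TCP_KEEPINTVL", None)),
        ("probes", getattr(socket, "TCP_KEEPCNT", None)),
    )
    applied = {"enabled": True}
    for name, opt in options:
        if opt is None:
            continue  # platform lacks this knob; the system-wide default applies
        sock.setsockopt(socket.IPPROTO_TCP, opt, plan[name])
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    # Options are set on an unconnected socket; no network traffic is generated.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(apply_keepalive(s, keepalive_plan(FIREWALL_IDLE_TIMEOUT)))
```

The options have to be set by the program that owns the socket, so this only helps where the client exposes such a setting or can be modified.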




