Feb 02

ARP cache overflow

Firewall Engine, Hints and Tips -

The “Neighbour table overflow” message comes from the Linux kernel and means that the ARP cache (the IPv4 neighbour table) has hit its hard limit and forced garbage collection could not free any entries. This typically happens when there are many directly connected hosts behind a firewall interface. Note that the IPv6 neighbour cache has its own, separate thresholds under /proc/sys/net/ipv6/neigh/default/ and is not affected by the settings below.

It is possible to increase the size of the engine's ARP cache by changing the values of
/proc/sys/net/ipv4/neigh/default/gc_thresh3 (the hard maximum number of entries kept in the ARP cache; defaults to 1024) and
/proc/sys/net/ipv4/neigh/default/gc_thresh2 (the soft maximum; above this number the garbage collector starts purging entries older than 5 seconds; defaults to 512).
These thresholds exist only under the default directory, so they apply to all interfaces of the engine.

The changes should be made in the /data/run-at-boot file (remember the Firewall state transitions) so that they survive a reboot. The run-at-boot file must be created with execute permission for root (for example chmod 700 /data/run-at-boot).

Add the following lines to /data/run-at-boot file in all of the engines of the cluster:

#!/bin/sh
echo 8192 >/proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 4096 >/proc/sys/net/ipv4/neigh/default/gc_thresh2

The change takes effect after the next boot, or immediately when the run-at-boot script is executed by hand. Activate it as simultaneously as possible on all nodes of the cluster so that the nodes behave the same way at all times.
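As an added example (not code from the original post or from the firewall vendor), the following script does the same job as the run-at-boot lines above but reads the values back to confirm they stuck, also raises gc_thresh1 (the threshold below which the kernel does not collect at all; not mentioned in the post, kept at the kernel's default 1:4:8 ratio), and reports how full the table is from the output of `ip -4 neigh show`. The sysctl directory is passed as a parameter so the function can be tried against a scratch directory without root; the `apply` argument and the 8192 default are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): raise the Linux IPv4 neighbour
# (ARP) cache limits and verify that they took effect.
# The sysctl directory is a parameter so the function can be exercised
# against a scratch directory without root; on an engine it is
# /proc/sys/net/ipv4/neigh/default (the path used in the post).
set -eu

# Set the three gc thresholds under $1 for a hard maximum of $2 entries,
# keeping the kernel's default 1:4:8 ratio (128:512:1024):
#   gc_thresh3 = hard maximum, gc_thresh2 = hard/2, gc_thresh1 = hard/8.
# gc_thresh1 is not mentioned in the original post; below it the kernel
# does not garbage-collect at all, so it is raised along with the others.
# Returns 1 if any value read back differs from what was written.
set_neigh_thresholds() {
    neigh_dir=$1
    hard=$2
    soft=$((hard / 2))
    low=$((hard / 8))

    echo "$hard" > "$neigh_dir/gc_thresh3"
    echo "$soft" > "$neigh_dir/gc_thresh2"
    echo "$low"  > "$neigh_dir/gc_thresh1"

    # Read back rather than trusting the write, so a typo in the path or
    # a rejected value is reported instead of silently ignored.
    [ "$(cat "$neigh_dir/gc_thresh3")" = "$hard" ] || return 1
    [ "$(cat "$neigh_dir/gc_thresh2")" = "$soft" ] || return 1
    [ "$(cat "$neigh_dir/gc_thresh1")" = "$low" ]  || return 1
}

# Read `ip -4 neigh show` output from stdin (one line per cache entry,
# FAILED entries included, since they occupy a slot as well) and print the
# percentage of the hard maximum $1 that is in use. Useful for spotting a
# table that is close to gc_thresh3 before the kernel logs an overflow.
neigh_usage_percent() {
    hard=$1
    entries=$(grep -c . || true)   # grep exits 1 on empty input; keep the "0"
    echo $((entries * 100 / hard))
}

# On an engine (as root): sh raise-neigh.sh apply 8192
# Without "apply" the script only defines the functions, so it can be
# sourced from /data/run-at-boot.
if [ "${1:-}" = "apply" ]; then
    hard_max=${2:-8192}
    set_neigh_thresholds /proc/sys/net/ipv4/neigh/default "$hard_max"
    echo "ARP cache in use: $(ip -4 neigh show | neigh_usage_percent "$hard_max")% of $hard_max"
fi
```

Running the usage check from cron on each cluster node gives an early warning well before the kernel message appears; the read-back in set_neigh_thresholds is what turns a silent typo in the run-at-boot file into a non-zero exit that the boot log will show.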

written by christoph - 1,579 views

Jan 28

Allowed connections in initial state

Firewall Engine, Hints and Tips -

In initial configuration state (before any security policies have been installed from the management), the following connections are allowed by the firewall engine:

From the firewall engine:
- SSH (TCP/22)
- SG-init (TCP/3021)

To the firewall engine:
- SG-remote-upgrade (TCP/4950)
- SG-mgmt (TCP/4987)
- SG-monitor (TCP/8888)
- SSH (TCP/22)

Furthermore, the following ICMP messages are allowed to and from the firewall engine:
- Echo reply (type 0)
- Echo request (type 8)
- Destination unreachable, fragmentation needed and don't fragment was set (type 3, code 4), which is needed for path MTU discovery

Note that SSH to the engine is accepted in this state before any policy exists, so keep the engine on a protected management network until the first policy has been installed.

written by christoph - 639 views

Dec 23

Meaning for Netlink state settings

Hints and Tips -

There seems to be an undocumented setting in SMC regarding the Netlinks. You will see it when you right-click any Netlink in the Status view and select Netlink state. A drop-down menu opens with three choices:

1. always enabled
2. always disabled
3. reset to auto

By default the state setting is “auto”. With this setting the netlink works normally, meaning that the result of netlink status probing is taken into account.

1. always enabled

When the setting is “always enabled”, the netlink remains in the active state even if status probing fails; in other words, it stays active/enabled even when probing shows it to be down. This is useful when netlink status probing does not work reliably: if you know that the netlink is up and working but probing reports it as down, setting the state to “always enabled” allows the netlink to be used anyway. The price is that a genuinely failed link is no longer taken out of use automatically, so treat this as a workaround until the probing problem itself is fixed.

2. always disabled

This one is quite clear. When this setting is on, the particular netlink is always in the inactive/disabled state and does not process traffic.

3. reset to auto

The last option, “reset to auto”, changes the setting in the engine back to the default auto behaviour if it was previously set to “always enabled” or “always disabled”.

written by Emalias - 1,448 views