
How to tune your firewall after applying hotfixes--Symantec Enterprise Firewall 7.x for Windows NT/2000

Question/Issue:
After applying the latest hotfix set, you should consider tuning your firewall parameters.


Solution:
Firewall tuning parameters are entirely dependent on the type and amount of traffic as well as your network security needs. The parameter variables listed in this document are available for modification in order to tune the firewall after application of the latest set of hotfixes.

Search for these strings (parameters) in a given file and set the recommended values according to your needs. If a string is not present already, simply enter the string at the end of the applicable file. Strings are not case-sensitive.

Note: This is a partial list of the most commonly modified values associated with applying a patch or tuning a firewall for a newly installed and patched security gateway.
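The edit procedure above (search for a parameter in config.cf without regard to case, change its value if present, otherwise append it at the end of the file) as a small script. This is an added example, not Symantec's code; the config file content is a constructed sample and the upper bounds in LIMITS are the ones this article gives.

```python
import re
from typing import Dict, List, Tuple

# Upper bounds this article states; values beyond them are refused.
LIMITS = {
    "udp_gsp.csvr.max_conns": 512,
    "pingd.csvr.max_conns": 512,
    "driver.global.max_memory": 67108864,  # 64 MB
}

# Constructed sample of a config.cf; not a file taken from a real gateway.
SAMPLE_CONFIG = """\
# config.cf (constructed sample)
FTPD.Allow_Address_Mismatch=True
udp_gsp.csvr.max_conns=256
driver.global.max_memory=33554432
"""

_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")

def apply_tuning(config_text: str, params: Dict[str, str]) -> Tuple[str, List[str]]:
    """Set each parameter: replace an existing line (key matched without regard
    to case, as the article says) or append it at the end of the file.
    Returns the new file text and a change log."""
    for key, value in params.items():
        limit = LIMITS.get(key.lower())
        if limit is not None and int(value) > limit:
            raise ValueError(f"{key}={value} exceeds the documented maximum {limit}")
    pending = {k.lower(): (k, v) for k, v in params.items()}
    out, changes = [], []
    for line in config_text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() in pending:
            key, value = pending.pop(m.group(1).lower())
            if m.group(2) != value:
                changes.append(f"changed {m.group(1)}: {m.group(2)} -> {value}")
                line = f"{m.group(1)}={value}"  # keep the file's own spelling of the key
            else:
                changes.append(f"unchanged {m.group(1)}={value}")
        out.append(line)
    for key, value in pending.values():   # strings not found go at the end of the file
        out.append(f"{key}={value}")
        changes.append(f"appended {key}={value}")
    return "\n".join(out) + "\n", changes

if __name__ == "__main__":
    new_text, log = apply_tuning(SAMPLE_CONFIG, {"ftpd.allow_address_mismatch": "False",
                                                 "driver.global.tcp_idle_timeout": "43200"})
    print(new_text); print("\n".join(log))
```

Run it against a copy of config.cf and review the change log before saving and reconfiguring the firewall.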

%eagleconfigdir%\config.cf file:

Each entry below gives the parameter(s) with the recommended value, the purpose of the setting, and the related Symantec Knowledge Base article.

ftpd.allow_address_mismatch=False
  Purpose: Secures the firewall from the FTP bounce attack. Default = True.
  Knowledge Base article: Hotfix for Symantec Enterprise Firewall 6.5 FTPD module

udp-gsp.low_unnumbered_port=29000
  Purpose: Modify if you need to pass a large amount of udp_gsp traffic (default is 30001).
  Knowledge Base article: Error: "udp-gsp[pid]: 523 Resource allocation failure: could not allocate port (Resource temporarily unavailable)" in SEF log

udp_gsp.csvr.max_conns=256
  Purpose: Increase this value up to 512 (default is 256) if you need to authorize an inordinate amount of udp_gsp traffic concurrently. You may need to increase the value if you have disabled the dnsd and are passing a large amount of DNS traffic through the udp_gsp proxy. Messages similar to "exceed thread limit 256" in your log may indicate that the value should be increased, as long as you are not seeing any system CPU and memory resource shortage.
  Knowledge Base article: Hotfix for Symantec Enterprise Firewall 6.5 udp_gsp module

pingd.csvr.max_conns=256
  Purpose: Usually not necessary to modify, but you may increase this value up to 512 (default is 256).
  Knowledge Base article: Hotfix for Symantec Enterprise Firewall 7.0 PINGD module

smtpd.verify_reverse_lookup=False
  Purpose: Set this value if there are excessive smtpd reverse lookup warnings (default is True, which is recommended for security).
  Knowledge Base article: Error: "host.xyz.com <ip address 1>: can't verify reverse address - lookup does not include original address: <ip address 2>" in firewall log

driver.global.tcp_idle_timeout=43200
  Purpose: Set this value (in seconds) to clean up idle TCP sessions that contribute to kernel memory usage. This value overrides all TCP idle timeout values set at the proxy level, such as in telnetd.
  Knowledge Base article: VPN memory usage increasing

driver.global.max_memory=67108864
  Purpose: Typically, you do not have to modify this value from the default 32 MB, and you should not need to increase the value past 64 MB. If you are noticing high current_memory usage (more than 70 percent of the max_memory value), you should evaluate what may be causing the kernel memory usage. Increase to 67108864 if you believe that the kernel memory is limited (default is 32 MB).
  Knowledge Base article: How to edit the Global/Max_Memory value

driver.Global.LogSuppressionMask[2]=4096
  Purpose: Set this value if you need to suppress excessive ARP errors that are beyond your control.
  Knowledge Base article: How to suppress ARP warnings

tcpap-gsp.enable_ecn_flag=1
driver.global.flagcheck_enabled=false
  Purpose: Set these values if you need to pass Explicit Congestion Notification (ECN) bits.
  Knowledge Base article: Error: "401 Internal error: received TCP packet with flags 0xc2 from driver" in the firewall logfiles
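Several of the entries above point to a log message as the symptom that calls for the parameter change. The script below, an added example rather than Symantec's code, counts those messages in a firewall log and reports the parameter the article associates with each one; the regular expressions and the sample log lines (in a generic syslog-like layout) are constructed, and the two-hit threshold is an arbitrary choice.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Log fragments this article ties to a config.cf parameter, with the article's advice.
# The regexes are constructed here; the message text and advice come from the article.
SIGNATURES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"523 Resource allocation failure: could not allocate port"),
     "udp-gsp.low_unnumbered_port", "lower it from the default 30001 (e.g. 29000)"),
    (re.compile(r"exceed thread limit \d+"),
     "udp_gsp.csvr.max_conns", "raise it (up to 512) only if CPU and memory are not short"),
    (re.compile(r"can't verify reverse address - lookup does not include original address"),
     "smtpd.verify_reverse_lookup", "set False only if warnings are excessive; True is the secure default"),
    (re.compile(r"401 Internal error: received TCP packet with flags 0xc2"),
     "tcpap-gsp.enable_ecn_flag / driver.global.flagcheck_enabled", "set 1 / false to pass ECN bits"),
]

# Constructed sample log lines, not real SEF output.
SAMPLE_LOG = """\
Jun 10 09:00:01 fw udp-gsp[412]: 523 Resource allocation failure: could not allocate port (Resource temporarily unavailable)
Jun 10 09:00:02 fw udp-gsp[412]: 523 Resource allocation failure: could not allocate port (Resource temporarily unavailable)
Jun 10 09:00:05 fw udp_gsp[412]: exceed thread limit 256
Jun 10 09:00:06 fw udp_gsp[412]: exceed thread limit 256
Jun 10 09:00:07 fw udp_gsp[412]: exceed thread limit 256
Jun 10 09:01:00 fw smtpd[501]: host.xyz.com 192.0.2.10: can't verify reverse address - lookup does not include original address: 192.0.2.11
Jun 10 09:02:00 fw tcpap-gsp[617]: 401 Internal error: received TCP packet with flags 0xc2 from driver
Jun 10 09:03:00 fw httpd[700]: 121 Statistics: duration=1.2 sent=512 rcvd=2048
"""

def scan_log(lines: Iterable[str]) -> Dict[str, int]:
    """Count, per parameter, the log lines matching one of the article's messages."""
    hits: Counter = Counter()
    for line in lines:
        for pattern, param, _advice in SIGNATURES:
            if pattern.search(line):
                hits[param] += 1
                break
    return dict(hits)

def recommendations(hits: Dict[str, int], min_hits: int = 2) -> List[str]:
    """One line of advice per parameter seen at least min_hits times; a single
    occurrence is not worth a configuration change (threshold is a constructed choice)."""
    out = []
    for _pattern, param, advice in SIGNATURES:
        n = hits.get(param, 0)
        if n >= min_hits:
            out.append(f"{param}: {n} hits; {advice}")
    return out
```

Treat the output as a prompt to check CPU and memory usage first, as the udp_gsp.csvr.max_conns entry advises, not as an automatic change.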


Additional performance enhancement suggestions:

Disable reverse look-up
If your network does not require strict reverse look-up verification, disabling reverse look-up checking can be the most effective performance tuning change possible. This change results in significantly faster initial client access to your firewall.


Note: Depending upon your firewall configuration, you may lose access to certain features such as the use of domain network entities (for transparent or nonproxy access) and host name logging on your firewall by disabling the reverse look-up.
More details are provided in the Symantec Knowledge Base article How to disable reverse look-up.


Disable normal activity logging
If you do not audit your normal logs for the large number of 121 statistic messages they contain, you may disable the "Log Normal Activity" option on your rules to help speed performance on busy firewall computers. Errors and failed access attempts are still logged with this setting disabled.

To disable normal activity logging
  1. Connect to the firewall with the Symantec Raptor Management Console (SRMC).
  2. In the left pane, expand Access Controls.
  3. Click Rules.
  4. In the right pane, double-click the rule that you need to alter.
  5. In the Rule Properties dialog box, on the Miscellaneous tab, uncheck Log Normal Activity.
  6. Click OK.
  7. Save and reconfigure the firewall.

Block unwanted traffic with an interface filter
Unnecessary traffic uses up processing time and memory, taking those resources away from the traffic that you want to pass through the firewall. An interface filter drops this traffic long before it reaches the application proxies, so denying the traffic you do not want costs much less processing power.
Symantec strongly recommends that you read and implement the procedures that are described in the following Symantec Knowledge Base articles:


Document ID: 2003061018150754
Last Modified: 01/26/2006
Date Created: 06/10/2003
Operating System(s): Windows NT 4.0, Windows 2000
Product(s): Symantec Enterprise Firewall 7.x
Release(s): Symantec Enterprise Firewall 7.0, Symantec Enterprise Firewall 7.04


