The Device > Advanced Settings page is for advanced administrators or Check Point Support. You can configure values for multiple advanced settings for the various blades.

Important - Changing these advanced settings without fully understanding them can be harmful to the stability, security, and performance of this appliance. Continue only if you are certain that you understand the required changes.

For further details regarding the attributes, consult with Check Point Support when necessary.

The search results are dynamically shown as you type. To cancel the filter, click X next to the search string.

Configure the settings, or click Restore Defaults to reset the attribute to the default settings. For more details on the attributes, see the next sections.

To reset all the appliance attributes to the default settings:

From the Advanced Settings window, click Restore Defaults. All appliance attributes are reset to the default settings.

Table: Administrators RADIUS authentication Attributes

Administrators RADIUS authentication Attribute

Perform local administrator authentication only if RADIUS server is not configured or is inaccessible.

Aggressive Aging helps manage the connections table capacity and memory consumption of the firewall to increase durability and stability.

Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections, until memory consumption or connections capacity decreases back to the desired level.

Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a Denial of Service attack.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the "eligible for deletion" list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no "eligible for deletion" connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold.

Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic.

The major benefit of Aggressive Aging is that it starts to operate when the machine still has available memory and the connections table is not entirely full. This way, it reduces the chances of connectivity problems that might have occurred under low-resource conditions.

To configure when the Aggressive Aging timeouts are enforced:

Select Enable Aggressive Aging of connections when appliance is under load.

To log Aggressive Aging events, select Log Aggressive Aging events. The logs are shown in Logs & Monitoring > Security Logs under the IPS blade.

Select the checkboxes of the Aggressive Aging Timeouts that you want to enforce and enter the Aggressive Aging timeout. Make sure that the Aggressive timeouts are lower than the default timeouts. The default timeouts can be viewed and configured in the Device > Advanced Settings > Stateful Inspection attributes.
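The Aggressive Aging deletion rule described on this page, as a small Python simulation that compares a connections table with and without it (an added example, not Check Point code). The capacity of 1000, the 80% threshold, the 60-second aggressive timeout and the traffic pattern are assumed values, and only the connections-table threshold is modeled, not memory consumption.

```python
BATCH = 10  # per the page: ten eligible connections are deleted per new connection

class ConnTable:
    """Toy connections table. Capacity, threshold and timeouts are assumed values."""
    def __init__(self, aggressive, capacity=1000, threshold_pct=80,
                 default_timeout=3600, aggressive_timeout=60):
        self.aggressive = aggressive
        self.capacity = capacity
        self.limit = capacity * threshold_pct // 100   # enforcement limit
        self.default_timeout = default_timeout
        self.aggressive_timeout = aggressive_timeout   # must be below the default
        self.last_seen = {}                            # connection id -> last packet time
        self.peak = 0

    def _idle_longer_than(self, timeout, now):
        return [c for c, t in self.last_seen.items() if now - t > timeout]

    def packet(self, conn, now):
        """Handle one packet; return False if a new connection cannot be stored."""
        for c in self._idle_longer_than(self.default_timeout, now):
            del self.last_seen[c]                      # normal expiry
        if conn not in self.last_seen:
            if self.aggressive and len(self.last_seen) > self.limit:
                # Over the threshold: delete up to ten "eligible for deletion" entries.
                for c in self._idle_longer_than(self.aggressive_timeout, now)[:BATCH]:
                    del self.last_seen[c]
            if len(self.last_seen) >= self.capacity:
                return False                           # table full, connection refused
        self.last_seen[conn] = now
        self.peak = max(self.peak, len(self.last_seen))
        return True

def simulate(aggressive, seconds=600, flood_per_sec=5):
    """Constructed load: idle one-packet flood plus clients that stay active."""
    table, refused = ConnTable(aggressive), set()
    for now in range(seconds):
        for client in range(now // 5 + 1):             # a new client every 5 s
            if (now - 5 * client) % 20 == 0:           # each sends a packet every 20 s
                if not table.packet(("client", client), now):
                    refused.add(client)
        for k in range(flood_per_sec):                 # flood entries never send again
            table.packet(("flood", now, k), now)
    return len(refused), table.peak

if __name__ == "__main__":
    for mode in (False, True):
        print("aggressive aging", mode, "-> (refused clients, peak table size)", simulate(mode))
```

Active clients are never deleted because their idle time stays below the aggressive timeout; only the idle flood entries become "eligible for deletion".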