Posted on Nov 23rd, 2010 by Michael Hamelin

It starts in a few days - crowds will go shopping, transaction rates will reach new peaks and your web servers will be loaded to maximum capacity. Just a little bit more, and they will fall over - causing downtime and disrupting business. What can you do to avoid this scenario?

  • First, start monitoring now! The firewall is ideally placed for monitoring connection rates. Make sure that logs are being generated. If you are not recording firewall performance stats, turn it on now, before you need it.
  • Next, start looking for anything that can cause an interruption of service due to resource exhaustion. What is your firewall connection table limit? If it was 25,000 last year, should it be a little higher this year?
  • Take a look at what your peak was last year and what your peak has been so far this year. Plan for somewhere between 20% and 200% depending on your business model. You want to make sure you don't hit your max connections at this time of year. Often we set this number low enough to stop a denial-of-service, but at this time of year we are expecting that sudden burst of connections.
  • Make sure you print out some hard copies of performance trends from last year. It is much easier if you already have them handy when you are trying to understand this year's trend.
  • Also take a look at all of your disk drives. Logically, do you have plenty of free space? Don't forget to physically walk to your firewalls and make sure there are no failed drives with the little red lights on. With firewalls tucked away in data centers, and drives in RAID, we sometimes forget to look for faults on devices, like a failed drive in a RAID mirror set.

One of our users explained the following technique:

  • Monitor the connection rate through the firewall
  • Get alerted when certain thresholds are reached and decide what to do based on the trends

Monitoring Firewall Connections with SecureTrack

If you use SecureTrack, it can monitor firewall connections using the firewall OS monitoring facility.

SecureTrack actually monitors a variety of parameters such as CPU usage, memory, packets (accepted, dropped etc.), processes and disk space. You can also define thresholds and receive e-mail alerts that include the recent trend.

When a connection threshold is reached, you can perform additional analysis to determine the cause of the traffic. Run a rule and object usage report to pinpoint the exact rules, networks and services that cause the high connection rate.
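The threshold-and-trend check described above, as an added example that is not from the original post and not SecureTrack's own code. The hourly connection counts, the 25,000-entry table limit, last year's peak and the warning/critical percentages are constructed assumptions; the 20% to 200% growth band comes from the post.

```python
# Constructed sample: concurrent connections read from the firewall's
# performance stats, one sample per hour on a peak shopping day.
SAMPLES = [
    ("2010-11-26T08:00", 9_800),
    ("2010-11-26T09:00", 14_200),
    ("2010-11-26T10:00", 17_900),
    ("2010-11-26T11:00", 21_300),
    ("2010-11-26T12:00", 23_100),
    ("2010-11-26T13:00", 22_600),
]
TABLE_LIMIT = 25_000      # assumed firewall connection-table limit
LAST_YEAR_PEAK = 18_000   # assumed peak concurrent connections last year


def capacity_plan(last_year_peak, growth_low=0.20, growth_high=2.00):
    """Connection counts to plan for: last year's peak plus 20% to 200% growth."""
    return (round(last_year_peak * (1 + growth_low)),
            round(last_year_peak * (1 + growth_high)))


def check(samples, table_limit, warn_pct=0.70, crit_pct=0.90, window=3):
    """Raise an alert for every sample above the warning threshold.

    Each alert carries the table utilisation and whether the last `window`
    samples were strictly rising, so the on-call engineer can judge the
    trend (a rising 90% is far more urgent than a falling one).
    """
    alerts = []
    for i, (ts, conns) in enumerate(samples):
        util = conns / table_limit
        if util < warn_pct:
            continue
        recent = [c for _, c in samples[max(0, i - window):i + 1]]
        rising = all(a < b for a, b in zip(recent, recent[1:]))
        trend = "rising" if rising else "flat/falling"
        level = "CRITICAL" if util >= crit_pct else "WARNING"
        alerts.append((ts, level, round(util, 2), trend))
    return alerts


if __name__ == "__main__":
    low, high = capacity_plan(LAST_YEAR_PEAK)
    print(f"plan for {low} to {high} connections; table limit is {TABLE_LIMIT}")
    if high > TABLE_LIMIT:
        print("table limit is below the upper planning figure: consider raising it")
    for ts, level, util, trend in check(SAMPLES, TABLE_LIMIT):
        print(f"{ts} {level}: {util:.0%} of table, trend {trend}")
```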

We're interested in your feedback - what anti-overload techniques do you use?

Michael and Reuven