Nokia checkpoint : Delta between traffic and packet number

stekut
Posts: 18
Joined: Wed Nov 15, 2006 5:14 am

Post by stekut »

Hi all,

I recently added the following graphs :

Checkpoint : traffic (bits/second per interface)
Checkpoint : accepted packets/second (per interface)
Checkpoint : dropped packets/second (per interface)

No packets are rejected/logged.
In my mind, since our packet size is 1500 bytes (max), the following inequality should hold:

traffic <= (accepted + dropped ) * 1500 * 8

(* 8 to convert to bits)

When I look at my graphs, traffic shows 30 Mbits/second, whereas I only have 100 accepted packets and 17 dropped packets ((100+17)*1500*8 = 1,4 Mbits/second), so there's a huge difference.

Maybe I forgot something, but I can't find what!
Does anyone have an idea ?

Thanks for your help.
stekut
Posts: 18
Joined: Wed Nov 15, 2006 5:14 am

Post by stekut »

UP, does nobody work on Nokia firewall statistics?
Am I the only one to have this strange behaviour?
Kenny
Posts: 15
Joined: Wed Oct 13, 2004 6:58 am

Post by Kenny »

Your equation is not correct.

The number of packets CheckPoint reports is the number of accepted packets that are logged. This is also the case with the dropped packet-count.

So, in an environment where there are few connections with huge packet-flows (like an ftp-site with large files and few users), you could see a low number of connections but a large number of bits.

CheckPoint only logs the establishment of connections (after the 3-way handshake) or the drop/reject of this connection attempt if unsuccessful.

Besides, not every packet that goes through your firewall will be 1500 bytes...
stekut
Posts: 18
Joined: Wed Nov 15, 2006 5:14 am

Post by stekut »

Are you sure that accepted/dropped packets in SNMP means accepted/dropped AND logged???
It would mean that if you forget to log everything (and I can't log everything, it would take too much space!), you can't trust your statistics since they differ from reality.

When I look at CHECKPOINT-MIB, it's not mentioned:

fwlfacceptPcktsIn ---> Number of accepted packets in the inbound direction
fwlfAcceptPcktsOut ---> Number of accepted packets in the outbound direction
fwDropPcktsIn ---> Number of dropped packets in the inbound direction
fwDropPcktsOut ---> Number of dropped packets in the outbound direction

Where did you get this information ?

Concerning the packets' size, since my MTU is 1500 bytes, how could I have packets bigger than that ?