max_conn & emb_limit

tonny_ecmyy · ‎11-15-2006

Hi there,

What is the recommended value for the max_con & emb_limit

for example (web server)

static (inside,outside) 211.211.211.2 192.168.1.2 netmask 255.255.255.255 0 0

i set to 80 30, still the webserver cannot be access with tcp syn flood continuously (for testing only)

i'm using pix506e, 6.3(5)

thanks

a.kiprawih · ‎11-15-2006

It really depends on your server's capabilities in handling connection/application request plus cpu/ram power. I would say no exact figure for that.

Maybe you can set a threshold of max conn to 1000 max connection, but set the half-open session @ embryonic level/limit to 200 or less.

This (emb_limit) at least allows you to control syn request to the server (and tcp sync attack), and see if you need to increase, maintain or lower the number.

But if you expect huge traffic or many users to access it, i.e e-commerce server/application, you can probably set the emb_limit higher and set the max conn to bigger no. But start at relatively smaller than 5,000 max connection or less.

Need to consider your internet line/bandwidth, i.e huge data to download vs smaller bandwidth or the other way round, as well as your PIX capacity in handling incoming connection (i.e PIX 506E vs PIX535 in handling expected 100,000 concurrent connection).

HTH

AK

tonny_ecmyy · ‎11-16-2006

Thanks for taking your time replying my message, good info for me, thanks dude..