CKPfw fwx_backw reaching 25000

On November 30, 2001, I posted the following message on comp.security.firewalls and FW-1 Wizards concerning a problem we were having with the reverse NAT table on Check Point FireWall-1:

Hello. We are running CKPfw 4.0 build 4303 on Solaris 7.

Recently, we have noticed many syslog messages of:
Nov 29 14:48:02 nsmmfw02 unix: FW-1: fw_init_xlation_tables: fw_xlate_set_tables failed
Nov 29 14:48:02 nsmmfw02 unix: FW-1: fw_xlate_forw: failed to initialize the connection

After doing some research, it is apparent that we are reaching our fwx_backw
NAT limit:
# ./fw tab -t fwx_forw -t fwx_backw -t connections -s
HOST       NAME         ID    #VALS
localhost  fwx_forw     8189   2674
localhost  fwx_backw    8188  24870
localhost  connections    18   2740

I have read on how to increase this value, but I have a few questions before
I do so:

1. Should I be concerned that fwx_forw and fwx_backw are significantly
different values?
2. What would account for the discrepancy?
3. Could this be caused by an internal portscan? A service that is attempting
to be NATed (snmp, GRE) that shouldn't be (I did a cursory check for this)?
We don't have an IDS installed on the firewall, but if something like snort
would help, I would definitely install it soon.
4. What exactly does fwx_forw and fwx_backw mean? I was thinking it was the
number of packets that required forward and reverse NAT, respectively.
5. Any other suspect network traffic I should look for?

Thanks in advance for your help! I am by no means very experienced with
Checkpoint, but was unfortunately unable to resolve this by checking Phoneboy
and some other Deja searches.

Kind regards,

Brandon Hutchinson

-----

Since then, I've heard from a number of users who have been experiencing the same problem. Here is one response I received from a member of the FW-1 Wizards list:

Subject: RE: [fw1-wizards] fwx_backw reaching 25000
Date: Sat, 1 Dec 2001 15:39:43 +0100
From: "Gerard Hooft" <postmaster@hooft.demon.nl>
To: "'Brandon Hutchinson'"

Hi, we are running CP4.1 SP2 on Solaris 2.6. We have the same problem. The
questions you have were answered for us by Checkpoint. Next week we will build
a test environment to see what the impact of increasing the size is.
In general, Checkpoint says it will not decrease the performance, but you have to
stick to the procedure from the Checkpoint site. If you don't, it will
possibly bring your firewall down. Some answers we got I filled in below.
Advice from Checkpoint is to upgrade to 4.1 sp3 minimum and increase the size
of the table to 50000. In our case the connections table is also bigger:
about 8000 entries, and we expect it to grow fast.

Gerard Hooft

From: Brandon Hutchinson
Sent: Friday, 30 November 2001 15:57
To: fw1-wizards@lists.phoneboy.com
Subject: [fw1-wizards] fwx_backw reaching 25000

1. Should I be concerned that fwx_forw and fwx_backw are significantly
different values?

There are fixes for the address translation tables in CP4.1 sp3. This means
in older versions the fwx_backw table isn't always cleaned up correctly.
Some entries will stay in there forever until you reboot. This also explains
the different values in forw. and backw.

2. What would account for the discrepancy?

Bug.

3. Could this be caused by an internal portscan? A service that is
attempting to be NATed (snmp, GRE) that shouldn't be (I did a cursory check for this)?
We don't have an IDS installed on the firewall, but if something like snort would help, I would definitely install it soon.

No, only if both tables are filled up could this be a reason.

4. What exactly does fwx_forw and fwx_backw mean? I was thinking it was the
number of packets that required forward and reverse NAT, respectively.

It is the number of entries in the translation tables, so it should be the
actual connections that are translated.
Which table is used depends on the direction of the traffic that has to be
translated: incoming, the entry uses the forw table; the returning packets use
the backw table.

5. Any other suspect network traffic I should look for?

Not directly.

-----

In our case, a reboot of the firewall was necessary to clear the stale entries out of the fwx_backw table; stopping and starting Check Point FireWall-1 did not clear the table. Also, we were at the latest Service Pack for our version of Check Point FireWall-1.

Our version:
# ./fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.0 Build 4304 [VPN + DES + STRONG]

We have not had the problem recur since rebooting the firewall, and have not been able to identify a cause of the problem. However, this link suggests that an internal portscan or trojan horse could cause the problem.
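The practical takeaway from the thread is that the table counts from `fw tab -s` are worth watching before the fwx_backw ceiling is hit, and that a reverse-NAT table far larger than the forward table is itself a symptom of stale entries rather than of real traffic. The following POSIX shell script is an added example written for this page, not code from the original post or from Check Point. It parses the `#VALS` column of `fw tab -s` output, warns when any table approaches the limit, flags a fwx_backw/fwx_forw skew, and counts the fw_xlate errors in a syslog extract. The limit of 25000 is the ceiling reported in the post; the 80% warning threshold, the 3x skew ratio, and the sample output and syslog lines embedded below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): watch FireWall-1 NAT table
# occupancy and the fw_xlate syslog errors described in the post.

# Assumptions: 25000 is the default table size the post reports reaching;
# the warning percentage and skew ratio are our own choices, not Check Point's.
TABLE_LIMIT=${TABLE_LIMIT:-25000}
WARN_PCT=${WARN_PCT:-80}
SKEW_RATIO=${SKEW_RATIO:-3}

# Constructed sample of `fw tab -t fwx_forw -t fwx_backw -t connections -s`
# output, using the counts quoted in the post.
SAMPLE_FWTAB='HOST NAME ID #VALS
localhost fwx_forw 8189 2674
localhost fwx_backw 8188 24870
localhost connections 18 2740'

# Constructed sample of a firewall that is nowhere near the limit.
SAMPLE_HEALTHY='HOST NAME ID #VALS
localhost fwx_forw 8189 1200
localhost fwx_backw 8188 1250
localhost connections 18 1300'

# Constructed syslog extract: the two error lines from the post plus one
# unrelated line that must not be counted.
SAMPLE_SYSLOG='Nov 29 14:48:02 nsmmfw02 unix: FW-1: fw_init_xlation_tables: fw_xlate_set_tables failed
Nov 29 14:48:02 nsmmfw02 unix: FW-1: fw_xlate_forw: failed to initialize the connection
Nov 29 14:48:05 nsmmfw02 sshd[1234]: Accepted publickey for admin from 10.0.0.5'

# table_vals NAME: read fw tab -s output on stdin, print the #VALS count for
# table NAME (0 if the table is not listed).
table_vals() {
    awk -v t="$1" '$2 == t { print $4; found = 1 }
                   END { if (!found) print 0 }'
}

# count_xlate_failures TEXT: number of fw_xlate error lines in a syslog extract.
count_xlate_failures() {
    printf '%s\n' "$1" |
        awk '/fw_xlate_set_tables failed|failed to initialize the connection/ { n++ }
             END { print n + 0 }'
}

# check_tables: read fw tab -s output on stdin and report. Exit status:
#   0  all tables below WARN_PCT of TABLE_LIMIT and no skew
#   1  at least one table at or above WARN_PCT of TABLE_LIMIT
#   2  fwx_backw exceeds SKEW_RATIO times fwx_forw (stale reverse entries),
#      which takes precedence over status 1
check_tables() {
    input=$(cat)
    rc=0
    for t in fwx_forw fwx_backw connections; do
        n=$(printf '%s\n' "$input" | table_vals "$t")
        pct=$(( n * 100 / TABLE_LIMIT ))
        if [ "$pct" -ge "$WARN_PCT" ]; then
            echo "WARN: $t has $n entries (${pct}% of $TABLE_LIMIT)"
            rc=1
        fi
    done
    forw=$(printf '%s\n' "$input" | table_vals fwx_forw)
    backw=$(printf '%s\n' "$input" | table_vals fwx_backw)
    if [ "$forw" -gt 0 ] && [ "$backw" -gt $(( forw * SKEW_RATIO )) ]; then
        echo "WARN: fwx_backw ($backw) is more than ${SKEW_RATIO}x fwx_forw ($forw); stale reverse-NAT entries likely"
        rc=2
    fi
    return $rc
}

# Demonstration on the constructed sample. On a real module replace the
# printf with:  fw tab -t fwx_forw -t fwx_backw -t connections -s | check_tables
rc=0
printf '%s\n' "$SAMPLE_FWTAB" | check_tables || rc=$?
echo "check_tables exit status: $rc"
echo "fw_xlate errors in sample syslog: $(count_xlate_failures "$SAMPLE_SYSLOG")"
```

Run from cron on the firewall module and pipe the real `fw tab` output into `check_tables`; a status of 2 is the pattern this page describes (forward table small, reverse table near the ceiling), and the syslog count rising alongside it means translation for new connections is already failing.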

Last modified: 09/29/2004