My question isn't so much *how* to do it, but how to establish a baseline. My plan is to apply this globally and not worry about connection settings for specific hosts behind the pix. In other words I want to make sure the values for maximum connections, embryonic, etc, are set higher than the peaks we might see during normal operations (perhaps arbitrarily double/triple them). Many of the hosts behind the pix are web servers so advice on how I might adjust timeouts would be helpful as well.
Can someone tell me how I might best determine the baselines for my network for the settings under "set connection <attribute> <value>":
set connection conn-max <value>
set connection embryonic-conn-max <value>
set connection per-client-embryonic-max <value>
set connection per-client-max <value>
set connection random-sequence-number enable
set connection timeout embryonic <value>
set connection timeout half-closed <value>
set connection timeout tcp <value>
(See the config snippet at the bottom)
I've run a "sh conn detail" and I'm assuming that I can take the information for the TCP connections (example):
TCP Interface1:220.127.116.11/25 Interface2:18.104.22.168/1474 flags saA
...and then, after taking multiple samples over the course of a week or so, use the connection flags to determine what values I should apply to the "set connection" attributes, correct? Does someone have a good idea on how to accomplish this? Does the pix maintain these counts somewhere? I ran a query in SQL to get the current counts of distinct flags offline.
3912 in use, 5365 most used
Here is an example taken from the Cisco Wiki. It appears the values below would be much lower than I need:
Also, how does the threat detection built into the PIX work compared to using the policy map above? Does it work in conjunction by using these values as its baseline for threat detection or are the settings completely independent? It seems like the settings for threat detection cross over a bit with the policy map connection settings for things like connection limits, etc.
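As an added example (not part of the original post), a small Python script that does the counting described above: it parses constructed `show conn detail` lines, treats TCP connections that have not reached the `U` (up) state as embryonic, tracks per-client counts, and multiplies the peak across samples by a headroom factor. The flag letters follow the PIX/ASA `show conn` legend; the sample lines and the choice of the Interface2 side as "the client" are assumptions.

```python
import re
from collections import Counter

# Constructed "show conn detail" samples (not from the original post). Flag
# letters follow PIX/ASA conventions: 'U' = handshake completed (up), 's'/'a'/'A'
# = SYN or ACK still awaited (embryonic), 'h' = half-closed.
SAMPLES = [
    """TCP Interface1:203.0.113.10/25 Interface2:192.0.2.20/1474 flags saA
TCP Interface1:203.0.113.10/80 Interface2:192.0.2.21/40001 flags UIO
TCP Interface1:203.0.113.10/80 Interface2:192.0.2.22/40002 flags UIOh
TCP Interface1:203.0.113.11/443 Interface2:192.0.2.21/40003 flags UIO""",
    """TCP Interface1:203.0.113.10/80 Interface2:192.0.2.21/40010 flags UIO
TCP Interface1:203.0.113.10/80 Interface2:192.0.2.21/40011 flags saA
TCP Interface1:203.0.113.10/80 Interface2:192.0.2.21/40012 flags saA
TCP Interface1:203.0.113.11/443 Interface2:192.0.2.23/40013 flags U""",
]

CONN_RE = re.compile(r"^TCP \S+:[\d.]+/\d+ \S+:(?P<client>[\d.]+)/\d+ flags (?P<flags>\S+)")

# Map one sample to the quantities the "set connection" limits are about.
def summarize(sample):
    stats, per_client, per_client_emb = Counter(), Counter(), Counter()
    for line in sample.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        flags, client = m.group("flags"), m.group("client")  # Interface2 side = client (assumption)
        stats["conn"] += 1
        per_client[client] += 1
        if "U" not in flags:            # three-way handshake not finished -> embryonic
            stats["embryonic"] += 1
            per_client_emb[client] += 1
        if "h" in flags:                # half-closed, relevant to the half-closed timeout
            stats["half_closed"] += 1
    stats["per_client_max"] = max(per_client.values(), default=0)
    stats["per_client_emb_max"] = max(per_client_emb.values(), default=0)
    return stats

# Peak of each quantity across all samples, times the headroom the poster
# suggested (double/triple), as candidate values for the policy-map limits.
def recommend(samples, headroom=3):
    peak = Counter()
    for s in samples:
        for k, v in summarize(s).items():
            peak[k] = max(peak[k], v)
    return {"conn-max": peak["conn"] * headroom,
            "embryonic-conn-max": peak["embryonic"] * headroom,
            "per-client-max": peak["per_client_max"] * headroom,
            "per-client-embryonic-max": peak["per_client_emb_max"] * headroom}
```

Feed it the saved output of repeated `show conn detail` runs instead of the constructed samples; the two per-client figures are the ones that matter most if a single busy proxy or NAT gateway sits in front of many users.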