Forefront TMG Firewall Packet Engine Test
In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) keeps track of the state of network connections (such as TCP streams or UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected/dropped. Packet drops may also occur if the firewall is handling more traffic than it can process. To be able to differentiate between these two conditions, administrators should keep track of the packets and connections flowing into the firewall. This is where the Forefront TMG Firewall Packet Engine test helps!
The test monitors the traffic flowing through the firewall and reports the rate at which packets are allowed to pass through the firewall. In addition, this test reports the number of dropped, blocked, and backlogged packets, thereby shedding light on what caused the packet drop – genuine packet filtering performed by the firewall or an overload condition on the firewall.
Target of the test : A Forefront TMG Server
Agent deploying the test : An internal agent
Outputs of the test : One set of results for the Forefront TMG that is to be monitored.
Parameter | Description |
---|---|
Test Period | How often should the test be executed. |
Host | The IP address of the host for which this test is to be configured. |
Port | The port at which the specified host listens. By default, this is 1745. |
IsPassive | If this parameter is set to Yes, then it means that, by default, all the Forefront TMG servers being monitored by the eG system are the passive servers of a Forefront TMG cluster. No alerts will be generated if the servers are not running. Measures will be reported as “Not applicable” by the agent if the servers are not up. |
Measurement | Description | Measurement Unit | Interpretation |
---|---|---|---|
Total Packets | Indicates the rate at which the packets were inspected by this firewall. | Packets/Sec | |
Allowed packets | Indicates the rate at which the packets were allowed to pass through this firewall. | Packets/Sec | A high value is desired for this measure. This measure clearly indicates the load on the firewall. |
Backlogged packets | Indicates the number of packets that are backlogged, i.e., the packets that are waiting for the firewall packet engine to create a data pump in the Forefront TMG server. | Number | A low value is desired for this measure. This measure can directly have an impact on the Dropped packets measure and vice versa. If there is a steady rise in both the measures simultaneously, or if the value of this measure suddenly increases with an immediate rise in the Dropped packets measure, it clearly indicates that the Forefront TMG is not capable of handling the current volume of traffic. If this case occurs consistently even after you observe a constant value in the Active Connections measure, then it is an indication of a bottleneck or capacity constraint with one of the dependent systems of the Forefront TMG, such as the DNS or Active Directory. |
Dropped packets | Indicates the rate at which the packets were dropped by this firewall. | Packets/sec | A low value is desired for this measure. If there is a consistent increase in the value of this measure without a corresponding rise in the value of the Backlogged packets measure, it clearly indicates that the Forefront TMG is either processing a lot of malicious traffic or is under attack. |
Data passed rate | Indicates the rate at which data is allowed to pass through this firewall. | KB/sec | |
Connections created | Indicates the rate at which new connections were created on the Forefront TMG server. | Connections/sec | A high value is desired for this measure. A sudden decrease in the value may point to a processing bottleneck with the Forefront TMG. |
Enqueued log items | Indicates the rate at which the logs were enqueued in this firewall. | Packets/sec | |
Packets blocked by NIS | Indicates the rate at which the packets were blocked by the Network Interface service (NIS) in kernel mode. | Packets/sec | |
Active Connections | Indicates the number of active connections through which data is currently passed to this firewall. | Number | Ideally, the value of this measure should be constant over a period of time. If the value of this measure increases suddenly, then it is a clear indicator of an overload condition. |
Avg packets blocked by NIS | Indicates the percentage of packets that were blocked by the NIS in kernel mode. | Percent | |
Dropped Packets ratio | Indicates the percentage of packets that were dropped by this firewall. | Percent | A low value is desired for this measure. |
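The interpretation rules given for the Backlogged packets, Dropped packets and Active Connections measures can be applied to a short window of consecutive samples to tell an overload apart from genuine filtering of hostile traffic. The following is an added Python example, not code from eG Enterprise or Forefront TMG; the sample values are constructed, and the tolerance used to call Active Connections "constant" and the ratio used to call a rise "sudden" are assumptions.

```python
"""Classify a window of Forefront TMG packet-engine samples (oldest first)
using the interpretation rules from the measure table above.
Sample values below are constructed for illustration."""


def rising(values):
    """True when every successive sample is strictly higher than the last."""
    return len(values) > 1 and all(b > a for a, b in zip(values, values[1:]))


def stable(values, tolerance):
    """True when the whole series stays within +/- tolerance of its first value."""
    return all(abs(v - values[0]) <= tolerance for v in values)


def classify(samples, conn_tolerance=50, jump_ratio=2.0):
    """samples: list of dicts with keys dropped (packets/sec), backlogged (number)
    and active_connections (number). Returns the condition the table describes.
    conn_tolerance and jump_ratio are assumed thresholds, not eG defaults."""
    if len(samples) < 2:
        return "insufficient data"
    dropped = [s["dropped"] for s in samples]
    backlog = [s["backlogged"] for s in samples]
    conns = [s["active_connections"] for s in samples]
    if rising(dropped) and rising(backlog):
        # Both rising together: TMG cannot handle the current traffic volume.
        # If Active Connections stayed flat meanwhile, suspect a dependent
        # system (DNS, Active Directory) rather than the firewall itself.
        if stable(conns, conn_tolerance):
            return "dependent-system bottleneck"
        return "overload"
    if rising(dropped):
        # Drops climbing with no backlog: the engine is filtering, not queueing.
        return "malicious traffic or attack"
    if conns[-1] >= conns[0] * jump_ratio:
        # Sudden jump in Active Connections is itself an overload indicator.
        return "overload"
    return "normal"


# Constructed sample windows, one per condition in the table.
SCENARIOS = {
    "overload": [dict(dropped=10, backlogged=5, active_connections=1000),
                 dict(dropped=20, backlogged=15, active_connections=1400),
                 dict(dropped=40, backlogged=30, active_connections=1900)],
    "bottleneck": [dict(dropped=10, backlogged=5, active_connections=1000),
                   dict(dropped=20, backlogged=15, active_connections=1010),
                   dict(dropped=40, backlogged=30, active_connections=990)],
    "attack": [dict(dropped=10, backlogged=5, active_connections=1000),
               dict(dropped=50, backlogged=4, active_connections=1050),
               dict(dropped=200, backlogged=5, active_connections=1100)],
    "normal": [dict(dropped=10, backlogged=5, active_connections=1000),
               dict(dropped=8, backlogged=5, active_connections=1020),
               dict(dropped=12, backlogged=5, active_connections=1010)],
}
```

Run `classify` over each window in `SCENARIOS` to see the four verdicts; with real eG data the window would be the last few collections of this test.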