Forefront TMG Firewall Packet Engine Test

In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) keeps track of the state of network connections (such as TCP streams and UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed through the firewall; all others are rejected or dropped. Packet drops may also occur when the firewall is handling more traffic than it can process. To be able to differentiate between these two conditions, administrators should keep track of the packets and connections flowing into the firewall. This is where the Forefront TMG Firewall Packet Engine test helps!

The test monitors the traffic flowing through the firewall and reports the rate at which packets are allowed to pass through it. In addition, this test reports the number of dropped, blocked, and backlogged packets, thereby shedding light on what caused the packet drops: genuine packet filtering performed by the firewall, or an overload condition on the firewall.

Target of the test: A Forefront TMG Server

Agent deploying the test: An internal agent

Outputs of the test: One set of results for the Forefront TMG that is to be monitored.

Configurable parameters for the test

Test Period
  Description: How often the test should be executed.

Host
  Description: The IP address of the host for which this test is to be configured.

Port
  Description: The port on which the specified host listens. By default, this is 1745.

IsPassive
  Description: If this parameter is set to Yes, then by default all the Forefront TMG servers monitored by the eG system are treated as the passive servers of a Forefront TMG cluster. No alerts will be generated if the servers are not running, and the agent will report the measures as "Not applicable" while the servers are down.

Measurements made by the test

Total Packets
  Description: Indicates the rate at which packets were inspected by this firewall.
  Unit: Packets/sec

Allowed packets
  Description: Indicates the rate at which packets were allowed to pass through this firewall.
  Unit: Packets/sec
  Interpretation: A high value is desired for this measure. This measure is a clear indicator of the load on the firewall.

Backlogged packets
  Description: Indicates the number of packets that are backlogged, i.e., packets waiting for the firewall packet engine to create a data pump in the Forefront TMG server.
  Unit: Number
  Interpretation: A low value is desired for this measure. This measure and the Dropped packets measure directly affect each other. A steady, simultaneous rise in both measures, or a sudden increase in this measure followed immediately by a rise in Dropped packets, clearly indicates that the Forefront TMG cannot handle the current volume of traffic. If this happens consistently while the Active Connections measure stays constant, it indicates a bottleneck or capacity constraint in one of the systems the Forefront TMG depends on, such as DNS or Active Directory.

Dropped packets
  Description: Indicates the rate at which packets were dropped by this firewall.
  Unit: Packets/sec
  Interpretation: A low value is desired for this measure. If this measure rises consistently without a corresponding rise in the Backlogged packets measure, it clearly indicates that the Forefront TMG is either processing a lot of malicious traffic or is under attack.

Data passed rate
  Description: Indicates the rate at which data is allowed to pass through this firewall.
  Unit: KB/sec

Connections created
  Description: Indicates the rate at which new connections were created on the Forefront TMG server.
  Unit: Connections/sec
  Interpretation: A high value is desired for this measure. A sudden decrease in the value may point to a processing bottleneck in the Forefront TMG.

Enqueued log items
  Description: Indicates the rate at which log items were enqueued by this firewall.
  Unit: Packets/sec

Packets blocked by NIS
  Description: Indicates the rate at which packets were blocked by the Network Interface service (NIS) in kernel mode.
  Unit: Packets/sec

Active Connections
  Description: Indicates the number of active connections currently passing data through this firewall.
  Unit: Number
  Interpretation: Ideally, the value of this measure should remain constant over time. A sudden increase in this measure is a clear indicator of an overload condition.

Avg packets blocked by NIS
  Description: Indicates the percentage of packets that were blocked by the NIS in kernel mode.
  Unit: Percent

Dropped Packets ratio
  Description: Indicates the percentage of packets that were dropped by this firewall.
  Unit: Percent
  Interpretation: A low value is desired for this measure.
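As an added example (not part of the eG documentation or the product), the interpretation rules given above for Backlogged packets, Dropped packets and Active Connections, applied to a window of consecutive polling samples so that an operator can tell overload, a dependent-system bottleneck and filtering of hostile traffic apart. The Sample field names, the sample windows and the conn_tolerance threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Sequence

@dataclass
class Sample:
    """One polling interval of the test's measures (field names are assumed)."""
    backlogged: int     # Backlogged packets (Number)
    dropped: float      # Dropped packets (Packets/sec)
    active_conns: int   # Active Connections (Number)

def rising(values: Sequence[float]) -> bool:
    """True when each interval is higher than the previous one (a steady rise)."""
    return len(values) > 1 and all(b > a for a, b in zip(values, values[1:]))

def steady(values: Sequence[float], tolerance: float) -> bool:
    """True when the series never strays more than `tolerance` from its first value."""
    return all(abs(v - values[0]) <= tolerance for v in values)

def classify(samples: List[Sample], conn_tolerance: int = 50) -> str:
    """Apply the interpretation rules to consecutive samples and name the condition."""
    # conn_tolerance (assumed) is how far Active Connections may move and still count
    # as "constant"; tune it to the monitored server's normal variation.
    backlog = [s.backlogged for s in samples]
    dropped = [s.dropped for s in samples]
    conns = [s.active_conns for s in samples]
    if rising(backlog) and rising(dropped):
        # Both rise together: the TMG cannot handle the current traffic volume.
        if steady(conns, conn_tolerance):
            # Load is flat yet packets still queue and drop: check DNS / Active Directory.
            return "dependent-system bottleneck"
        return "firewall overloaded"
    if rising(dropped) and not rising(backlog):
        # Drops without a backlog are deliberate filtering: malicious traffic or attack.
        return "filtering or attack"
    if conns[-1] - conns[0] > conn_tolerance:
        # Active Connections should stay constant; a sudden jump signals overload.
        return "overload (connection surge)"
    return "normal"

# Constructed sample windows (three polling intervals each), not real TMG data.
OVERLOAD = [Sample(10, 5.0, 800), Sample(40, 12.0, 900), Sample(90, 30.0, 1100)]
DEPENDENCY = [Sample(10, 5.0, 800), Sample(40, 12.0, 810), Sample(90, 30.0, 805)]
ATTACK = [Sample(5, 5.0, 800), Sample(4, 40.0, 810), Sample(5, 200.0, 805)]
SURGE = [Sample(5, 5.0, 800), Sample(5, 4.0, 800), Sample(6, 5.0, 2000)]
NORMAL = [Sample(5, 5.0, 800), Sample(4, 6.0, 810), Sample(5, 5.5, 795)]

if __name__ == "__main__":
    for name, window in [("overload", OVERLOAD), ("dependency", DEPENDENCY),
                         ("attack", ATTACK), ("surge", SURGE), ("normal", NORMAL)]:
        print(f"{name}: {classify(window)}")
```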