High state table timeout
-
We replaced two Sonicwall 4500s yesterday with one pfSense box. Very happy so far as the Sonicwalls were terrible. Just trying to understand how pfSense works.
One thing I noticed is that pfSense keeps ESTABLISHED TCP connections in the state table for a day when "Firewall optimization" is set to normal. I've used PIX and Sonicwalls mostly and I don't believe either kept these entries in the state table this long. I'm seeing close to 50k states when on the other firewalls at this time of day that number would be around 5k. Why does pfSense not age these out as fast as other firewalls? Any good reasons not to age these out faster via the aggressive setting or using the advanced option in a FW rule? If this long of a timeout is preferable to a shorter one I'm ok with that as well. Just trying to understand it.
-
If the connection isn't closed (by a FIN or RST), they sit there for a day waiting to time out. TCP connections will almost always be closed on their own though; in cases where they aren't, there generally is some kind of poorly behaving application involved, or maybe some other issue outside the firewall. You can change the state keeping to aggressive to time them out more quickly, but that sounds like an indication of some other problem.
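A way to check the reply's claim on your own box before touching the timeouts: pf's default `tcp.established` timeout is 86400 seconds (24 hours, per pf.conf(5)), and pf resets a state's remaining lifetime on every packet it matches, so `timeout - "expires in"` from `pfctl -vvss` tells you how long each ESTABLISHED state has gone without traffic. The script below is an added example, not code from either poster or from the pfSense project; it parses `pfctl -vvss`-style output, counts states by state pair, and lists established TCP states that have been idle longer than a threshold, which is the population a misbehaving application leaves behind. The sample output is constructed in the shape of that command and the column layout can differ between pf versions, so the regexes are deliberately tolerant; if you run with the adaptive state-policy timeouts, the real timeout shrinks as the table fills and the idle figure becomes an estimate.

```python
"""Find long-idle ESTABLISHED TCP states in `pfctl -vvss`-style output.

Added example for a pf/pfSense state table discussion; the sample below is
constructed, not captured from a real firewall.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Default pf timeout for tcp.established, in seconds (24 hours), per pf.conf(5).
TCP_ESTABLISHED_DEFAULT = 86400

# Constructed sample in the shape of `pfctl -vvss` on a pf firewall.
SAMPLE_OUTPUT = """\
all tcp 192.168.1.10:51234 -> 10.0.0.5:443       ESTABLISHED:ESTABLISHED
   [2763183651 + 65535] wscale 7  [1091281209 + 65535] wscale 7
   age 00:00:10, expires in 23:59:50, 11:9 pkts, 1222:3011 bytes, rule 10
   id: 5d2a1f4c00000001 creatorid: 12345678
all tcp 192.168.1.11:40001 -> 203.0.113.7:22       ESTABLISHED:ESTABLISHED
   age 09:15:02, expires in 20:15:00, 4:4 pkts, 320:280 bytes, rule 10
   id: 5d2a1f4c00000002 creatorid: 12345678
all tcp 192.168.1.12:40002 -> 203.0.113.9:80       FIN_WAIT_2:FIN_WAIT_2
   age 00:01:00, expires in 00:00:30, 9:8 pkts, 900:15000 bytes, rule 10
   id: 5d2a1f4c00000003 creatorid: 12345678
all udp 192.168.1.13:53000 -> 10.0.0.53:53       MULTIPLE:SINGLE
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 60:120 bytes, rule 12
   id: 5d2a1f4c00000004 creatorid: 12345678
"""

# State header: "<iface> <proto> <src> [(nat)] <dir> <dst> [(nat)] <state:state>".
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)(?:\s+\((?P<srcnat>[^)]*)\))?\s+"
    r"(?P<dir>->|<-|<->)\s+(?P<dst>\S+)(?:\s+\((?P<dstnat>[^)]*)\))?\s+(?P<state>\S+)\s*$"
)
# Detail line that carries the age and the remaining lifetime.
AGE_RE = re.compile(
    r"age (?P<age>\d+:\d+:\d+), expires in (?P<expires>\d+:\d+:\d+)"
    r"(?:, (?P<pkts>\d+:\d+) pkts)?"
)


def hms_to_seconds(hms: str) -> int:
    """Convert pfctl's HH:MM:SS field to seconds."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_states(text: str) -> List[Dict]:
    """Return one dict per state; sequence-number and id lines are skipped."""
    states: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        header = STATE_RE.match(line)
        if header:
            current = {
                "proto": header["proto"], "src": header["src"], "dst": header["dst"],
                "state": header["state"], "age": None, "expires": None, "pkts": None,
            }
            states.append(current)
            continue
        detail = AGE_RE.search(line)
        if detail and current is not None:
            current["age"] = hms_to_seconds(detail["age"])
            current["expires"] = hms_to_seconds(detail["expires"])
            if detail["pkts"]:
                current["pkts"] = tuple(int(p) for p in detail["pkts"].split(":"))
    return states


def count_by_state(states: List[Dict]) -> Counter:
    """Histogram of state pairs, e.g. ESTABLISHED:ESTABLISHED."""
    return Counter(s["state"] for s in states)


def idle_seconds(state: Dict, timeout: int) -> int:
    """pf refreshes expiry on each matching packet, so timeout minus the
    remaining lifetime is the time since the state last saw traffic."""
    return timeout - state["expires"]


def long_idle_established(states: List[Dict], min_idle: int,
                          timeout: int = TCP_ESTABLISHED_DEFAULT) -> List[Dict]:
    """Established TCP states idle for at least min_idle seconds."""
    hits = []
    for s in states:
        if (s["proto"] == "tcp" and s["state"] == "ESTABLISHED:ESTABLISHED"
                and s["expires"] is not None):
            idle = idle_seconds(s, timeout)
            if idle >= min_idle:
                hits.append({**s, "idle": idle})
    return hits


if __name__ == "__main__":
    # Pipe real output in (`pfctl -vvss | python3 pf_idle_states.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    parsed = parse_states(text)
    for pair, n in count_by_state(parsed).most_common():
        print(f"{n:6d}  {pair}")
    for s in long_idle_established(parsed, min_idle=3600):
        print(f"idle {s['idle'] // 3600}h{(s['idle'] % 3600) // 60:02d}m  "
              f"{s['src']} -> {s['dst']}  pkts {s['pkts']}")
```

On the constructed sample the second state (192.168.1.11 to port 22) shows up as idle for 3h45m with only four packets each way, which is the kind of entry to chase back to its client before shortening `tcp.established` for everyone: lowering the timeout hides the symptom but the application or the path that stopped sending FIN/RST is still there.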