eG Monitoring

Measures reported by FTMGFirewallPacTest

In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) keeps track of the state of network connections (such as TCP streams or UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed through the firewall; all others are rejected. Administrators will want to keep track of these packets and connections, because from them they can determine how well the firewall is handling its load. This is where the FTMGFirewallPacTest test helps!

The test monitors the traffic flowing through the firewall and reports the rate at which packets are allowed to pass and the rate at which data passes through the firewall. In addition, the test keeps track of the number of dropped, blocked and backlogged packets, which are key to judging the load-handling ability of the firewall. The test also reports how quickly new connections are created and how many active connections are currently passing data. This way, administrators can be proactively alerted about the level of traffic flowing through the firewall and the firewall's load-handling capability!

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Packets | Indicates the rate at which packets were inspected by this firewall. | Packets/sec | |
| AllowPacket | Indicates the rate at which packets were allowed to pass through this firewall. | Packets/sec | A high value is desired for this measure. This measure clearly indicates the load on the firewall. |
| BackLoggedPac | Indicates the number of packets that are backlogged, i.e., packets that are waiting for the firewall packet engine to create a data pump in the Forefront TMG server. | Number | A low value is desired for this measure. This measure can directly have an impact on the DroppedPac measure and vice versa. If there is a steady rise in both measures simultaneously, or if the value of this measure suddenly increases with an immediate rise in the DroppedPac measure, it clearly indicates that the Forefront TMG is not capable of handling the current volume of traffic. If this occurs consistently even while the ActConn measure stays constant, it indicates a bottleneck or capacity constraint in one of the systems the Forefront TMG depends on, such as DNS or Active Directory. |
| DroppedPac | Indicates the rate at which packets were dropped by this firewall. | Packets/sec | A low value is desired for this measure. If there is a consistent increase in the value of this measure without a corresponding rise in the value of the BackLoggedPac measure, it clearly indicates that the Forefront TMG is either processing a lot of malicious traffic or is under attack. |
| Bytes_Sec | Indicates the rate at which data is allowed to pass through this firewall. | KB/sec | |
| Connection_Sec | Indicates the rate at which new connections were created on the Forefront TMG server. | Connections/sec | A high value is desired for this measure. A sudden decrease in the value may point to a processing bottleneck or capacity constraint of the Forefront TMG. |
| LogItems | Indicates the rate at which log entries were enqueued in this firewall. | Packets/sec | |
| PacketsBlocked | Indicates the rate at which packets were blocked by the Network Interface service (NIS) in kernel mode. | Packets/sec | |
| ActConn | Indicates the number of active connections through which data is currently passing through this firewall. | Number | Ideally, the value of this measure should be constant over a period of time. If the value of this measure increases suddenly, it is a clear indicator of an overload condition on the Forefront TMG. |
| BlockedPacket_perc | Indicates the percentage of packets that were blocked by the NIS in kernel mode. | Percent | |
| avgDroppedPac | Indicates the percentage of packets that were dropped by this firewall. | Percent | A low value is desired for this measure. |
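The interpretation column above reads several measures together: BackLoggedPac and DroppedPac rising in step mean a capacity problem (and a dependency problem if ActConn stays flat), DroppedPac rising on its own suggests malicious traffic, a sudden jump in ActConn indicates overload, and a sudden fall in Connection_Sec indicates a processing bottleneck. The following script is an added example, not eG's own code, that encodes those rules over a short window of samples so the combinations can be evaluated automatically. The sample windows, the "sudden change" factor of 2x and the 10% stability tolerance are constructed assumptions for illustration; real thresholds should be tuned to the traffic baseline of the monitored server.

```python
"""Classify a window of FTMGFirewallPacTest samples against the interpretation
rules in the measure table (added example; thresholds are illustrative)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Sample:
    backlogged: int     # BackLoggedPac (Number)
    dropped: float      # DroppedPac (Packets/sec)
    act_conn: int       # ActConn (Number)
    conn_sec: float     # Connection_Sec (Connections/sec)


def rising(values):
    """True when every sample is strictly larger than the previous one (steady rise)."""
    return len(values) >= 2 and all(b > a for a, b in zip(values, values[1:]))


def stable(values, tolerance=0.10):
    """True when the whole series stays within +/- tolerance of its first value."""
    base = values[0]
    return all(abs(v - base) <= tolerance * max(abs(base), 1) for v in values)


def sudden_jump(values, factor=2.0):
    """True when the last sample is at least `factor` times the one before it."""
    return len(values) >= 2 and values[-2] > 0 and values[-1] >= factor * values[-2]


def sudden_drop(values, factor=0.5):
    """True when the last sample is at most `factor` times the one before it."""
    return len(values) >= 2 and values[-2] > 0 and values[-1] <= factor * values[-2]


def interpret(samples: List[Sample]) -> List[str]:
    """Apply the table's interpretation rules and return the findings, oldest sample first."""
    findings = []
    backlog = [s.backlogged for s in samples]
    dropped = [s.dropped for s in samples]
    act = [s.act_conn for s in samples]
    conn = [s.conn_sec for s in samples]

    # BackLoggedPac rule: both climbing together, or a backlog spike with an immediate rise in drops.
    both_rising = rising(backlog) and rising(dropped)
    backlog_spike = sudden_jump(backlog) and dropped[-1] > dropped[-2]
    if both_rising or backlog_spike:
        findings.append("capacity: Forefront TMG cannot handle the current traffic volume")
        if stable(act):
            findings.append("dependency: ActConn flat while backlog and drops climb; check DNS or Active Directory")
    # DroppedPac rule: drops rising without a matching rise in backlog.
    elif rising(dropped) and not rising(backlog):
        findings.append("security: drops rising without backlog; malicious traffic or attack suspected")

    # ActConn rule: a sudden increase signals overload.
    if sudden_jump(act):
        findings.append("overload: ActConn increased suddenly")
    # Connection_Sec rule: a sudden decrease signals a processing bottleneck.
    if sudden_drop(conn):
        findings.append("bottleneck: Connection_Sec fell suddenly; processing bottleneck or capacity constraint")
    return findings


# Constructed sample windows (oldest first); not real counter data.
ATTACK_WINDOW = [Sample(5, 10, 1000, 50), Sample(5, 40, 1010, 52),
                 Sample(6, 90, 1005, 49), Sample(5, 180, 1002, 51)]
CAPACITY_WINDOW = [Sample(10, 5, 2000, 60), Sample(40, 20, 2010, 58),
                   Sample(90, 60, 1990, 61), Sample(200, 150, 2005, 59)]
OVERLOAD_WINDOW = [Sample(2, 1, 500, 40), Sample(2, 1, 520, 41),
                   Sample(3, 2, 510, 42), Sample(3, 2, 1600, 12)]
HEALTHY_WINDOW = [Sample(1, 0.5, 800, 30), Sample(2, 0.4, 805, 31), Sample(1, 0.6, 798, 29)]

if __name__ == "__main__":
    for name, window in [("attack", ATTACK_WINDOW), ("capacity", CAPACITY_WINDOW),
                         ("overload", OVERLOAD_WINDOW), ("healthy", HEALTHY_WINDOW)]:
        print(name, "->", interpret(window) or ["no finding"])
```

The capacity window produces both the capacity and the dependency finding because ActConn never moves more than 10% while backlog and drops climb, which is exactly the combination the BackLoggedPac row singles out; the attack window produces only the security finding because backlog stays flat while drops multiply.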