eG Monitoring
 

Measures reported by FTMGFirwalSerTest

Even when target environments are protected by a firewall, network administrators need to check the health of that firewall from time to time. This can be achieved by continuously monitoring the firewall service's TCP connections, sessions, UDP connections, data transmission, and so on. The FTMGFirwalSerTest test does exactly that.

This test monitors the firewall service of the Forefront TMG and reports the following:

  • The numerical statistics of the active TCP, UDP connections and the sessions.
  • The number of active SIP sessions and SIP registrations
  • The rate at which data is read and written to the Forefront TMG
  • The number of active worker threads and the number of worker threads that are currently available

This way, network administrators can keep track of the firewall service and be proactively alerted to any discrepancies that occur in the Forefront TMG due to factors such as malicious content, non-availability of worker threads, TCP connections, etc.

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| AcceptTcpConnec | Indicates the number of connection objects that were waiting for a TCP connection from the Forefront TMG client after a successful remote connection is established. | Number | A high value could indicate an increase in the proxy server load, due to which fewer TCP connection requests are accepted. |
| ActiveSession | Indicates the number of active sessions for this firewall service. | Number | |
| ActiveSIPReg | Indicates the total number of active SIP (Session Initiation Protocol) registrations. | Number | |
| ActiveSIPSession | Indicates the total number of active SIP (Session Initiation Protocol) sessions. | Number | The Session Initiation Protocol (SIP) is a signaling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks. The protocol defines the messages that are sent between peers which govern establishment, termination and other essential elements of a call. SIP can be used for creating, modifying and terminating two-party (unicast) or multiparty (multicast) sessions consisting of one or several media streams. Other SIP applications include video conferencing, streaming multimedia distribution, instant messaging, presence information, file transfer, fax over IP and online games. |
| ActiveTCP | Indicates the number of active TCP connections that are currently passing data through this firewall. | Number | Connections that are not established and pending connections are not counted for this measure. |
| ActiveUDP | Indicates the number of active UDP connections for this firewall. | Number | |
| BytesRead_Sec | Indicates the rate at which data is read by the data pump of the Forefront TMG. | KB/sec | |
| BytesWrite_Sec | Indicates the rate at which data is written by the data pump of the Forefront TMG. | KB/sec | |
| FailedDNS | Indicates the number of gethostbyname and gethostbyaddr application programming interface (API) calls that have failed. | Number | The API calls are used to resolve host DNS domain names and IP addresses for Firewall service connections. |
| LogQueueSize | Indicates the size of the Forefront TMG log queue on disk. | KB | |
| PendingDNS | Indicates the number of gethostbyname and gethostbyaddr API calls that are currently pending resolution. | KB | Ideally, the value of this measure should be zero. Generally, the TMG firewall relies heavily on DNS to perform name resolution and authentication. Therefore, it is vital that name resolution be performed quickly and efficiently, especially for TMG firewalls that are joined to a domain. If this measure sustains a non-zero value for a longer period, then the name resolution infrastructure should be investigated closely. These are calls used to resolve host DNS domain names and IP addresses for Firewall service connections. |
| PendingTCP | Indicates the number of pending TCP connections. | KB | Ideally, the value of this measure should be zero. If the value of this measure increases in accordance with the PendingDNS measure, then it indicates that the current workload on the firewall is high and the firewall is incapable of handling such huge workloads. |
| WorkerThread | Indicates the total number of firewall service worker threads that are currently active. | Number | A high value is desired for this measure. This measure is a clear indicator of the load handling ability of the Forefront TMG. The higher the value, the more capable the Forefront TMG is of handling the current workload. |
| blockedConnNIS | Indicates the rate at which the connections were blocked by NIS in User mode. | Connections/sec | |
| DNSHit | Indicates the percentage of time the DNS domain name was found in the DNS cache of the firewall service. | Percent | A high value is desired for this measure. |
| availWorkerThr | Indicates the number of Firewall service worker threads that are available or waiting in the completion port queue. | Number | A large increase in this number may affect the performance of the host / applications. |
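
The PendingDNS and PendingTCP interpretations above can be applied to a history of polls as follows. This is an added example, not eG code: the sample values are constructed, and the three-poll window standing in for "a longer period" and the finding codes are assumptions.

```python
# Added example: sample values are constructed; SUSTAIN is an assumed window,
# not an eG or Forefront TMG default.
SUSTAIN = 3  # consecutive polls treated as "a longer period"

# One dict per measurement period, oldest first (constructed data).
SAMPLES = [
    {"PendingDNS": 0, "PendingTCP": 0},
    {"PendingDNS": 2, "PendingTCP": 1},
    {"PendingDNS": 5, "PendingTCP": 4},
    {"PendingDNS": 9, "PendingTCP": 8},
]

MESSAGES = {
    "DNS_BACKLOG": "PendingDNS sustained non-zero: investigate name resolution",
    "OVERLOAD": "PendingTCP rising with PendingDNS: firewall workload is high",
}


def sustained_nonzero(series, n=SUSTAIN):
    """True when the last n polls were all non-zero (ignores a one-off blip)."""
    return len(series) >= n and all(v > 0 for v in series[-n:])


def rising_together(a, b, n=SUSTAIN):
    """True when both series increased on every step across the last n polls."""
    pairs = list(zip(a, b))[-n:]
    return len(pairs) == n and all(
        cur[0] > prev[0] and cur[1] > prev[1]
        for prev, cur in zip(pairs, pairs[1:])
    )


def evaluate(samples, n=SUSTAIN):
    """Return finding codes for a history of polls, oldest first."""
    dns = [s["PendingDNS"] for s in samples]
    tcp = [s["PendingTCP"] for s in samples]
    findings = []
    if sustained_nonzero(dns, n):
        findings.append("DNS_BACKLOG")
    if sustained_nonzero(tcp, n) and rising_together(dns, tcp, n):
        findings.append("OVERLOAD")
    return findings


if __name__ == "__main__":
    for code in evaluate(SAMPLES):
        print(code, "-", MESSAGES[code])
```

A single non-zero poll produces no finding, so a transient resolution delay does not raise an alert.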