R80.x Performance Tuning and Debug Tips – fw monitor

Document created by Heiko Ankenbrand Champion on Nov 17, 2018. Last modified by Heiko Ankenbrand Champion on Feb 5, 2019 (version 43).

R80.20 - fw monitor



Tip 1

SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor".

Since R80.20, "fw monitor" is able to show traffic accelerated by SecureXL. It is therefore possible to see the SecureXL modules (which provide more performance) in the fw monitor chain, and so to see that SecureXL is being used, which increases the performance of the firewall. For more information, refer to "SecureXL offloading chain modules" in this article.

On R80.20, SecureXL does not have to be disabled with "fwaccel off" to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.


# fwaccel off                                      > no longer necessary in R80.20 and above

# fw monitor -e "accept(...);"


R77.30 and R80.10 - fw monitor

On R77.30 and R80.10, the complete connection can be seen in fw monitor only when SecureXL is disabled, which may be required for troubleshooting purposes. Alternatively, refer to "How to disable SecureXL for specific IP addresses".


# fwaccel off                            

# fw monitor -e "accept(...);"







New fw monitor inspection points in R80.20


Tip 2


Furthermore there are new fw monitor inspection points available:


| Inspection point | Name of fw monitor inspection point | Relation to firewall VM | Available since version |
|---|---|---|---|
| i | Pre-Inbound | Before the inbound FireWall VM (for example, eth1:i) | always |
| I | Post-Inbound | After the inbound FireWall VM (for example, eth1:I) | always |
| id | Pre-Inbound VPN | Inbound before decrypt (for example, eth1:id) | R80.20 |
| iD | Post-Inbound VPN | Inbound after decrypt (for example, eth1:ID) | R80.20 |
| iq | Pre-Inbound QoS | Inbound before QoS (for example, eth1:iq) | R80.20 |
| iQ | Post-Inbound QoS | Inbound after QoS (for example, eth1:IQ) | R80.20 |
| o | Pre-Outbound | Before the outbound FireWall VM (for example, eth1:o) | always |
| O | Post-Outbound | After the outbound FireWall VM (for example, eth1:O) | always |
| e (R80.10), oe (R80.20) | Pre-Outbound VPN* | Outbound before encrypt (for example, eth1:e in R80.10, eth1:oe in R80.20) | |
| E (R80.10), OE (R80.20) | Post-Outbound VPN* | Outbound after encrypt (for example, eth1:E in R80.10, eth1:OE in R80.20) | |
| oq | Pre-Outbound QoS | Outbound before QoS (for example, eth1:oq) | R80.20 |
| oQ | Post-Outbound QoS | Outbound after QoS (for example, eth1:OQ) | R80.20 |

* The fw monitor inspection point is different in R80.10 ("e" or "E") and R80.20 ("oe" and "OE")


For more information, see sk30583, fw monitor or How to use FW Monitor.
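The inspection points in the table can be used to follow one packet through a saved capture. The Python below is an added example, not code from the original article: it maps each point suffix to its table name (accepting the R80.10 "e"/"E" spelling and both the "iD" and "ID" forms that appear in the table) and lists the points at which each packet was seen. The output line layout, the function names and the sample lines are assumptions constructed for the example.

```python
import re

# Stage names as listed in the inspection-point table above.
STAGES = {"i": "Inbound", "id": "Inbound VPN", "iq": "Inbound QoS",
          "o": "Outbound", "oe": "Outbound VPN", "oq": "Outbound QoS"}
# Table footnote: R80.10 writes the outbound VPN points as e/E, R80.20 as oe/OE.
R8010_ALIASES = {"e": "oe"}

# Assumed line layout (not taken from the article):
#   <prefix> <iface>:<point>[<len>]: <src> -> <dst> (<proto>) len=<n> id=<n>
LINE = re.compile(r"(?P<iface>[\w.\-]+):(?P<pt>[A-Za-z]{1,2})\[\d+\]:\s+"
                  r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\).*?\bid=(?P<id>\d+)")

def point_name(suffix):
    """Map a suffix such as 'i', 'iD', 'OE' or 'E' to its table name, else None."""
    stage = suffix.lower()
    stage = R8010_ALIASES.get(stage, stage)
    if stage not in STAGES:
        return None
    # The table writes post points as both 'iD' and 'ID': any capital means Post.
    return ("Post-" if suffix != suffix.lower() else "Pre-") + STAGES[stage]

def trace(capture):
    """Return {ip_id: [(iface, point name), ...]} in capture order.

    Keying on the IP id alone assumes a capture already filtered to one flow.
    """
    paths = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        name = point_name(m["pt"]) if m else None
        if name:
            paths.setdefault(int(m["id"]), []).append((m["iface"], name))
    return paths

# Constructed sample lines, not real gateway output.
SAMPLE = """\
[vs_0][fw_1] eth1:i[44]: 192.0.2.10 -> 198.51.100.20 (TCP) len=60 id=4711
TCP: 40000 -> 443 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_1] eth1:I[44]: 192.0.2.10 -> 198.51.100.20 (TCP) len=60 id=4711
[vs_0][fw_1] eth2:o[44]: 192.0.2.10 -> 198.51.100.20 (TCP) len=60 id=4711
[vs_0][fw_1] eth2:O[44]: 192.0.2.10 -> 198.51.100.20 (TCP) len=60 id=4711
[vs_0][fw_1] eth1:i[44]: 192.0.2.10 -> 198.51.100.20 (TCP) len=60 id=4712
"""

if __name__ == "__main__":
    for ip_id, path in trace(SAMPLE).items():
        print(ip_id, " -> ".join(f"{iface}:{name}" for iface, name in path))
```

In the sample, packet 4712 is listed only at Pre-Inbound, which marks the last inspection point at which the capture saw it.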


SecureXL offloading chain modules


Tip 3


As mentioned above, SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor".

There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.

# fw ctl chain



The new fw monitor chain modules (SecureXL) do not run in the virtual machine (vm).


SecureXL inbound (sxl_in)                 > Packet received in SecureXL from network

SecureXL inbound CT (sxl_ct)           > Accelerated packets moved from inbound to outbound processing (post routing)


SecureXL outbound (sxl_out)            > Accelerated packet starts outbound processing

SecureXL deliver (sxl_deliver)          > SecureXL transmits accelerated packet


New VM chain modules in R80.20


Tip 4


There are more new chain modules in R80.20:


vpn before offload (vpn_in)                  > FW inbound preparing the tunnel for offloading the packet (along with the connection)

fw offload inbound (offload_in)            > FW inbound that performs the offload

fw post VM inbound  (post_vm)            > Packet was not offloaded (slow path) - continue processing in FW inbound


# fw ctl chain



New fw monitor chain key (00000000)


Tip 5


In the Firewall kernel (now also SecureXL), each kernel is associated with a key (red) which specifies the type of traffic applicable to the chain module.


# fw ctl chain



ffffffff                > IP Option Strip/Restore
00000001                > new processed flows
00000002                > wire mode
00000003                > will be applied to all ciphered traffic (VPN)
00000000                > SecureXL offloading (new in R80.20+)





Copyright by Heiko Ankenbrand  2018-2019
