topic SecureXL and SSH in Firewall and Security Management

SecureXL and SSH

mickkel2179 — Tue, 11 Oct 2022 19:58:05 GMT

We migrated to a pair of 16Ks running VSX. When we created the new VS and launched it successfully, everything works fine but one issue, a user can't ssh to his server when SecureXL is enabled. When it's disabled (fwaccel off) it works and they can SSH. MTU is currently set to 1500.

Re: SecureXL and SSH

AaronCP — Tue, 11 Oct 2022 21:48:02 GMT

Hey @mickkel2179,

You can bypass SecureXL for specific connections or ports by following SK104468

I know this doesn't address the underlying issue, but may act as a temporary workaround whilst you troubleshoot the problem.

Re: SecureXL and SSH

Chris_Atkinson — Tue, 11 Oct 2022 23:27:27 GMT

Which version & JHF is used?

If disabling secureXL resolves a symptom it's typically a bug and needs to be investigated with TAC.

Re: SecureXL and SSH

mickkel2179 — Wed, 12 Oct 2022 13:13:45 GMT

Hey Aaron,

Thanks for the response, really appreciate it! The client has to many IPs to list in order to use this feature. Right now we have a ticket in with R&D .. let's see how that unravels.

Re: SecureXL and SSH

mickkel2179 — Wed, 12 Oct 2022 13:14:29 GMT

Hey Chris,

The client is on 81.10 335 build and JHF Take 66

Re: SecureXL and SSH

the_rock — Wed, 12 Oct 2022 13:26:56 GMT

I agree with @AaronCP , but as you said, if there are too many IP addresses, then see what R&D says.

Re: SecureXL and SSH

PhoneBoy — Wed, 12 Oct 2022 15:33:14 GMT

You can disable SecureXL (or more accurately prevent templating) for a specific service.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104468&partition=Advanced&product=SecureXL
Specifically, you'll add the SSH port (22) to the tcp_f2f_ports table.

However, as stated by others on this thread, if disabling SecureXL "solves" a problem, it's likely a bug and the TAC should be engaged.