topic Re: R80.20 Securexl not disable in Firewall and Security Management

R80.20 Securexl not disable

sam_huang — Thu, 21 Feb 2019 17:36:38 GMT

Will R80.20! How do we completely shut down securexl

Re: R80.20 Securexl not disable

G_W_Albrecht — Fri, 22 Feb 2019 12:39:33 GMT

I know, in cpconfig this option is no longer available ! Find the reference in Next Generation Security Gateway Guide R80.20 p.235 - there is no possibility anymore to permanently disable SecureXL. Of course, you could write a cron job script testing the SecureXL state and issuing fwaccel off if needed, as any reboot will turn SecureXL on again.

Re: R80.20 Securexl not disable

PhoneBoy — Sat, 23 Feb 2019 11:43:30 GMT

You can't completely shut down SecureXL in R80.20.

For what reason do you wish to shut down SecureXL?

Re: R80.20 Securexl not disable

sam_huang — Tue, 05 Mar 2019 04:38:26 GMT

Can you tell me how to add this script?

Re: R80.20 Securexl not disable

PhoneBoy — Tue, 05 Mar 2019 05:55:24 GMT

If the problem can be solved by disabling SecureXL, then it's a bug and it needs to be brought through the TAC.

Why are you asking for SecureXL to be permanently disabled?

Re: R80.20 Securexl not disable

HeikoAnkenbrand — Sun, 10 Mar 2019 09:59:22 GMT

More infos to R80.20+ SecureXL you found here:

R80.20 SecureXL + new chain modules + fw monitor

Do not turn SecureXL off completely.

Disable SecureXL for singel IP addresses with problems.

Re: R80.20 Securexl not disable

HeikoAnkenbrand — Sun, 10 Mar 2019 10:03:48 GMT

SK:

How to disable SecureXL for specific IP addresses

Re: R80.20 Securexl not disable

Marko_Keca — Wed, 07 Aug 2019 10:54:10 GMT

I also need option to permanently disable SecureXL as it produces lots of problems when HTTPS inspection is enabled.

I have at least two customers who are running HTTPS inspection without problems when SecureXL is disabled. They have strong enough boxes that acceleration is not needed at this point.

So turning off SecureXL permanently is must have feature by my opinion.

Disabling SecureXL for specific IP addresses sounds promising but it is unusable until network addresses are permited, so we can exclude whole subnets from acceleration.

Regards,
--
Marko

Re: R80.20 Securexl not disable

Timothy_Hall — Wed, 07 Aug 2019 12:30:49 GMT

If you find yourself having to disable SecureXL in R80.20+, the best course of action is to open a TAC case so the problem can be identified and fixed. Disabling SecureXL long-term in R80.20+ is not a good idea and will eventually get you into further trouble.

However in the interim, there is a workaround for disabling SecureXL upon bootup on R80.20+ in this thread:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-SIT-Tunnel/m-p/28139

While your box may be "strong enough" to handle the workload without the SecureXL functions throughput acceleration and rulebase accept templating (session rate acceleration), keep in mind that disabling SecureXL will also disable automatic interface affinity and Multi-Queue. This will cause all SoftIRQ processing for all interfaces to happen on the lowest-numbered SND/IRQ core, typically CPU #0 which can easily get overloaded in this situation. After disabling SecureXL keep an eye on the RX-DRP counter reported by command netstat -ni, if the RX-DRP rate rises above 0.1% on any interface you will need to define manual interface affinity via the fw ctl affinity -i command and the fwaffinity.conf file (not the sim affinity command since SecureXL is disabled) to manually spread SoftIRQ processing around on the SND/IRQ cores. Disabling SecureXL and defining manual interface affinity is not a path I would recommend going down if it can be avoided.