topic Re: R80.x Performance Tuning and Debug Tips – fw monitor in Firewall and Security Management

R80.x Performance Tuning and Debug Tips – fw monitor

HeikoAnkenbrand — Fri, 22 May 2020 17:15:35 GMT

R80.20 - fw monitor

Tip 1

SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor".

Since R80.20 "fw monitor" is able to show the traffic accelerated with SecureXL. Thus it is possible to see SecureXL (provide more performance) modules in fw monitor chain. For more informations revert to "SecureXL offloading chain modules" in this article. Now you can see that SecureXL is used, which increases the performance of the firewall.

SecureXL "fwaccel off" does not have to be disabled on R80.20 to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.

# fwaccel off > no longer necessary in R80.20 and above

# fw monitor -e "accept(...);"

R77.30 and R80.10 - fw monitor

On R77.30 and R80.10 only disabling SecureXL allows to see the complete connection in fw monitor, which may be required for troubleshooting purposes or revert to "How to disable SecureXL for specific IP addresses".

# fwaccel off

# fw monitor -e "accept(...);"

Chapter

More interesting articles:

- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

New fw monitor inspection points in R80.20

Tip 2

Furthermore there are new fw monitor inspection points available:

Inspection point	Name of fw monitor inspection point	Relation to firewall VM	Available since version
i	Pre-Inbound	Before the inbound FireWall VM (for example, `eth1:i`)	always
I	Post-Inbound	After the inbound FireWall VM (for example, `eth1:I`)	always
id	Pre-Inbound VPN	Inbound before decrypt (for example, `eth1:id`)	R80.20
iD	Post-Inbound VPN	Inbound after decrypt (for example, `eth1:ID`)	R80.20
iq	Pre-Inbound QoS	Inbound before QoS (for example, `eth1:iq`)	R80.20
iQ	Post-Inbound QoS	Inbound after QoS (for example, `eth1:IQ`)	R80.20
o	Pre-Outbound	Before the outbound FireWall VM (for example, `eth1:o`)	always
O	Post-Outbound	After the outbound FireWall VM (for example, `eth1:O`)	always
e oe	Pre-Outbound VPN*	Outbound before encrypt (for example, `eth1:e`) in R80.10 (for example, `eth1:oe`) in R80.20	R80.10 R80.20
E OE	Post-Outbound VPN*	Outbound after encrypt (for example, `eth1:E`) in R80.10 (for example, `eth1:OE`) in R80.20	R80.10 R80.20
oq	Pre-Outbound QoS	Outbound before QoS (for example, `eth1:oq`)	R80.20
oQ	Post-Outbound QoS	Outbound after QoS (for example, `eth1:OQ`)	R80.20

* The fw monitor inspection point is different in R80.10 ("e" or "E") and R80.20 ("oe" and "OE")

For more information, see sk30583, fw monitor or How to use FW Monitor.

SecureXL offloading chain modules

Tip 3

Like I said SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor"

There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.

# fw ctl chain
The new fw monitor chain modules (SecureXL) do not run in the virtual machine (vm).
SecureXL inbound (sxl_in)                 > Packet received in SecureXL from network
SecureXL inbound CT (sxl_ct)          > Accelerated packets moved from inbound to outbound processing (post routing)
SecureXL outbound (sxl_out)            > Accelerated packet starts outbound processing
SecureXL deliver (sxl_deliver)          > SecureXL transmits accelerated packet

New VM chain modules in R80.20

Tip 4

There are more new chain modules in R80.20

vpn before offload (vpn_in)                > FW inbound preparing the tunnel for offloading the packet (along with the connection)
fw offload inbound (offload_in)            > FW inbound that perform the offload
fw post VM inbound (post_vm)            > Packet was not offloaded (slow path) - continue processing in FW inbound

# fw ctl chain

New fw monitor chain key (00000000)

Tip 5

In Firewall kernel (now also SecureXL), each kernel is associated with a key (red) witch specifies the type of traffic applicable to the chain modul.

# fw ctl chain

Key	Function
ffffffff	IP Option Stip/Restore
00000001	new processed flows
00000002	wire mode
00000003	will applied to all ciphered traffic (VPN)
00000000	SecureXL offloading (new in R80.20+)

References

R&D meeting Israel

Re: R80.x Performance Tuning and Debug Tips – fw monitor

HeikoAnkenbrand — Sat, 17 Nov 2018 20:05:05 GMT

I can see in the lab that many SecureXL connections are visible in fw monitor without disabling SecureXL. Does this mean that under R80.20 we don't have to deactivate SexureXL with "fwaccel off" to run "fw monitor"?

Could you confirm that from Check Point?

Regards

Heiko

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Reihard_Westle — Sat, 17 Nov 2018 20:54:49 GMT

Nice information.

Thanks

Reinhard

Re: R80.x Performance Tuning and Debug Tips – fw monitor

PhoneBoy — Sun, 18 Nov 2018 17:44:34 GMT

That’s correct and one of the benefits of moving most of SecureXL into user space.

Re: R80.x Performance Tuning and Debug Tips – fw monitor

HeikoAnkenbrand — Sun, 18 Nov 2018 19:03:52 GMT

Hi Dameon,

thanks for this information.

Regards

Heiko

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Roger_Bachstein — Mon, 19 Nov 2018 09:13:14 GMT

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Martin_Raska — Mon, 19 Nov 2018 10:04:58 GMT

Can someone explain performance benefit of moving SecureXL into user space? My understanding was everything in user space can create a bottleneck and old implementation of SecureXL layer under kernel at low level should be faster.

Re: R80.x Performance Tuning and Debug Tips – fw monitor

PhoneBoy — Mon, 19 Nov 2018 16:58:57 GMT

The SecureXL driver takes a certain amount of kernel memory per core and that was adding up to more kernel memory than Intel/Linux was allowing.

On the 23900 in particular, we could not leverage all the processor cores due to this limitation.

By moving all (or most) of SecureXL to user space, it's possible to leverage more processor cores as the firewall can entirely run in user space.

(Note it still doesn't by default in R80.20 in non-VSX mode, but it can be enabled.)

It also means certain kinds of low-level packet processing that could not easily be done in SecureXL because it was being done in the kernel now can.

For VSX in particular, it means you can now configure the penalty box features on a per-VS basis.

It also improves session establishment rates on the higher-end appliances.

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Tim_Maurer — Thu, 22 Nov 2018 15:03:42 GMT

Check Point should include this in the SK.

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Sven_Glock — Thu, 29 Nov 2018 08:46:49 GMT

Am I right that this will influence tcpdump usage as well?

Re: R80.x Performance Tuning and Debug Tips – fw monitor

PhoneBoy — Thu, 29 Nov 2018 13:58:23 GMT

Yes, namely that you don't need to turn of SecureXL to use it

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Rob_Bush — Thu, 24 Jan 2019 18:27:34 GMT

Hello. I am dealing with an issue where I have found that when SecureXL is turned on for our R80.20 gateway, traffic is not flowing across our VPN correctly. I just stumbled on this article and I'm very excited to try and use the new features in FW Monitor to isolate the issue. That being said, I noticed your comment here that SecureXL does not run in the user space on non-VSX mode, so I'm presuming the ability to use the SecureXL features of FW Monitor then would not work. I have searched the Checkpoint KB to try and find out how to enable SecureXL to run in the user space on non-VSX, but I'm striking out. Could you point me in the right direction on how to enable that?

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Rob_Bush — Thu, 24 Jan 2019 18:49:14 GMT

Might have found it. Is it the "kiss_usermode_enabled" parameter of the SecureXL Kernel Parameters?

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Martin_Raska — Fri, 01 Feb 2019 08:35:42 GMT

Please explain why its not enabled by default or how to enable SecureXL in user space or relevant SK which decribe it. Thanks

Re: R80.x Performance Tuning and Debug Tips – fw monitor

HeikoAnkenbrand — Fri, 01 Feb 2019 09:22:05 GMT

Hi Martin Raska,

With R80.20 SecureXL works automatically in user space.

You can switch SecureXL on and off as usual in R80.20.

Permanent:

# cpconfig

Until the next reboot:

# fwaccel off

# fwaccel on

Regards

Heiko

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Martin_Raska — Fri, 01 Feb 2019 09:38:13 GMT

Thank you, I was confused by Daemon comment "(Note it still doesn't by default in R80.20 in non-VSX mode, but it can be enabled.)"

Re: R80.x Performance Tuning and Debug Tips – fw monitor

PhoneBoy — Fri, 01 Feb 2019 15:59:19 GMT

To be clear, a LOT of SecureXL is already in userspace (as Heiko said).

Some firewalling is still in the kernel.

There is a separate "user mode" switch specifically for the 23900 on R80.20 (or anything above 40 cores, really) that moves all of the firewall into userspace (same as VSX, where we've already done that).

We haven't published the command yet and I need to check with R&D before I post it here

Re: R80.x Performance Tuning and Debug Tips – fw monitor

PhoneBoy — Sat, 02 Feb 2019 18:54:13 GMT

I want to correct a few inaccuracies that I helped to propagate above thanks to a gentle email from R&D.

SecureXL is actually not in userspace in R80.20, it still mostly happens in the kernel.

That said a lot of other things have moved to userspace that lead to some of the performance/functionality improvements in R80.20 even in Security Gateway mode.

VSX instances have run in userspace since R75.40VS.

Starting from R80.20, it is possible to run regular Security Gateway (non-VSX) mode with usermode firewall enabled.

It is NOT the default in R80.20 and is ONLY required on platforms that have more than 40 cores (eg 23900).

On platforms with 40 cores or less, you can enable it if you wish, but don't expect a performance improvement.

If you wish to enable usermode firewall in R80.20:

cpprod_util FwSetUsermode 1
reboot

In R80.30, we plan to make this the default for the 23900.

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Rene_Rosenkrant — Wed, 08 May 2019 13:39:22 GMT

On VSX R80.20 with Jumbo 47. I see that the flow is sometimes limited to "id", for trafic related to VPN.

Stating that disabling secureXL, is not longer necessary must be in very specific situations?

And disabling secureXL can make VPN unstable.

Is it backed by Checkpoint and will Checkpoint troubleshoot with fw monitor without disabling secureXL?

Best regards

René Rosenkrantz

Re: R80.x Performance Tuning and Debug Tips – fw monitor

Rene_Rosenkrant — Wed, 08 May 2019 13:42:46 GMT

On VSX R80.20 with Jumbo 47. I see that the flow is sometimes limited to "id", for trafic related to VPN.

Stating that disabling secureXL, is not longer necessary must be in very specific situations?

And disabling secureXL can make VPN unstable.

Is it backed by Checkpoint and will Checkpoint troubleshoot with fw monitor without disabling secureXL?

Best regards

René Rosenkrantz