https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fast-Accel-on-Virtualized-Firewalls/m-p/239770#M46519 <P>Hello everyone,</P><P>I'm working on a network lab environment virtualized on <STRONG>ESXi</STRONG>, where I have two SGs (sg1 and sg2) connected via a route-based S2S VPN.&nbsp;<BR /><BR />Both firewalls are running R81.20 JHF 76.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ubuntus.png" style="width: 697px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29453i395F2304D749A76A/image-dimensions/697x101?v=v2" width="697" height="101" role="button" title="ubuntus.png" alt="ubuntus.png" /></span><BR /><BR />I have connectivity between both servers.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pings u1 a u2.png" style="width: 693px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29454iDCF819DD9474898E/image-dimensions/693x106?v=v2" width="693" height="106" role="button" title="pings u1 a u2.png" alt="pings u1 a u2.png" /></span></P><P>These are the static routes on sg1 on the left and sg2 on the right.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rutas estaticas.png" style="width: 644px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29455iCE3C99BAA166D39B/image-dimensions/644x45?v=v2" width="644" height="45" role="button" title="rutas estaticas.png" alt="rutas estaticas.png" /></span></P><P>One of the goals of the lab is to test the <STRONG>fast_accel</STRONG> feature. According to the official documentation, this feature should be effective for connections accelerated by <STRONG>SecureXL</STRONG>, and the connections should appear in the <STRONG>fwaccel conns</STRONG> command.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fwaccel conns.png" style="width: 632px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29456iD980EB6ED68DF948/image-dimensions/632x362?v=v2" width="632" height="362" role="button" title="fwaccel conns.png" alt="fwaccel conns.png" /></span></P><P>To test this, I have created two rules with <STRONG>fast_accel</STRONG> on both firewalls (sg1 and sg2), as my research suggests that this should be sufficient for the rules to match the traffic between <STRONG>ubuntu1</STRONG> and <STRONG>ubuntu2</STRONG>.<BR /><BR />&nbsp;"I created the rules with the following commands on both firewalls:</P><UL><LI>fw ctl fast_accel add 192.168.22.20 192.168.21.20 any any</LI><LI>fw ctl fast_accel add 192.168.21.20 192.168.22.20 any any</LI></UL><P>However, even though I'm generating traffic between the two servers using <STRONG>iperf3</STRONG>, I don't see any hits on the accelerated connections.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hits.png" style="width: 541px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29457i13FC5E04B586878E/image-dimensions/541x273?v=v2" width="541" height="273" role="button" title="hits.png" alt="hits.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="iperf.png" style="width: 788px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29458i3AD39CF8C011EBBC/image-dimensions/788x258?v=v2" width="788" height="258" role="button" title="iperf.png" alt="iperf.png" /></span></P><P>Can anyone provide guidance on what might be going wrong or if there's something additional I need to configure for the <STRONG>fast_accel</STRONG> rules to be applied correctly?</P><P>Thanks!</P> Tue, 28 Jan 2025 02:29:30 GMT jennyado 2025-01-28T02:29:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fast-Accel-on-Virtualized-Firewalls/m-p/239770#M46519 <P>Hello everyone,</P><P>I'm working on a network lab environment virtualized on <STRONG>ESXi</STRONG>, where I have two SGs (sg1 and sg2) connected via a route-based S2S VPN.&nbsp;<BR /><BR />Both firewalls are running R81.20 JHF 76.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ubuntus.png" style="width: 697px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29453i395F2304D749A76A/image-dimensions/697x101?v=v2" width="697" height="101" role="button" title="ubuntus.png" alt="ubuntus.png" /></span><BR /><BR />I have connectivity between both servers.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pings u1 a u2.png" style="width: 693px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29454iDCF819DD9474898E/image-dimensions/693x106?v=v2" width="693" height="106" role="button" title="pings u1 a u2.png" alt="pings u1 a u2.png" /></span></P><P>These are the static routes on sg1 on the left and sg2 on the right.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rutas estaticas.png" style="width: 644px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29455iCE3C99BAA166D39B/image-dimensions/644x45?v=v2" width="644" height="45" role="button" title="rutas estaticas.png" alt="rutas estaticas.png" /></span></P><P>One of the goals of the lab is to test the <STRONG>fast_accel</STRONG> feature. According to the official documentation, this feature should be effective for connections accelerated by <STRONG>SecureXL</STRONG>, and the connections should appear in the <STRONG>fwaccel conns</STRONG> command.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fwaccel conns.png" style="width: 632px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29456iD980EB6ED68DF948/image-dimensions/632x362?v=v2" width="632" height="362" role="button" title="fwaccel conns.png" alt="fwaccel conns.png" /></span></P><P>To test this, I have created two rules with <STRONG>fast_accel</STRONG> on both firewalls (sg1 and sg2), as my research suggests that this should be sufficient for the rules to match the traffic between <STRONG>ubuntu1</STRONG> and <STRONG>ubuntu2</STRONG>.<BR /><BR />&nbsp;"I created the rules with the following commands on both firewalls:</P><UL><LI>fw ctl fast_accel add 192.168.22.20 192.168.21.20 any any</LI><LI>fw ctl fast_accel add 192.168.21.20 192.168.22.20 any any</LI></UL><P>However, even though I'm generating traffic between the two servers using <STRONG>iperf3</STRONG>, I don't see any hits on the accelerated connections.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hits.png" style="width: 541px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29457i13FC5E04B586878E/image-dimensions/541x273?v=v2" width="541" height="273" role="button" title="hits.png" alt="hits.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="iperf.png" style="width: 788px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29458i3AD39CF8C011EBBC/image-dimensions/788x258?v=v2" width="788" height="258" role="button" title="iperf.png" alt="iperf.png" /></span></P><P>Can anyone provide guidance on what might be going wrong or if there's something additional I need to configure for the <STRONG>fast_accel</STRONG> rules to be applied correctly?</P><P>Thanks!</P> Tue, 28 Jan 2025 02:29:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fast-Accel-on-Virtualized-Firewalls/m-p/239770#M46519 jennyado 2025-01-28T02:29:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fast-Accel-on-Virtualized-Firewalls/m-p/239772#M46520 <P>Whether the gateway is virtualized or on "bare-metal" non-virtualized hardware will not affect how fast_accel operates.</P> <P>Based on your <STRONG>fwaccel conns</STRONG> outputs the connection is already in the fastpath because the "S" flag (streaming) is not present.&nbsp; If the connection was F2F/slowpath it would not show up in the output of <STRONG>fwaccel conns</STRONG> at all.</P> <P>Because the connection would have been offloaded to the fastpath regardless of your fast_accel rule, the hit count is not incremented.&nbsp; If the connection was originally destined for the Medium Path but the fast_accel rule had forced it into the fastpath, then the hit count would have been incremented and you would see an "F" flag for your connection in <STRONG>fwaccel conns</STRONG>.&nbsp; See&nbsp;<A href="https://support.checkpoint.com/results/sk/sk180496" target="_blank" rel="noopener"><SPAN>sk180496: No match on SecureXL Fast Accelerator (fw fast_accel).</SPAN></A>&nbsp;<SPAN>&nbsp;F2F/slowpath connections cannot be forced into the fastpath by fast_accel.</SPAN></P> <P>All this and much more is covered in my <A href="http://www.maxpowerfirewalls.com/gw-optimization-course.html" target="_blank" rel="noopener">Gateway Performance Optimization</A> course; you can preview the Table of Contents for free and this topic was covered on pages 149-151.</P> Tue, 28 Jan 2025 13:30:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fast-Accel-on-Virtualized-Firewalls/m-p/239772#M46520 Timothy_Hall 2025-01-28T13:30:53Z