topic Re: Error due to SecureXL in Firewall and Security Management

Error due to SecureXL

Matlu — Thu, 13 Mar 2025 02:04:34 GMT

Hello, everyone.

One question, is it advisable to disable SecureXL?

We have a problem in which our CCTV server cannot 'visualize' the IP cameras it has hooked.

The only way to solve the error, and have video of the IP cameras is if we disable SecureXL.

Is this something 'expected' in CP equipment? I am referring to the fact that SecureXL is often the cause of problems with certain types of traffic.

What would be the right way to fix this error permanently?
I currently have version R81.20.

Regards.

Re: Error due to SecureXL

emmap — Thu, 13 Mar 2025 02:25:54 GMT

The software is coded and tested with the assumption that SXL is enabled. It is not recommended to leave it off. Highly recommended to tackle this one with TAC so that we can fix it properly.

Re: Error due to SecureXL

Matlu — Thu, 13 Mar 2025 03:06:57 GMT

Disabling SecureXL for certain connections is not a solution that can be considered as 'permanent'?

Re: Error due to SecureXL

Chris_Atkinson — Thu, 13 Mar 2025 05:15:40 GMT

No, if you have to disable SecureXL it's a bug or misconfiguration that should be taken with TAC.

Re: Error due to SecureXL

Tal_Paz-Fridman — Thu, 13 Mar 2025 10:15:55 GMT

I also suggest contacting TAC to resolve the issue.

A workaround could be to exclude specific traffic from SecureXL:

https://support.checkpoint.com/results/sk/sk104468

Re: Error due to SecureXL

G_W_Albrecht — Thu, 13 Mar 2025 10:29:33 GMT

It may be the constant workaround - disabling SecureXL completely is no way to go. But a TAC case might be the proper process - but try to exclude the traffic now quickly so you can turn SecureXL on again.

Re: Error due to SecureXL

Matlu — Thu, 13 Mar 2025 11:37:46 GMT

Our CP is in R82 version, managed by a Smar-1 Cloud.
Then the TAC has to give us a solution, since it is not recommended to have the SXL off right?

Re: Error due to SecureXL

the_rock — Thu, 13 Mar 2025 11:46:04 GMT

I would follow sk @Tal_Paz-Fridman provided. What is the exact issue when sxl is enabled? Yes, it can be disabled permanently, but I would NOT do that.

Andy

Re: Error due to SecureXL

AkosBakos — Thu, 13 Mar 2025 19:55:17 GMT

Hi @Matlu

Maybe fast_accel worths a try

https://support.checkpoint.com/results/sk/sk156672

Re: Error due to SecureXL

the_rock — Thu, 13 Mar 2025 20:07:45 GMT

Thats a good idea.

Andy

Re: Error due to SecureXL

Matlu — Thu, 13 Mar 2025 21:40:13 GMT

Hello,

Is there any way to “validate” if the SXL is “dumping” traffic, when it is active?

It seems that tshoot commands like tcpdump or fw ctl zdebug, don't exactly “see” traffic that may be being dropped by the SXL.

So, what commands can help you, to validate if SXL is being the problem for a particular traffic?

Re: Error due to SecureXL

Timothy_Hall — Thu, 13 Mar 2025 21:55:15 GMT

You need to use the command fw ctl zdebug + drop to also see any drops occurring in SecureXL, although they are usually much more rare than drops in the main INSPECT code.

The best way to determine if SecureXL is the source of your problem is to leave the questionable connections in the slowpath (no offloading to the Medium or Fast paths allowed) and see if the situation improves. sk104468: How to exclude traffic from SecureXL

Re: Error due to SecureXL

genisis__ — Thu, 13 Mar 2025 21:59:47 GMT

Here's a good place to start:

SecureXL Debug Procedure

However as everyone has suggested, best to engage TAC, ensure your running latest recommended Jumbo etc as this will be a first step suggestion from TAC.

Last time I had an issue with SecureXL it was on R7x.x and the issue was resolve by upgrading to the latest version at the time.

Re: Error due to SecureXL

Matlu — Thu, 13 Mar 2025 22:04:56 GMT

It's a little weird.

I used the command you recommend, my destination was an IP camera.

When we have the SXL enabled on the CP, the CCTV server cannot see the video from the camera, but the command

fw ctl zdebug + drop | grep <IP CAMERA> ... at that time it shows me nothing.

It is as if for the FW everything is working fine.

Then, when we disable the SXL, immediately the CCTV server retrieves the video from the camera.

Only the “fw ctl zdebug + drop” is the command that helps to detect if it is the SXL that is giving problems?

Re: Error due to SecureXL

the_rock — Thu, 13 Mar 2025 22:35:06 GMT

When sxl is on, you probably would need to do sxl debugs.

Andy

Re: Error due to SecureXL

Timothy_Hall — Thu, 13 Mar 2025 23:43:22 GMT

If you see nothing in the fw ctl zdebug + drop that means no Check Point code (SecureXL/INSPECT) is dropping that traffic.

Also I have to ask, are you on a Quantum Force 9000/19000/29000 or Lightspeed appliance?

Is this traffic multicast? It could be getting dropped in the Gaia OS itself due to some kind of problematic interaction with SecureXL. Only way to know for sure is set up a fw monitor -F with SecureXL enabled and see if the problematic traffic is hitting inspection points iI but failing to re-enter at o. There have been issues in the past with SecureXL and multicast.

Re: Error due to SecureXL

the_rock — Fri, 14 Mar 2025 02:09:27 GMT

@Matlu

FYI

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_PerformanceTuning_AdminGuide/Topics-PTG/SecureXL-Debug/SecureXL-Debug-Procedure.htm

Re: Error due to SecureXL

genisis__ — Fri, 14 Mar 2025 14:21:19 GMT

Tim - valid point about mcast, we had issues in the past where the Checkpoint was a RP and after engaging TAC it was determined this was a bug, but we never had issues with mcast being passed through the appliances, assuming correct policy is in place.

Re: Error due to SecureXL

the_rock — Fri, 14 Mar 2025 16:50:43 GMT

Hey bro,

Any luck with this or still same issue?

Andy