topic Re: F2F cluster message in General Topics

F2F cluster message

Nik_Bloemers — Tue, 21 Jan 2020 08:10:45 GMT

Hello Check Mates,

Can anyone explain what the F2F violation 'cluster message' means?

fwaccel stats -p
F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 227              ICMP miss conn 153026
TCP-SYN miss conn 327641              TCP-other miss conn 28868624
UDP miss conn              295417 other miss conn 10604
VPN returned F2F 0              uni-directional viol 0
possible spoof viol 11              TCP state viol 0
out if not def/accl 0              bridge, src=dst 0
routing decision err 0              sanity checks failed 0
fwd to non-pivot 0              broadcast/multicast 0
cluster message 207254     cluster forward 0
chain forwarding 0              F2V conn match pkts 89454
general reason 0              route changes 0

The ATRG sk for SecureXL explains most values, but not this one. I believe this should normally be 0, so I'm wondering why it's quite high.

Re: F2F cluster message

_Val_ — Tue, 21 Jan 2020 08:25:45 GMT

F2F means "forwarded to Firewall", a.k.a "Slow Path". It applies to any packet that cannot or should not be accelerated.

The term is in fact mentioned in multiple guides and SecureKnowledge articles, for example, in sk153832, quoting:

"Firewall path / Slow path (F2F) - Packet flow when the SecureXL device is unable to process the packet (refer to sk32578 - SecureXL Mechanism). The packet is passed on to the CoreXL layer and then to one of the Core FW instances for full processing. This path also processes all packets when SecureXL is disabled."

Exactly the same statement is used in sk98722.

Re: F2F cluster message

Nik_Bloemers — Tue, 21 Jan 2020 08:40:29 GMT

I am well aware of what F2F means, but I want to understand what the 'cluster message' violation reason entails.

Re: F2F cluster message

_Val_ — Tue, 21 Jan 2020 09:16:38 GMT

@Nik_Bloemers apologies, I must have misread you original questions.

There are two answers:

1. "Violations" here is not a good term. It generally applies to any packet that SXL cannot accelerate. It is meant as a "violation of acceleration". It does not mean there is anything wrong with the traffic.

2. Cluster messages are all CCP packets. They cannot be accelerates as they should go to CXL for the purposes of sync and health status monitoring.

Re: F2F cluster message

Timothy_Hall — Tue, 21 Jan 2020 14:42:17 GMT

Val is correct, that counter indicates the CCP traffic. Traffic that is addressed to the firewall itself (i.e. not transiting trying to reach a destination IP that is not the firewall) is never accelerated by SecureXL and always goes F2F. This is expected behavior.