topic Re: SecureXL 100% F2Fed 80.30 in General Topics

SecureXL 100% F2Fed 80.30

Mike_Jensen — Mon, 31 Aug 2020 17:59:32 GMT

I have a HA cluster of Check Point 15,400's running 80.30 with JHA take 215.

[Expert@xxxxx]# enabled_blades
fw vpn ips identityServer vpn
[Expert@xxxxxx0]#

Hyperthreading and CoreXL are both enabled.

A month or so ago when I checked my SecureXL statistics about 70% of my traffic was being accelerated and now 100% of packets are taking the F2Fed. I am having a heck of a time trying to determine how literally no packets are being accelerated.

The only major things that have changed recently are IPS Protection - I make sure all protections with a critical performance rating are disabled , and JHA take 215.

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

[Expert@xxxxxx]# fwaccel stats -s
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/2659685415 (0%)
F2Fed pkts/Total pkts : 2659685415/2659685415 (100%)
F2V pkts/Total pkts : 0/2659685415 (0%)
CPASXL pkts/Total pkts : 0/2659685415 (0%)
PSLXL pkts/Total pkts : 0/2659685415 (0%)
QOS inbound pkts/Total pkts : 0/2659685415 (0%)
QOS outbound pkts/Total pkts : 0/2659685415 (0%)
Corrected pkts/Total pkts : 0/2659685415 (0%)
[Expert@MAIN-EXT-FWA:0]#

[Expert@xxxx# fwaccel stats -p
F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 4197 ICMP miss conn 695465
TCP-SYN miss conn 6076140 TCP-other miss conn 829529441
UDP miss conn 1835183626 other miss conn 4260
VPN returned F2F 20 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
SCTP state affecting 0 out if not def/accl 0
bridge, src=dst 0 routing decision err 0
sanity checks failed 0 fwd to non-pivot 0
broadcast/multicast 0 cluster message 38231619
cluster forward 0 chain forwarding 0
F2V conn match pkts 0 general reason 0
route changes 0

Re: SecureXL 100% F2Fed 80.30

Timothy_Hall — Mon, 31 Aug 2020 18:14:41 GMT

Are you checking these statistics on the standby member of a cluster (cphaprob stat)? 100% F2F is expected in that case since all connections are to and from the firewall itself which are never accelerated.

If you did get these stats on the active member or there isn't a cluster present, it is almost certainly something in your IPS config. You can confirm by running ips off, then fwaccel stats -r, waiting two minutes, then fwaccel stats -s. Note that doing this may expose your organization to attacks, and don't forget to run ips on when done!

Re: SecureXL 100% F2Fed 80.30

Mike_Jensen — Mon, 31 Aug 2020 18:31:53 GMT

Hi Tim,

Yes, this is happening on the active cluster member (sorry I should have specified in the original post).

I performed the ips off test twice, once just "ips off" and the second time with "ips off -n", reset the SecureXL statistics, waited two minutes, then checked fw accel stats -s again and the stats are still the same 😞

[Expert@xxxx:0]# fwaccel stats -s
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/3099956 (0%)
F2Fed pkts/Total pkts : 3099956/3099956 (100%)
F2V pkts/Total pkts : 0/3099956 (0%)
CPASXL pkts/Total pkts : 0/3099956 (0%)
PSLXL pkts/Total pkts : 0/3099956 (0%)
QOS inbound pkts/Total pkts : 0/3099956 (0%)
QOS outbound pkts/Total pkts : 0/3099956 (0%)
Corrected pkts/Total pkts : 0/3099956 (0%)
[Expert@TROY-EXT-A:0]# fwaccel stats -s
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/3162794 (0%)
F2Fed pkts/Total pkts : 3162794/3162794 (100%)
F2V pkts/Total pkts : 0/3162794 (0%)
CPASXL pkts/Total pkts : 0/3162794 (0%)
PSLXL pkts/Total pkts : 0/3162794 (0%)
QOS inbound pkts/Total pkts : 0/3162794 (0%)
QOS outbound pkts/Total pkts : 0/3162794 (0%)
Corrected pkts/Total pkts : 0/3162794 (0%)

Re: SecureXL 100% F2Fed 80.30

Timothy_Hall — Tue, 01 Sep 2020 01:42:25 GMT

Head to your Inspection Settings in the Access Control policy, are there any settings enabled that have a High or Critical performance impact, mainly:

Directory Listing
Small PMTU
SYN Attack (although this is in SecureXL in R80.20+)
Network Quota
Gzip Enforcement

The other place to look will be the 39 IPS "Core Protections" which are still active even when IPS is disabled (!), are any of these enabled:

HTTP Header Spoofing
Inbound DNS Requests
ISN Spoofing
IP ID Masking
Malicious IPs
Mismatched Replies
Scrambling
TTL Masking

Beyond that TAC will need to run a debug to determine why everything is going F2F. This debug isn't nearly as straightforward as it used to be prior to R80.20; please share the commands TAC uses as the kernel debug flags documentation has not been updated for R80.20+. 😀

Re: SecureXL 100% F2Fed 80.30

Mike_Jensen — Tue, 01 Sep 2020 16:38:27 GMT

I have all of the above Core protections off and all Threat Cloud protections with a performance impact of critical set to inactive as well.

Is there a good rule of thumb to follow in regards to how old a protection should before before marking it as inactive? 5 years, 7 years, etc?

I have a TAC case open and I will post any debug commands they run.

Re: SecureXL 100% F2Fed 80.30

Mike_Jensen — Wed, 21 Oct 2020 18:43:39 GMT

TAC resolved this issue for me! They recreated my environment in their lab and found in one of my VPN communities in the wire mode option I had the box checked for "Allow uninspected encrypted traffic between Wire mode interfaces of this Community members".

After I removed the check mark and installed policy I began to see accelerated traffic on all affected HA clusters!

The only debug command / output that I was able to see for this case is:

@;21151; 1Oct2020 15:11:44.275421;[cpu_1];[fw4_2];get_connkey_flags_should_accelerate: wire mode acceleration is user disabled -> F2F;