topic Re: Secure XL in General Topics

Secure XL

Atul_Sharma — Mon, 15 May 2017 15:31:27 GMT

Secure XL considers Partial connection as an accelerated path, but by definition partial connection means "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table"

So my confusion is what connection is considered as a partial connection ?

How does the SecureXL know that a particular connection is a partial connection ?

Thanks

Re: Secure XL

Brian_Deutmeyer — Mon, 22 May 2017 03:01:47 GMT

Here an old datasheet that might be helpful:

https://www.checkpoint.com/downloads/campaigns/whitepapers/performance-innovations-with-software-blade-architecture-wp.pdf

Also, from the admin guide:

Using SecureXL

SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise security. When SecureXL is enabled on a Security Gateway, some CPU intensive operations are processed by virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:
Slow path - Packets and connections that are inspected by the Firewall and are not processed by SecureXL.
Accelerated path - Packets and connections that are offloaded to SecureXL and are not processed by the Firewall.
Medium path - Packets that require deeper inspection cannot use the accelerated path. It is not necessary for the Firewall to inspect these packets, they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.
The goal of a SecureXL configuration is to minimize the connections that are processed on the slow path.

Re: Secure XL

Gal_Katz — Mon, 22 May 2017 10:31:28 GMT

Partial connections are used when specific features such as NAT templates and drop templates are used. The idea is to make sure the Performance Pack knows that a connection exists and will not drop an S2C packet of an existing connection on a drop template or re-use a NAT port when opening a new connection if the port is already in use. When SecureXL is being turned on (e.g. after running `fwaccel off` and `fwaccel on`), SecureXL will iterate over the connections tables and will offload partials connections if needed.

Re: Secure XL

Atul_Sharma — Tue, 23 May 2017 09:19:18 GMT

Hi Brian,

Thanks for the response.
I'm still confused about the below query.

when we see the secureXL connection table, we see tags such as p/P which means partial/not partial.
how secureXL knows that a particular connection is partial or not.

if we go according to the definition "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table"

in my opinion, the secureXl queries the firewall maybe ??

Re: Secure XL

Atul_Sharma — Tue, 23 May 2017 09:20:17 GMT

Hi Gal,

Isn't Anticipated connections prevent dropping of connections due to drop templates ?

when we see the secureXL connection table, we see tags such as p/P which means partial/not partial.
how secureXL knows that a particular connection is partial or not.

if we go according to the definition "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table"

in my opinion, the secureXl queries the firewall maybe ??

Re: Secure XL

VictorRuiz — Thu, 13 Apr 2023 16:22:52 GMT

Hi Atul_Sharma.

I found information about your question here:

http://dkcheckpoint.blogspot.com/2019/01/r80x-security-gateway-architecture.html

I understood that a partial connection is when a TCP handshake has been established, and a non-partial connection is when this one is about to do a TCP handshake. In other words, a partial connection carries data information, and a non-partial connection carries packets such as SYN, ACK, SYN-ACK, RST, FIN, and FIN-ACK.

Regards!