topic Re: Clarification Needed on fwaccel stat in General Topics

Clarification Needed on fwaccel stat

RemoteUser — Wed, 09 Jul 2025 14:35:19 GMT

Hi,
What does this indicate? It's not very clear to me do we need to make any changes?
Thanks a lot!

Accept Templates : disabled by Firewall
Layer Policy Security disables template offloads from rule #xxxx
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer Policy Security disables template offloads from rule #xxxx
Throughput acceleration still enabled.
LightSpeed Accel : disabled

Re: Clarification Needed on fwaccel stat

G_W_Albrecht — Wed, 09 Jul 2025 14:39:48 GMT

Did you read sk32578: SecureXL Mechanism ?

Re: Clarification Needed on fwaccel stat

RemoteUser — Wed, 09 Jul 2025 14:57:03 GMT

Hi
Yes, but what is mean disables template offloads from rule #xxxx?
It's affects something or not?

Re: Clarification Needed on fwaccel stat

the_rock — Wed, 09 Jul 2025 15:09:29 GMT

I would say if anyone on this planet can explain this perfectly, its @Timothy_Hall

Andy

Re: Clarification Needed on fwaccel stat

Lesley — Wed, 09 Jul 2025 15:17:01 GMT

Remove rule #xxxx if it is not needed, or move it all the way down in rulebase.

Most of the time rule contains traceroute or ALL_DCE_RPC ports for Windows

Show the relevant rule. After this rule no performance optimization. All rules below #xxxx

Re: Clarification Needed on fwaccel stat

Chris_Atkinson — Wed, 09 Jul 2025 15:33:30 GMT

What is the rule# relative to the policy size?

Commonly this would be due to a specific objects like DCOM, RPC, DCE, snmp-readonly, rip-response which are optimally put lower in the rule base but other potential reasons are documented in sk32578.

You can move the rule lower down or remove offending object to improve templating.

Re: Clarification Needed on fwaccel stat

the_rock — Wed, 09 Jul 2025 15:52:45 GMT

Hey bro,

Make sure this is enabled (what I attached)

Andy

Re: Clarification Needed on fwaccel stat

the_rock — Wed, 09 Jul 2025 15:58:52 GMT

Also, can you send output of below?

Andy

[Expert@R82:0]# fwaccel templates
The templates table is empty
[Expert@R82:0]# fwaccel templates -s

Total number of templates: 0
[Expert@R82:0]#

Re: Clarification Needed on fwaccel stat

RemoteUser — Wed, 09 Jul 2025 16:33:23 GMT

That's in my cluster it's not enable..
What is the purpose of this?

Re: Clarification Needed on fwaccel stat

RemoteUser — Wed, 09 Jul 2025 16:34:34 GMT

this is the rule, maybe this service it's the root cause:

Re: Clarification Needed on fwaccel stat

the_rock — Wed, 09 Jul 2025 16:35:19 GMT

Firewall Policy Optimization
Enable or disable firewall drop optimization to improve gateway resource consumption during periods of heavy traffic load. Let SecureXL handle traffic that the firewall policy determines should be dropped.

Not enabling this option means that only Allowed connections are off loaded to SecureXL, leaving the gateway to handle connections that should be dropped or rejected. For more, see:
- sk90861
- sk90941

Re: Clarification Needed on fwaccel stat

RemoteUser — Wed, 09 Jul 2025 16:35:48 GMT

What happens to the rules that come after this one? This is what I want to understand?

Re: Clarification Needed on fwaccel stat

RemoteUser — Wed, 09 Jul 2025 16:39:11 GMT

so nowadays it would always seem better to enable it....
thanks a lot

Re: Clarification Needed on fwaccel stat

the_rock — Wed, 09 Jul 2025 16:43:17 GMT

Yes, I would, 100%

Re: Clarification Needed on fwaccel stat

_Val_ — Thu, 10 Jul 2025 08:05:48 GMT

The main outcome is that your policy has a rule with one of the SecureXL limitations affecting acceleration with templates. Below that rule, templates will not be applied. Depending on how many rules are in your rulebase and how high that limiting rule is placed in your policy, it may negatively affect the performance of your GW. From reading the discussion, I see that the DCE-RPC service is most probably the root cause.

The recommendation is to see if you can remove or edit this rule to overcome the limitation (for example, change DCE to ANY) or push it as deep as possible in your rulebase.

Re: Clarification Needed on fwaccel stat

RemoteUser — Thu, 10 Jul 2025 09:53:36 GMT

I put in disable the rule affected.
I have one question... If under the rule affected i have a lot vpn s2s, it's possible that those rule may be affected or not?

Re: Clarification Needed on fwaccel stat

_Val_ — Thu, 10 Jul 2025 10:25:34 GMT

After disabling the rule and re-installing the policy, check fwaccel stat again to see if there is any other issue with templates.

Re: Clarification Needed on fwaccel stat

RemoteUser — Thu, 10 Jul 2025 10:26:37 GMT

After disabling the rule, now it's semmes ok

Re: Clarification Needed on fwaccel stat

_Val_ — Thu, 10 Jul 2025 10:27:56 GMT

Now, you get your answer 🙂

Re: Clarification Needed on fwaccel stat

the_rock — Thu, 10 Jul 2025 11:43:54 GMT

Great job bro!

Andy