topic Re: New SecureXL path in R80.20 (CPASXL) in General Topics

New SecureXL path in R80.20 (CPASXL)

HeikoAnkenbrand — Wed, 20 Mar 2019 20:22:09 GMT

What I notice more and more in the last years is CPAS (Check Point Active Streaming). With increased https, the firewall workers are more and more stressed if https inspection is enabled. Now also CPAS use the SecureXL path in R80.20. CPAS works through the F2F path in R80.10 and R77.30. Now CPASXL is offered in SecureXL path in R80.20. This should lead to a higher performance. "fwaccel stats -s" shows the new path in R80.20. I think PXL was renamed to PSLXL. This is from my point of view the politically correct better term.

Check Point Active Streaming active streaming allow the changing of data and play the role of “man in the middle”. Several protocols uses CPAS, for example: Client Authentication, VoIP (SIP, Skinny/SCCP, H.323, etc.), Data Leak Prevention (DLP) blade, Security Servers processes, etc. I think it's not to be underestimated in tuning.

# fwaccel stats -s

We have already discussed this here with Timothy Hall Security Gateway Performance Optimization Excerpt.

Maybe Check Point can give us more information here.

I had adapt CPASXL and PSLXL to the following article:

R80.x Security Gateway Architecture (Logical Packet Flow)

R80.x Security Gateway Architecture (Content Inspection)

Re: New SecureXL path in R80.20 (CPASXL)

Martin_Krolikow — Fri, 28 Sep 2018 08:46:00 GMT

Hi Heiko,

thanks for the information, thats an interesting finding. Do you have any idea, what the "F2V" is? Another acceleration path?

I hope that Check Point can add some information here.

Cheers,

Martin

Re: New SecureXL path in R80.20 (CPASXL)

_Val_ — Fri, 28 Sep 2018 10:51:50 GMT

F2V - Forward to VPN

Re: New SecureXL path in R80.20 (CPASXL)

Martin_Krolikow — Fri, 28 Sep 2018 10:52:49 GMT

Thank you, Valeri!

Re: New SecureXL path in R80.20 (CPASXL)

_Val_ — Fri, 28 Sep 2018 11:00:26 GMT

No problem

Re: New SecureXL path in R80.20 (CPASXL)

HeikoAnkenbrand — Fri, 28 Sep 2018 11:48:35 GMT

Now you can see in R80.20 the "F2F streaming path" and "medium streaming path" for PSL and CPAS.

# fwaccel stat

I will be a R80.20 fan!

Nice, nice, nice!

I will adapt "inline streaming path" and "medium streaming path" to the following article:

R80.x Security Gateway Architecture (Logical Packet Flow)

R80.x Security Gateway Architecture (Content Inspection)

Regards,

Heiko

Re: New SecureXL path in R80.20 (CPASXL)

_Val_ — Fri, 28 Sep 2018 12:03:58 GMT

i would not do that. both are parts of PXL

Re: New SecureXL path in R80.20 (CPASXL)

HeikoAnkenbrand — Fri, 28 Sep 2018 12:11:18 GMT

Hi Valeri,

I do not change the drawing:-)

I have only included the new designations in the text.
- PSLXL
- CPASXL
- Medium Streaming Path > for medium path

- Inline Streaming Path > for F2F path

Regards,

Heiko

Re: New SecureXL path in R80.20 (CPASXL)

_Val_ — Fri, 28 Sep 2018 12:17:12 GMT

I have commented on one of your documents already. It is not about the drawing, it is about correct terminology

Re: New SecureXL path in R80.20 (CPASXL)

HeikoAnkenbrand — Fri, 28 Sep 2018 14:24:47 GMT

Exciting command show's anti spoofing ranges:-)

You have to take a closer look.

# fwaccel ranges

Regards,

Heiko

Re: New SecureXL path in R80.20 (CPASXL)

phlrnnr — Tue, 08 Jan 2019 19:27:37 GMT

Is F2V used for HTTPS inspection as well? I have HTTPS inspection enabled on an R80.20 firewall, but no VPN functions, yet 73% of my packets are hitting F2V:

[Expert@<removed>]# fwaccel stats -s
Accelerated conns/Total conns : 0/6762 (0%)
Accelerated pkts/Total pkts : 136454042/718363754 (18%)
F2Fed pkts/Total pkts : 445455764/718363754 (62%)
F2V pkts/Total pkts : 527371395/718363754 (73%)
CPASXL pkts/Total pkts : 9670829/718363754 (1%)
PSLXL pkts/Total pkts : 126783119/718363754 (17%)
QOS inbound pkts/Total pkts : 0/718363754 (0%)
QOS outbound pkts/Total pkts : 0/718363754 (0%)
Corrected pkts/Total pkts : 0/718363754 (0%)

Not sure how 62% can be F2Fed and 73% be F2V. Must be some sort of overlap, or fuzzy math

Re: New SecureXL path in R80.20 (CPASXL)

_Val_ — Wed, 09 Jan 2019 06:18:43 GMT

F2V is a decryption module in your case. Considering you need to decrypt before making a decision to inspect or not, lower F2F rate makes perfect sense. Some decrypted packages may still be accelerated without any need for further inspection in F2F path