
R80.20 SIT Tunnel

So I appreciate this is an edge case, but a feature of Gaia is hampered by the standard configuration in R80.20.

I have a SIT tunnel with the HE tunnel provider, for a routed IPv6 subnet. As of R80.20 you cannot permanently disable SecureXL, yet SecureXL does not work with a SIT tunnel configured on the device.

I have to manually disable SecureXL for IPv6 each time the system reboots.


I wanted to know if this is something other people have had an issue with and if Check Point are aware of issues with SIT tunnels + SecureXL in R80.20. I've traditionally always had to disable SecureXL to get this to work.

I've tried adding a crontab that disables SecureXL at reboot "@reboot /opt/CPsuite-R80.20/fw1/bin/fwaccel6 off > /dev/null 2>&1" but this doesn't seem to work.

0 Kudos
13 Replies

Re: R80.20 SIT Tunnel

Afaik SecureXL can be permanently disabled through the CPconfig utility. See sk41397 How to enable/disable Check Point SecureXL via CLI.

0 Kudos

Re: R80.20 SIT Tunnel

Can't be permanently disabled on R80.20 sadly, no option in cpconfig.

0 Kudos

Re: R80.20 SIT Tunnel

You could try something: on boot, the bash script $FWDIR/bin/fwstart is called. Here we find the line:

$CPDIR/bin/cpprod_util FwSetSecureXL 1

If you do

[Expert@Hostname]# cp $FWDIR/bin/fwstart  $FWDIR/bin/fwstart_ORIGINAL

and change that to

$CPDIR/bin/cpprod_util FwSetSecureXL 0

in $FWDIR/bin/fwstart, it is set to off instead...

Re: R80.20 SIT Tunnel

I shall give that a try, thank you!

0 Kudos

Re: R80.20 SIT Tunnel

So I gave that a try. It seemed to break a lot of things..

It looked like it didn't load the driver at all, and I can only guess that R80.20 relies on it moreso than before - no network traffic passing through the box. Had to revert back for the moment - good shout though.

0 Kudos

Re: R80.20 SIT Tunnel

Yes, and we are both thoroughly convinced that it is not supported 😉

0 Kudos

Re: R80.20 SIT Tunnel

I'd thought as much, making these sorts of changes - It's not for a critical environment so I'm happy to do things like this, as remembering to flip SXL off each time at boot is more of a pain.

More of a moan towards CP for having conflicting features!

0 Kudos

Re: R80.20 SIT Tunnel

Oh my lord - this is available in a much, much easier way !

- open GAiA WebGUI

- go to System Management > Job Scheduler

- click Scheduled Jobs > Add

- you already do know which Command to Run 😉

- select "At startup"

- be Happy !

0 Kudos

Re: R80.20 SIT Tunnel

Yep that's what I've done!

Here's my script:


#!/bin/sh
# Load the Check Point environment; scheduler/cron jobs do not inherit it
source /etc/profile.d/CP.sh
# Turn off SecureXL for IPv4 and IPv6, discarding output
/opt/CPsuite-R80.20/fw1/bin/fwaccel off > /dev/null 2>&1
/opt/CPsuite-R80.20/fw1/bin/fwaccel6 off > /dev/null 2>&1
exit

Seems to work, SXL flipped back on again a while afterwards but I think it's unrelated.. I swear the cron scheduler never used to provide the option of "At startup", although @reboot has been around since - forever..

0 Kudos
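A more defensive version of the startup job from the two posts above (the Job Scheduler "At startup" command and the fwaccel/fwaccel6 script), added here as an example and not code from the thread or from Check Point: it sources the CP environment, retries while the firewall is still coming up, verifies with `fwaccel stat` and logs the outcome. Assumptions are labelled in the comments: that /etc/profile.d/CP.sh exports FWDIR, that `fwaccel stat` prints either "Accelerator Status : on|off" or an R80.20-style table whose Status column reads "enabled|disabled", and the hypothetical file name sxl_off.sh and log path.

```sh
#!/bin/sh
# Added example (not from the thread): Gaia Job Scheduler / @reboot job that turns
# SecureXL off for IPv4 and IPv6, verifies it and logs the result.
# Assumed: CP.sh exports FWDIR; `fwaccel stat` prints "Accelerator Status : on|off"
# (older style) or a table whose Status column reads "enabled|disabled" (R80.20).
# Scheduler and cron jobs do not inherit the Check Point environment, so source it.
[ -r /etc/profile.d/CP.sh ] && . /etc/profile.d/CP.sh
FWDIR="${FWDIR:-/opt/CPsuite-R80.20/fw1}"      # fallback: the path used in the thread
LOG_FILE="${LOG_FILE:-/var/log/sxl_off.log}"   # assumed log location

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG_FILE" 2>/dev/null || printf '%s\n' "$*" >&2; }

# Classify the text of `fwaccel stat` passed as $1: prints on, off or unknown.
sxl_state_from_stat() {
    if printf '%s\n' "$1" | grep -qiE 'Accelerator Status[[:space:]]*:[[:space:]]*on|\|[[:space:]]*enabled[[:space:]]*\|'; then
        echo on
    elif printf '%s\n' "$1" | grep -qiE 'Accelerator Status[[:space:]]*:[[:space:]]*off|\|[[:space:]]*disabled[[:space:]]*\|'; then
        echo off
    else
        echo unknown
    fi
}

# Disable one family ($1 = fwaccel or fwaccel6). At boot the firewall may not be up
# yet, so retry up to $2 times (default 6) with a pause; 0 only once stat says off.
disable_family() {
    bin="$FWDIR/bin/$1"; tries="${2:-6}"
    [ -x "$bin" ] || { log "$1: $bin not found"; return 2; }
    while [ "$tries" -gt 0 ]; do
        "$bin" off > /dev/null 2>&1
        state=$(sxl_state_from_stat "$("$bin" stat 2>&1)")
        log "$1 off -> $state"
        [ "$state" = off ] && return 0
        tries=$((tries - 1)); sleep 10
    done
    return 1
}

main() {
    rc=0
    disable_family fwaccel  || rc=1
    disable_family fwaccel6 || rc=1
    return $rc
}

# Act only when run as the saved script; sourcing the file just loads the functions.
case "${0##*/}" in sxl_off.sh) main ;; esac
```

Save it as sxl_off.sh, make it executable, and use its path as the Job Scheduler "Command to Run" at startup; the log shows whether each family actually ended up off.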

Re: R80.20 SIT Tunnel

Yes, I just remembered something similar in the back of my mind, had a look there and - emacs!

0 Kudos

Re: R80.20 SIT Tunnel

So you could mark mine as the correct answer  !

0 Kudos

Re: R80.20 SIT Tunnel

Wow, I somewhat randomly came across this thread when searching to see if there was any way to allow SecureXL to run, but not actually do anything, as I would like to have the monitoring visibility of SNMP and Netflow but without the random network communication breakage that seems to result with it on when using NAT and routed vpnt to vpnt traffic (ie. a WAN tier transport devices and even my client "VPN hub" tier devices). It's an unpleasant surprise to find that the option to turn off SecureXL is gone in R80.20 and up versions, but obviously much better than finding out as a surprise after upgrading to R80.20. Did you end up getting a satisfactory solution to this or am I staying on R80.10 for a number of my devices, also bad?

Any details as to how you resolved is appreciated, as well as how stable the solution appears to be.


0 Kudos

Re: R80.20 SIT Tunnel

FYI:
SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor". The SecureXL driver takes a certain amount of kernel memory per core, and that was adding up to more kernel memory than Intel/Linux was allowing.

More info here:

R80.x Security Gateway Architecture (Logical Packet Flow)
