Here is a new F2F/slowpath reason (shown by fw tab -t connections -z) that was not included in the presentation. This new reason was recently brought to my attention by an attendee of my Gateway Performance Optimization Course. The following content was added to the course as a result:
-
Reason: Post Sync – This indicates the presence of a so-called "partial connection" that exists in the Firewall Worker state table (fw tab -t connections) but does not exist in the SecureXL state table (fwaccel conns). Most commonly, this is a transitory condition caused by a ClusterXL failover, because only the Firewall Worker state table is synchronized between the cluster members (the SecureXL state table is not). It can also be caused by a policy installation in some cases or by manually cycling the running state of SecureXL with the fwaccel off and fwaccel on commands.
If no packets have yet been received for this partial connection, it exists exclusively in the Firewall Worker state table and can therefore only be processed in the F2F/slowpath, as SecureXL has no knowledge of it. Once packets are received for this partial connection, SecureXL forwards these unknown packets to the Firewall Worker, which then "re-injects" the connection state information back into the SecureXL state table and then, if possible, offloads the connection back into the Medium or Fast path. Prior to this re-injection occurring (assuming it ever does), the total number of packets and bytes reported by fw tab -t connections -z for the partial connection will be zero.
Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
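The check a gateway administrator would want after a failover is to correlate the two state tables and see which partial connections clear on their own and which do not. The following is an added example, not code from the post or from Check Point: it assumes the operator has already parsed the output of fw tab -t connections -z and fwaccel conns into the simple records shown (the parsing of the real CLI formats is not shown), and all connection records, counters and snapshot timings are constructed for illustration.

```python
"""
Added example (not from the original post): correlate the Firewall Worker
connections table (fw tab -t connections -z) with the SecureXL connections
table (fwaccel conns) to find "partial connections", then compare two
snapshots to see which partial connections never get re-injected.

Assumption: each command's output has already been parsed into the records
below; the sample records are constructed, not captured from a gateway.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ConnKey:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int  # IP protocol number (6 = TCP, 17 = UDP)


@dataclass(frozen=True)
class WorkerConn:
    key: ConnKey
    packets: int  # packet counter as reported by fw tab -t connections -z
    octets: int   # byte counter as reported by fw tab -t connections -z


def partial_connections(worker: Iterable[WorkerConn],
                        securexl: Iterable[ConnKey]) -> list[WorkerConn]:
    """Entries present in the Firewall Worker table but absent from SecureXL."""
    sxl = set(securexl)
    return [c for c in worker if c.key not in sxl]


def classify_partials(worker: Iterable[WorkerConn],
                      securexl: Iterable[ConnKey]) -> dict[str, list[ConnKey]]:
    """Split partial connections by whether any traffic has been counted yet.

    'untouched': zero packets and bytes, i.e. no traffic since the state was
                 synced; these can only be handled in F2F until SecureXL learns them.
    'counted'  : non-zero counters but still missing from SecureXL; worth a closer
                 look, since re-injection normally follows the first packets.
    """
    result: dict[str, list[ConnKey]] = {"untouched": [], "counted": []}
    for c in partial_connections(worker, securexl):
        bucket = "untouched" if c.packets == 0 and c.octets == 0 else "counted"
        result[bucket].append(c.key)
    return result


def persistent_partials(first_worker: Iterable[WorkerConn], first_sxl: Iterable[ConnKey],
                        second_worker: Iterable[WorkerConn], second_sxl: Iterable[ConnKey]
                        ) -> list[ConnKey]:
    """Partial connections that are still partial in a later snapshot.

    After a failover the condition should clear as traffic arrives and the Worker
    re-injects the state, so entries that persist across snapshots are the ones
    to investigate (or simply idle connections that have not sent anything yet).
    """
    p1 = {c.key for c in partial_connections(first_worker, first_sxl)}
    p2 = {c.key for c in partial_connections(second_worker, second_sxl)}
    return sorted(p1 & p2, key=lambda k: (k.src, k.sport, k.dst, k.dport, k.proto))


# Constructed sample data (not real gateway output).
K1 = ConnKey("10.1.1.10", 51000, "192.0.2.20", 443, 6)
K2 = ConnKey("10.1.1.11", 51001, "192.0.2.21", 443, 6)
K3 = ConnKey("10.1.1.12", 40000, "198.51.100.5", 53, 17)

# Snapshot 1, taken just after a failover: K1 and K2 arrived via state sync, so the
# Worker knows them but SecureXL does not; K3 is a fresh connection seen by both.
SNAP1_WORKER = [WorkerConn(K1, 0, 0), WorkerConn(K2, 0, 0), WorkerConn(K3, 12, 1800)]
SNAP1_SXL = [K3]

# Snapshot 2, a few seconds later: packets arrived for K1 and the Worker re-injected
# it into SecureXL; K2 has still seen no traffic and remains a partial connection.
SNAP2_WORKER = [WorkerConn(K1, 4, 620), WorkerConn(K2, 0, 0), WorkerConn(K3, 40, 6100)]
SNAP2_SXL = [K1, K3]


def demo() -> dict:
    return {
        "snap1": classify_partials(SNAP1_WORKER, SNAP1_SXL),
        "snap2": classify_partials(SNAP2_WORKER, SNAP2_SXL),
        "persistent": persistent_partials(SNAP1_WORKER, SNAP1_SXL, SNAP2_WORKER, SNAP2_SXL),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Run against two snapshots taken a few seconds apart; on a healthy cluster the "persistent" list should shrink to idle connections only, while a list that does not shrink at all points at the re-injection step never happening for those flows.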