This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
hcampuzano
Participant
‎2023-08-11 12:41 PM

Bypass all Blades for a source subnet.

Hello community.
I'd like to ask if there's a way to skip all Blades for a specific sub net to a specific destination, like making the firewall to act as a router for that particular sub nets / hosts.
I was asked to do so as part of an active troubleshooting and I was told it can be done on the CLI.
I've been searching on line but had no luck.
Is it possible? Is there any documentation about it?

 

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2023-08-11 12:52 PM

Add a rule at the top of your firewall policy accepting all traffic between the subnets in question, then force the traffic into the fastpath where there will be minimal further enforcement:

sk156672: SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above

It isn't quite acting as "just a router" but it is pretty close.  Only catch is if the traffic is in the slowpath/F2F it cannot be forced to the fastpath using this technique.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
hcampuzano
Participant
‎2023-08-11 03:33 PM
In response to Timothy_Hall

Thank you very much for your input.
Is there a way to validate if the packets are going it the slowpath?

0 Kudos
Machine_Head
Collaborator
Collaborator
‎2023-08-12 01:46 AM
In response to hcampuzano

run "fwaccel conns | grep x.x.x.x". THis is the SecureXL table, means the connection is going medium/fast path. It should be most of the traffic

If your connection is there it can be accelerated with fast_accel.

 

You can check if the connection is in the fw connection table with "fw ctl conntab"

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 06 May 2025 @ 09:00 AM (EEST)

    CheckMates Live Cyprus - Performance Optimization Best Practices
    In-Person

    Wed 21 May 2025 @ 11:30 AM (CDT)

    Tempe: Hybrid Mesh
    In-Person

    Tue 03 Jun 2025 @ 09:00 AM (CEST)

    CheckMates LIve France - Workshop Check Point Quantum
    In-Person

    Tue 03 Jun 2025 @ 06:00 PM (EDT)

    Montreal: CPX Recap
    In-Person

    Tue 10 Jun 2025 @ 06:00 PM (EDT)

    Quebec City: CPX Recap
    CheckMates Events