Re: Bypass all Blades for a source subnet.

hcampuzano · ‎2023-08-11

Hello community.
I'd like to ask if there's a way to skip all Blades for a specific sub net to a specific destination, like making the firewall to act as a router for that particular sub nets / hosts.
I was asked to do so as part of an active troubleshooting and I was told it can be done on the CLI.
I've been searching on line but had no luck.
Is it possible? Is there any documentation about it?

Timothy_Hall · ‎2023-08-11

Add a rule at the top of your firewall policy accepting all traffic between the subnets in question, then force the traffic into the fastpath where there will be minimal further enforcement:

sk156672: SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above

It isn't quite acting as "just a router" but it is pretty close. Only catch is if the traffic is in the slowpath/F2F it cannot be forced to the fastpath using this technique.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

hcampuzano · ‎2023-08-11

Thank you very much for your input.
Is there a way to validate if the packets are going it the slowpath?

Machine_Head · ‎2023-08-12

run "fwaccel conns | grep x.x.x.x". THis is the SecureXL table, means the connection is going medium/fast path. It should be most of the traffic

If your connection is there it can be accelerated with fast_accel.

You can check if the connection is in the fw connection table with "fw ctl conntab"

Are you a member of CheckMates?

Bypass all Blades for a source subnet.