Bypass all Blades for a source subnet.
Hello community.
I'd like to ask if there's a way to skip all Blades for a specific subnet to a specific destination, like making the firewall act as a router for those particular subnets / hosts.
I was asked to do so as part of an active troubleshooting and I was told it can be done on the CLI.
I've been searching online but had no luck.
Is it possible? Is there any documentation about it?
Add a rule at the top of your firewall policy accepting all traffic between the subnets in question, then force the traffic into the fastpath where there will be minimal further enforcement:
sk156672: SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above
It isn't quite acting as "just a router" but it is pretty close. Only catch is if the traffic is in the slowpath/F2F it cannot be forced to the fastpath using this technique.
Thank you very much for your input.
Is there a way to validate if the packets are going in the slowpath?

Run "fwaccel conns | grep x.x.x.x". This is the SecureXL table, which means the connection is going through the medium/fast path. It should be most of the traffic.
If your connection is there it can be accelerated with fast_accel.
You can check if the connection is in the fw connection table with "fw ctl conntab"
