Hi,
What does this indicate? It's not very clear to me; do we need to make any changes?
Thanks a lot!
Accept Templates : disabled by Firewall
Layer Policy Security disables template offloads from rule #xxxx
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer Policy Security disables template offloads from rule #xxxx
Throughput acceleration still enabled.
LightSpeed Accel : disabled
After disabling the rule and re-installing the policy, check fwaccel stat again to see if there is any other issue with templates.
@RemoteUser even if fwaccel stat reports "Accept templates: enabled", the "Accelerated conns/Total conns" part of fwaccel stats -s may always report zero, and fwaccel templates -s may perennially report zero as well. This can be diagnosed with the fwaccel templates -R option added in R81.20, which will report a high percentage of "Prevented by Policy rules".
This situation is not the end of the world, and simply means that for the start of every new connection, a full rulebase lookup against the Firewall blade will always be required in the F2F/slowpath, with no accept template formation or matching possible. This is generally caused by at least one of the following situations being present:
1) In your first layer (ordered mode), or top/parent layer (non-sub-rules for inline mode), you have any blade other than Firewall enabled. If you do this the templating rate will always be zero, as enabling any other blades in that top/first layer makes matching against entities other than IP addresses and port numbers possible, which accept templating cannot handle.
2) Use of services in a rule with "Protocol Signature" set in their Advanced Properties; this option is never enabled by default. Utilization of these services in the policy will need to invoke Medium Path streaming to complete that first rulebase lookup for a new connection, which causes dramatically more CPU overhead and is wholly incompatible with the use of accept templates.
Did you read sk32578: SecureXL Mechanism?
Hi
Yes, but what does "disables template offloads from rule #xxxx" mean?
Does it affect something or not?
Remove rule #xxxx if it is not needed, or move it all the way down in rulebase.
Most of the time the rule contains traceroute or ALL_DCE_RPC ports for Windows.
Show the relevant rule. After this rule there is no performance optimization: all rules below #xxxx.
I would say if anyone on this planet can explain this perfectly, it's @Timothy_Hall
Andy
What is the rule# relative to the policy size?
Commonly this would be due to specific objects like DCOM, RPC, DCE, snmp-readonly, rip-response, which are optimally put lower in the rule base, but other potential reasons are documented in sk32578.
You can move the rule lower down or remove offending object to improve templating.
This is the rule; maybe this service is the root cause:
What happens to the rules that come after this one? This is what I want to understand.
This is in my cluster; it's not enabled.
What is the purpose of this?
Enable or disable firewall drop optimization to improve gateway resource consumption during periods of heavy traffic load. Let SecureXL handle traffic that the firewall policy determines should be dropped.
Not enabling this option means that only Allowed connections are off loaded to SecureXL, leaving the gateway to handle connections that should be dropped or rejected. For more, see:
So nowadays it would always seem better to enable it...
thanks a lot
Yes, I would, 100%
Also, can you send output of below?
Andy
[Expert@R82:0]# fwaccel templates
The templates table is empty
[Expert@R82:0]# fwaccel templates -s
Total number of templates: 0
[Expert@R82:0]#
The main outcome is that your policy has a rule with one of the SecureXL limitations affecting acceleration with templates. Below that rule, templates will not be applied. Depending on how many rules are in your rulebase and how high that limiting rule is placed in your policy, it may negatively affect the performance of your GW. From reading the discussion, I see that the DCE-RPC service is most probably the root cause.
The recommendation is to see if you can remove or edit this rule to overcome the limitation (for example, change DCE to ANY) or push it as deep as possible in your rulebase.
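As an added example (not code from the thread or from Check Point), the following shell functions parse the template section of `fwaccel stat` output, as quoted in this thread, and report for each template type whether it is disabled and which rule number is blocking it, so the check can be scripted rather than read by eye. The sample output and the rule number 42 are constructed; on a real gateway you would feed the functions with `fwaccel stat | limiting_rules`, and it is assumed the rule number always appears as "rule #<digits>" on the explanation line.

```shell
# Constructed sample modelled on the fwaccel stat lines quoted in this thread.
SAMPLE_FWACCEL_STAT='Accept Templates : disabled by Firewall
        Layer Policy Security disables template offloads from rule #42
        Throughput acceleration still enabled.
Drop Templates   : disabled
NAT Templates    : disabled by Firewall
        Layer Policy Security disables template offloads from rule #42
        Throughput acceleration still enabled.
LightSpeed Accel : disabled'

# Reads fwaccel stat output on stdin; prints one line per template type:
#   <type> <state> [rule=<n>]
limiting_rules() {
  awk '
    /Templates[[:space:]]*:/ {
      # flush the previous template type before starting a new one
      if (type != "") print type, state, (rule != "" ? "rule=" rule : "")
      type = $1
      sub(/^[^:]*:[[:space:]]*/, "")   # keep only the text after the colon
      state = $0
      rule = ""
      next
    }
    /disables template offloads from rule #/ {
      # the rule number follows "#"; drop anything after the digits
      rule = $0; sub(/.*#/, "", rule); sub(/[^0-9].*/, "", rule)
    }
    END { if (type != "") print type, state, (rule != "" ? "rule=" rule : "") }
  '
}

# Reads fwaccel stat output on stdin. Returns 0 when Accept templates are
# enabled, 1 (and prints the rule number) when a policy rule blocks them,
# which is the case discussed in this thread, and 2 when disabled otherwise.
accept_template_status() {
  line=$(limiting_rules | grep '^Accept ')
  case "$line" in
    *"rule="*) echo "$line" | sed 's/.*rule=//'; return 1 ;;
    "Accept enabled"*) return 0 ;;
    *) return 2 ;;
  esac
}

echo "$SAMPLE_FWACCEL_STAT" | limiting_rules
echo "$SAMPLE_FWACCEL_STAT" | accept_template_status \
  || echo "Accept templates are blocked by the rule printed above"
```

A non-zero exit from accept_template_status is a convenient hook for a monitoring check that fires whenever a policy install reintroduces a template-limiting rule high in the rulebase.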
I disabled the affected rule.
I have one question... If under the affected rule I have a lot of VPN S2S rules, is it possible that those rules may be affected or not?
After disabling the rule, now it seems OK.
Now, you get your answer 🙂
Great job bro!
Andy