How can I permanently disable SecureXL on R80.20?
The ability to permanently disable SecureXL was removed in R80.20.
If the solution to your problem involves disabling SecureXL, please open a TAC case.
Hi @Geomix7
The ability to permanently disable SecureXL was removed in R80.20.
But you have the possibility to control SecureXL and CoreXL paths.
Read more here:
R80.x - Performance Tuning Tip - Control SecureXL / CoreXL Paths
Please explain the reason for this - if something does not work because of SecureXL, I would open an SR# with TAC, not disable SecureXL permanently, as this is not a good idea at all.
Due to an architectural change in R80.20, the ability to permanently disable SecureXL wasn't really removed, it is just not possible any more. Disabling SecureXL long-term is not a viable solution, but here is a workaround if you absolutely must do it. Doing this may break other things though...
https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-SIT-Tunnel/m-p/28139
@Johannes_Schoen - can you please elaborate on what you mean by "without SXL all is fast"?
In general it is not good practice to disable SXL; users do it just to identify the problem, so my answer is: once you have an issue with SXL, just open a TAC case, or you can contact me directly and we will investigate the issue.
There is no reason to disable SXL.
Thanks @Ilya_Yusupov - we troubleshot the issue and found out it's a current bug with VPN acceleration when having wire-mode in use on one tunnel.
Thank You @Johannes_Schoen for your time !!!
As I mentioned before, there is no need to disable SXL unless we have an issue, so the best way to deal with it is to open a TAC case.
You can also contact me and I will do my best to assist.
Ilya, in the past I have had two issues where SecureXL genuinely broke application connectivity. In both cases the applications were custom applications.
In both cases TAC cases were raised, and in both cases TAC was unable to provide a solution.
I should point out the two times I've seen this issue were only in R77.x (when they were still in support); the first issue was resolved by upgrading from R77.10 to R77.30.
For the second (which was running R77.30 with hotfixes), we gave up on Check Point and just left it running without SecureXL, which was not the best approach, but we had no choice.
If we have an issue with SecureXL, the main observation I see is time: time to resolve the issue is way too slow. This comment is purely from my experience; again, to stress, I've seen this twice, so in my case it's a pretty rare thing.
We made some fairly significant changes to the SecureXL implementation in R80.20.
In addition, you can always disable SecureXL for a given IP using: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Even when you "disable" SecureXL these days, you're really just preventing new connections from getting templated/accelerated.
I'd still engage the TAC if you're having issues involving SecureXL.
Adding to that, there is a way to disable acceleration for specific addresses and services, but the decision to do so should be made by experts, so, once again to stress, a TAC case should be the way to handle things.
Interestingly, I have an R80.20 customer that historically does seem to have SecureXL disabled. SND is disabled, but I believe this is because the openserver is licensed for only two cores.
```
# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth8,eth9,eth10,eth11, |
| | | |eth3,eth4,eth5,eth6,eth7 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Layer xxx Security disables template offloads from rule #397
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer xxx Security disables template offloads from rule #397
Throughput acceleration still enabled.
# fwaccel on
]# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth8,eth9,eth10,eth11, |
| | | |eth3,eth4,eth5,eth6,eth7 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Layer xxx Security disables template offloads from rule #397
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer xxx Security disables template offloads from rule #397
Throughput acceleration still enabled.
# fwaccel stats -s
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/185722688 (0%)
F2Fed pkts/Total pkts : 185722688/185722688 (100%)
F2V pkts/Total pkts : 0/185722688 (0%)
CPASXL pkts/Total pkts : 0/185722688 (0%)
PSLXL pkts/Total pkts : 0/185722688 (0%)
QOS inbound pkts/Total pkts : 0/185722688 (0%)
QOS outbound pkts/Total pkts : 0/185722688 (0%)
Corrected pkts/Total pkts : 0/185722688 (0%)
```
Note: This installation has no jumbo installed (which I insisted be applied). This said, SecureXL should enable regardless.
Hi @genisis__,
As I mentioned before, there is no need to disable SXL, and if you encounter an issue that requires you to disable SXL, you may contact me directly and I will try to help push it faster, plus open a TAC case.
Regarding the second case, of R80.20 with SXL disabled, my guess is that the license does not include SXL. Is it an Open Server?
Thanks,
Ilya
Yep it's an open server (first one I've dealt with in a good few years!), never realised this was a separate license
```
# cplic print
Host Expiration Features
aa.bb.cc.dd never CPSG-C-2-500 CPSB-FW CPSG-U CPSB-VPN CPSB-ADN CPSB-IA
```
Also, thanks for offering to get involved in the SXL issue, appreciate it.
Back when I investigated SXL license issues, I found that you need to have one of the two:
1. CPSB-ADN
2. CPSB-ACCL
You have the first, so it should be enabled. If you have a TAC case for that, can you share it with me? If not, I suggest opening one so we can understand it better.
In any case, you may contact me directly via email iliay@checkpoint.com and I will do my best to help push it faster.
Thanks,
Ilya
Thanks, will reach out to you if we cannot resolve this. Presently I've not been engaged to deal with this specific issue. We are actually planning to move to new openservers running R81.
To explain the features:
At one time, these were extra (paid-for) features, but all modern Open Server SKUs include them.
Not having a license for ACCL would explain why SecureXL is disabled.
Something else interesting about your license:
@genisis__ I would strongly consider trading this license in for something modern, possibly with support for more cores.
Already suggested this.
It can be done easily, but it's not recommended at all... All you need to do is edit /etc/rc.local and add the line fwaccel off, save, and that's it. It survives the reboot and disables SXL. Personally, I would not suggest it, but it does work. I tested in R80.30, R80.40 and R81, no issues.
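An added example, not written by any poster in this thread: two audit helpers for the states discussed above, one that summarises `fwaccel stats -s` counters (flagging the 100% F2F situation shown earlier) and one that detects an uncommented `fwaccel off` line in a startup file such as /etc/rc.local. The function names and the 90% threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the 90% threshold
# are assumptions chosen for illustration.

# Summarise `fwaccel stats -s` output read from stdin.
# Prints: "<accelerated %> <F2F %> <verdict>"
sxl_summary() {
    awk '
        # The counters are the second-to-last field, e.g. "0/185722688".
        $1 == "Accelerated" && $2 == "pkts/Total" { split($(NF-1), a, "/") }
        $1 == "F2Fed"       && $2 == "pkts/Total" { split($(NF-1), f, "/") }
        END {
            total = f[2] + 0
            if (total == 0) { print "0 0 no-traffic"; exit }
            acc = int(100 * a[1] / total)
            f2f = int(100 * f[1] / total)
            # Nearly everything on the slow path means nothing is accelerated.
            print acc, f2f, (f2f >= 90 ? "slow-path" : "ok")
        }'
}

# Succeeds if FILE contains an uncommented "fwaccel off" line
# (with or without a leading path to the binary).
rc_disables_sxl() {
    grep -Eq '^[[:space:]]*([^#[:space:]]*/)?fwaccel[[:space:]]+off([[:space:]]|$)' "$1"
}

# Counters as posted in the thread above.
sample_stats() {
cat <<'EOF'
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/185722688 (0%)
F2Fed pkts/Total pkts : 185722688/185722688 (100%)
EOF
}

# On a gateway: fwaccel stats -s | sxl_summary
sample_stats | sxl_summary

# Report a persistent disable if the startup file exists and contains one.
if [ -r /etc/rc.local ] && rc_disables_sxl /etc/rc.local; then
    echo "WARNING: /etc/rc.local runs 'fwaccel off' at boot"
fi
```

A "slow-path" verdict only says that traffic is not being accelerated; as the thread shows, the cause can be licensing rather than a deliberate `fwaccel off`.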