Geomix7
Collaborator

Disable SecureXL permanent R80.20

How can I permanently disable SecureXL on R80.20?

2 Solutions

Accepted Solutions
PhoneBoy
Admin

The ability to permanently disable SecureXL was removed in R80.20.
If the solution to your problem involves disabling SecureXL, please open a TAC case.

HeikoAnkenbrand
Champion

Hi @Geomix7 

Permanently disabling SecureXL was removed in R80.20.

But you have the possibility to control SecureXL and CoreXL paths.

Read more here:
R80.x - Performance Tuning Tip - Control SecureXL / CoreXL Paths

21 Replies
G_W_Albrecht
Legend

Please explain the reason for this. If something does not work because of SecureXL, I would open an SR# with TAC, not disable SecureXL permanently, as this is no good idea at all.

0 Kudos
Geomix7
Collaborator
I would like to know if there is the possibility to disable it permanently.
0 Kudos
Johannes_Schoen
Collaborator
Did you find a solution for R80.20?
TAC cases take too much time and I currently have the same problem. Without SecureXL everything is fast and JHFs don't help. Maybe a boot script or something like that?
0 Kudos
Timothy_Hall
Champion

Due to an architectural change in R80.20, the ability to permanently disable SecureXL wasn't really removed; it is just not possible any more. Disabling SecureXL long-term is not a viable solution, but here is a workaround if you absolutely must do it. Doing this may break other things though...

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-SIT-Tunnel/m-p/28139

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Ilya_Yusupov
Employee

@Johannes_Schoen, can you please elaborate on what you mean by "without SXL all is fast"?

In general it is not good practice to disable SXL. Users do it just to identify the problem, so my answer will be: once you have an issue with SXL, just open a TAC case, or you can contact me directly and we will investigate the issues.

There is no reason to disable SXL.

0 Kudos
Johannes_Schoen
Collaborator
I know, it's not optimal, but we experience issues with Microsoft Navision and slow VPN connections.
The customer has a really long case history with Check Point and burnt a lot of money during support sessions (due to professional partner service and time), so he (and I) don't look forward to a TAC case, because there is no time for that and no one is willing to pay for these efforts.
Disabling SecureXL works as a workaround, so we are fine with that as a solution.
Johannes_Schoen
Collaborator

Thanks @Ilya_Yusupov. We troubleshot the issue and found out it's a current bug with VPN acceleration when wire mode is in use on one tunnel.

0 Kudos
Ilya_Yusupov
Employee

Thank you @Johannes_Schoen for your time!!!

As I mentioned before, there is no need to disable SXL unless we have an issue, so the best way to deal with it is to open a TAC case.

You can also contact me and I will do my best to assist.

0 Kudos
genisis__
Advisor

Ilya, in the past I have had two issues where SecureXL genuinely broke application connectivity. In both cases the applications were custom applications.

In both cases TAC cases were raised, and in both cases TAC were unable to provide a solution.

I should point out the two times I've seen this issue were only in R77.x (when they were still in support); the first issue was resolved by upgrading from R77.10 to R77.30.

The second (which was running R77.30 with hotfixes), we gave up on Check Point and just left it running without SecureXL, which was not the best approach, but we had no choice.

If we have an issue with SecureXL, the main observation I see is time: time to resolve the issue is way too slow. This comment is purely from my experience; again, to stress, I've seen this twice, so in my case it's a pretty rare thing.

0 Kudos
PhoneBoy
Admin

We made some fairly significant changes to the SecureXL implementation in R80.20.
In addition, you can always disable SecureXL for a given IP using: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
Even when you "disable" SecureXL these days, you're really just preventing new connections from getting templated/accelerated.
I'd still engage the TAC if you're having issues involving SecureXL. 

0 Kudos
_Val_
Admin

Adding to that, there is a way to disable acceleration for specific addresses and services, but the decision to do so should be made by experts, so, once again to stress, a TAC case should be the way to handle things.

0 Kudos
genisis__
Advisor

Interestingly, I have an R80.20 customer that historically does seem to have SecureXL disabled. SND is disabled, but I believe this is because the open server is licensed for only two cores.

# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth8,eth9,eth10,eth11, |
| | | |eth3,eth4,eth5,eth6,eth7 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer xxx Security disables template offloads from rule #397
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer xxx Security disables template offloads from rule #397
Throughput acceleration still enabled.

# fwaccel on

# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth8,eth9,eth10,eth11, |
| | | |eth3,eth4,eth5,eth6,eth7 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer xxx Security disables template offloads from rule #397
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer xxx Security disables template offloads from rule #397
Throughput acceleration still enabled.

# fwaccel stats -s
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/185722688 (0%)
F2Fed pkts/Total pkts : 185722688/185722688 (100%)
F2V pkts/Total pkts : 0/185722688 (0%)
CPASXL pkts/Total pkts : 0/185722688 (0%)
PSLXL pkts/Total pkts : 0/185722688 (0%)
QOS inbound pkts/Total pkts : 0/185722688 (0%)
QOS outbound pkts/Total pkts : 0/185722688 (0%)
Corrected pkts/Total pkts : 0/185722688 (0%)

Note: This installation has no jumbo installed (which I insisted be applied). This said, SecureXL should enable regardless.

0 Kudos
Ilya_Yusupov
Employee

Hi @genisis__,

As I mentioned before, there is no need to disable SXL, and if you encounter an issue that requires you to disable SXL you may contact me directly and I will try to assist in pushing it faster, plus open a TAC case.

Regarding the second case of R80.20 with SXL disabled, my guess will be that the license does not include SXL. Is it Open Server?

Thanks,

Ilya

0 Kudos
genisis__
Advisor

Yep, it's an open server (first one I've dealt with in a good few years!). I never realised this was a separate license.

# cplic print
Host Expiration Features
aa.bb.cc.dd never CPSG-C-2-500 CPSB-FW CPSG-U CPSB-VPN CPSB-ADN CPSB-IA

Also thanks for offering to get involved in the SXL issue, appreciate it.

0 Kudos
Ilya_Yusupov
Employee

Back then when I investigated the SXL license issues, I found that you need to have one of the two:

1. CPSB-ADN

2. CPSB-ACCL

You have the first, so it should be enabled. If you have a TAC case for that, can you share it with me? If not, I suggest opening one so we can understand it better.

In any case, you may contact me directly via email at iliay@checkpoint.com and I will do my best to assist in pushing it faster.

Thanks,

Ilya 

0 Kudos
genisis__
Advisor

Thanks will reach out to you if we cannot resolve this, presently I've not been engaged to deal with this specific issue.  We are actually planning to move to new openservers running R81.

0 Kudos
PhoneBoy
Admin

To explain the features:

  • CPSB-ADN is "Advanced Networking and Clustering" (Dynamic Routing + ClusterXL)
  • CPSB-ACCL is "Acceleration" (i.e. SecureXL)

At one time, these were extra (paid-for) features, but all modern Open Server SKUs include them.
Not having a license for ACCL would explain why SecureXL is disabled.

Something else interesting about your license:

  • Only 500 hosts can be behind your gateway (i.e. visible from interfaces marked internal)
  • You cannot route traffic between interfaces marked external

@genisis__ I would strongly consider trading this license in for something modern, possibly with support for more cores.

0 Kudos
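A read-only health check that answers the two questions discussed in this thread from the outputs posted in it: whether SND is actually running and traffic is going F2F, and whether the license carries one of the acceleration-capable features named above (CPSB-ACCL or CPSB-ADN). This is an added example, not code from the thread or from Check Point; it assumes the output layouts of fwaccel stat, fwaccel stats -s and cplic print shown in the posts above and uses constructed sample lines so it runs offline.

```shell
#!/bin/sh
# Added example: parse fwaccel / cplic output shaped like the thread's samples.
# On a gateway, pipe the real commands in; the three strings below are constructed.

STAT_SAMPLE='|0 |SND |disabled |eth8,eth9,eth10,eth11, |'
STATS_SAMPLE='Accelerated pkts/Total pkts : 0/185722688 (0%)
F2Fed pkts/Total pkts : 185722688/185722688 (100%)'
LIC_SAMPLE='aa.bb.cc.dd never CPSG-C-2-500 CPSB-FW CPSG-U CPSB-VPN CPSB-ADN CPSB-IA'

# Print "enabled" or "disabled" from the SND row of `fwaccel stat`.
# Columns are pipe-separated: |Id|Name|Status|Interfaces|Features|
snd_status() {
    printf '%s\n' "$1" | awk -F'|' '$3 ~ /SND/ { gsub(/ /, "", $4); print $4 }'
}

# Print the integer F2F percentage from the "F2Fed pkts/Total pkts" line of
# `fwaccel stats -s` (the value inside the trailing parentheses).
f2f_percent() {
    printf '%s\n' "$1" | awk -F'[()%]' '/^F2Fed/ { print $2 }'
}

# Print "yes" if the `cplic print` line carries CPSB-ACCL or CPSB-ADN, else "no".
license_has_accel() {
    case " $1 " in
        *" CPSB-ACCL "*|*" CPSB-ADN "*) echo yes ;;
        *) echo no ;;
    esac
}

# Verdict: "healthy" when SND is enabled and not all traffic is F2F,
# otherwise "attention" (open a TAC case rather than disabling SecureXL).
check_acceleration() {
    status=$(snd_status "$1")
    f2f=$(f2f_percent "$2")
    [ "$status" = "enabled" ] && [ "${f2f:-100}" -lt 100 ] \
        && echo healthy || echo attention
}

echo "SND: $(snd_status "$STAT_SAMPLE")  F2F: $(f2f_percent "$STATS_SAMPLE")%" \
     "license accel feature: $(license_has_accel "$LIC_SAMPLE")"
echo "verdict: $(check_acceleration "$STAT_SAMPLE" "$STATS_SAMPLE" "$LIC_SAMPLE")"
```

On the thread's sample the verdict is "attention" even though the license includes CPSB-ADN, which is exactly the mismatch the posts above discuss.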
genisis__
Advisor

Already suggested this.

0 Kudos
the_rock
Leader

It can be done easily, but it's not recommended at all... all you need to do is edit /etc/rc.local and add the line fwaccel off, save, and that's it. It survives the reboot and disables SXL. Personally, I would not suggest it, but it does work. I tested in R80.30, R80.40 and R81, no issues.

0 Kudos