Is there a way to enforce SecureXL on TCP connections?
There is a way in sk104468 to do it the other way around. There you can enforce that SecureXL will not be applied.
But I am looking for a way to do it the other way around, so I can make sure that additional blades are not causing me a big performance penalty on a high bandwidth connection.
SecureXL has two separate but related components:
Packet/Throughput Acceleration: Ability to move packets more efficiently through the firewall via the four possible paths; they are in decreasing order of efficiency: SXL, PXL, F2F, and F2F with a process space trip.
Session Rate Acceleration/Templating: Ability to "cache" rulebase lookups in SecureXL and avoid lots of expensive full rulebase lookups, especially useful in environments with a high new connection rate.
My book covers how to optimize SecureXL for best operation, R80.10 is strongly recommended as there were many, many enhancements to firewall efficiency which invalidated some of the recommendations stated in the first edition of my book. Bit too complicated to explain it all in a CheckMates post, but the best place to start are these "Super Seven" commands. Posting the output of these should provide enough detail to make a few general recommendations:
netstat -ni
grep -c ^processor /proc/cpuinfo
fwaccel stat
fwaccel stats -s
fw ctl multik stat
fw ctl affinity -l -r
fw ctl multik get_mode (R77.30) or fw ctl multik dynamic_dispatching get_mode (R80.10+)
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
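As an added example (not from the post above, not from the book it cites, and not Check Point code), here is a small parser for the summary view of `fwaccel stats -s`, one of the "Super Seven" commands. It maps the counters onto the SXL, PXL and F2F paths the post describes and flags when a large share of packets is taking the slow path or when few connections are being accelerated. The counter labels and the `hit/total (pct%)` layout are this example's assumption about the command's output, the sample text is constructed, and the 20% / 50% thresholds are illustrative, not vendor guidance.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `fwaccel stats -s` summary output. The label names and
# the "hit/total (pct%)" layout are an assumption about the real command; the
# numbers are made up for illustration.
SAMPLE_FWACCEL_STATS = """\
Accelerated conns/Total conns : 1500/4200 (35%)
Accelerated pkts/Total pkts   : 620000/1000000 (62%)
F2Fed pkts/Total pkts   : 280000/1000000 (28%)
PXL pkts/Total pkts   : 100000/1000000 (10%)
QXL pkts/Total pkts   : 0/1000000 (0%)
"""

# One counter line: "<label> : <hit>/<total> (<pct>%)"
LINE_RE = re.compile(
    r"^\s*(?P<label>[^:]+?)\s*:\s*(?P<hit>\d+)/(?P<total>\d+)\s*\((?P<pct>\d+)%\)"
)

# Assumed mapping from counter label to the SecureXL path it represents
# (decreasing efficiency: SXL, PXL, F2F).
PATH_LABELS = {
    "Accelerated pkts/Total pkts": "SXL",
    "PXL pkts/Total pkts": "PXL",
    "F2Fed pkts/Total pkts": "F2F",
}


def parse_fwaccel_stats(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {label: (hit, total)} for every counter line that matches."""
    counters: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("label")] = (int(m.group("hit")), int(m.group("total")))
    return counters


def path_shares(counters: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Fraction (0..1) of packets per path, keyed by SXL / PXL / F2F."""
    shares: Dict[str, float] = {}
    for label, path in PATH_LABELS.items():
        hit, total = counters.get(label, (0, 0))
        shares[path] = hit / total if total else 0.0
    return shares


def assess(counters: Dict[str, Tuple[int, int]],
           f2f_warn: float = 0.20,
           conn_accel_warn: float = 0.50) -> List[str]:
    """Return finding codes: F2F when too much traffic takes the slowest path,
    TEMPLATES when the accelerated-connection share is low (worth checking
    whether templating is disabled, e.g. with `fwaccel stat`)."""
    findings: List[str] = []
    shares = path_shares(counters)
    if shares["F2F"] > f2f_warn:
        findings.append("F2F")
    hit, total = counters.get("Accelerated conns/Total conns", (0, 0))
    if total and hit / total < conn_accel_warn:
        findings.append("TEMPLATES")
    return findings


if __name__ == "__main__":
    stats = parse_fwaccel_stats(SAMPLE_FWACCEL_STATS)
    for path, share in path_shares(stats).items():
        print(f"{path}: {share:.0%} of packets")
    for code in assess(stats):
        print("finding:", code)
```

On a real gateway you would feed it the live output (`fwaccel stats -s | python3 this_script.py` after swapping the constant for `sys.stdin.read()`); the F2F share is the number to watch when deciding whether an added blade is pushing a high-bandwidth flow off the accelerated path.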
It's in the works but will not be generally available, as I understand the current discussion, as it will have a security impact that people may not understand.
There is actually a way to whitelist a certain protocol & port number in SecureXL such that SecureXL will just handle it with passive streaming in the Accelerated path no matter what, and the Medium/Firewall paths will never even see it. This is similar to the "application override" feature touted by a competitor's firewall.
It involves some hand-edits to the spii.def and table.def files on the SMS. I'd rather not post the details since doing this negates almost all protections offered by the firewall, but the whitelisted traffic certainly does pass through the firewall at ludicrous speed. If you really need this info, just mention the term "spii_dport_white_list" to Check Point TAC.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
If TAC doesn't, I might have a look to get it through other channels. But from the looks of it, it seems to be casting the net too wide to be comfortable. I got 1 SK back on the keyword that seems to indicate there is in fact a bug present.
TAC just confirmed that the "spii_dport_white_list" trick does not work here. However, we have a go on a more accurate fix that will have a better balance to match the customer traffic without a big impact on security.