This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nik_Bloemers
Advisor
Advisor
‎2020-01-21 12:10 AM

F2F cluster message

Hello Check Mates,

Can anyone explain what the F2F violation 'cluster message' means?

fwaccel stats -p
F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 227              ICMP miss conn 153026
TCP-SYN miss conn 327641              TCP-other miss conn 28868624
UDP miss conn              295417 other miss conn 10604
VPN returned F2F 0              uni-directional viol 0
possible spoof viol 11              TCP state viol 0
out if not def/accl 0              bridge, src=dst 0
routing decision err 0              sanity checks failed 0
fwd to non-pivot 0              broadcast/multicast 0
cluster message 207254     cluster forward 0
chain forwarding 0              F2V conn match pkts 89454
general reason 0              route changes 0

The ATRG sk for SecureXL explains most values, but not this one. I believe this should normally be 0, so I'm wondering why it's quite high.

 

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2020-01-21 12:25 AM

F2F means "forwarded to Firewall", a.k.a "Slow Path". It applies to any packet that cannot or should not be accelerated.

The term is in fact mentioned in multiple guides and SecureKnowledge articles, for example, in sk153832, quoting:

 

"Firewall path / Slow path (F2F) - Packet flow when the SecureXL device is unable to process the packet (refer to sk32578 - SecureXL Mechanism). The packet is passed on to the CoreXL layer and then to one of the Core FW instances for full processing. This path also processes all packets when SecureXL is disabled."

 

Exactly the same statement is used in sk98722.

Nik_Bloemers
Advisor
Advisor
‎2020-01-21 12:40 AM
In response to _Val_

I am well aware of what F2F means, but I want to understand what the 'cluster message' violation reason entails.
_Val_
Admin
Admin
‎2020-01-21 01:16 AM
In response to Nik_Bloemers

@Nik_Bloemers apologies, I must have misread you original questions. 

There are two answers:

1. "Violations" here is not a good term. It generally applies to any packet that SXL cannot accelerate. It is meant as a "violation of acceleration". It does not mean there is anything wrong with the traffic.

2. Cluster messages are all CCP packets. They cannot be accelerates as they should go to CXL for the purposes of sync and health status monitoring. 

Timothy_Hall
MVP Gold
MVP Gold
‎2020-01-21 06:42 AM
In response to Nik_Bloemers

Val is correct, that counter indicates the CCP traffic.  Traffic that is addressed to the firewall itself (i.e. not transiting trying to reach a destination IP that is not the firewall) is never accelerated by SecureXL and always goes F2F.  This is expected behavior.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events