This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Arne_Boettger
Collaborator
Collaborator
‎2018-12-20 02:05 AM
Jump to solution

Mapping Rule numbers from R80.20 to fwaccel stat output

Hello,

we have VSX Gateways with R77.30 managed by R80.20. On one VS, acceleration is disabled according to fwaccel stat.

Accelerator Status : on
Accept Templates   : disabled by Firewall
                     disabled from rule #112
Drop Templates     : enabled
NAT Templates      : disabled by user

However, we see no reason for this in rule 1.112, and even moved this rule. The status did not change, neither did the rule number diabling acceleration. We found sk62323, and the note regarding R80 to add/substract one from the rule number. But the surrounding rules also dont look like they could disable acceleration.

How can we map the Rule number from R80.20 Policy to the gateway?

Regards, Arne

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-12-20 06:17 PM
In response to Arne_Boettger
Jump to solution

I believe you’ll find the relevant files in the backward compatibility directories for R77 (not in $FWDIR/conf).

View solution in original post

0 Kudos
6 Replies
Danny
MVP Platinum
MVP Platinum
‎2018-12-20 03:26 AM
Jump to solution

To understand, which rule exactly prevents SecureXL from creating Accept Templates:

  1. Open the policy files on Security Management Server / Domain Management Server:

    • $FWDIR/conf/<Security_Policy_Name>.pf
    • $FWDIR/conf/<Security_Policy_Name>.set
  2. Search for '(rule-N', where N is the rule number in the output of 'fwaccel stat'.

  3. Note the 'name' of the calculated rule within policy files.

  4. Search for 'name' within your SmartConsole rulebase (might be a completely different number to the calculated number within the policy files).
0 Kudos
Arne_Boettger
Collaborator
Collaborator
‎2018-12-20 03:35 AM
In response to Danny
Jump to solution

Hello,

 

there is no $FWDIR/conf/<Security_Policy_Name>.pf File. And the $FWDIR/conf/<Security_Policy_Name>.set was not updated since we upgraded the MDS from R77.30 to R80.20:

-rw-rw-r-- 1 admin root   15528060 Nov 28 12:36 Standard.set

So I guess Policy Compliation changed significantly with R80, not leaving this file any more.

Any other hints or ideas?

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2018-12-20 03:50 AM
In response to Arne_Boettger
Jump to solution

Try $FWDIR/state/local/FW1/local.rule

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-20 06:17 PM
In response to Arne_Boettger
Jump to solution

I believe you’ll find the relevant files in the backward compatibility directories for R77 (not in $FWDIR/conf).

0 Kudos
Arne_Boettger
Collaborator
Collaborator
‎2018-12-21 12:21 AM
In response to PhoneBoy
Jump to solution

Thank you for the reminder. We did indeed find the file under $R77CMPDIR of the CMA, found that rule #112 was indeed rule #1.112. And seeing the full rule, I realized I had hidden the "time" column in my SmartConsole.

There was a time object limiting validity, and removing this re-enabled acceleration.

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2018-12-21 01:11 AM
In response to Arne_Boettger
Jump to solution

I'm glad we could help you.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events