An IPS exception will save CPU overhead in the PXL path and probably provide a boost in speed, but will not allow the traffic to take the SXL path for full acceleration.

To make the subject traffic eligible to take the SXL path, define a Threat Prevention (TP) rule at the top of your TP policy matching the traffic, then specify a TP profile in that rule that has IPS UNchecked (I call this a "null TP profile" and it is covered in my book).  Assuming that the connection is not matching a APCL/URLF rule (the subject traffic cannot match any rule invoking APCL/URLF inspection or it will always go PXL), the traffic should then go SXL unless some other violation factor such as fragmentation mentioned by Daniel Taney‌ is present. 

Don't worry about SecureXL templates getting disabled at a certain rule (i.e. "Disabled by rule #" appears in output of fwaccel stat) as that only improves Firewall/Network Policy Layer rule lookup performance, but does not impact what path (SXL/PXL/F2F) the traffic ultimately will take.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Thanks for clarifying a number of my points! I think I missed the "Null TP Profile" suggestion in your book. I'll have to go back and revisit that section. 

Do you still need the "Null TP" rule if IPS is the only blade enabled on the GW?

If you want the traffic to potentially go SXL, yes you'll need a null profile, unless you are using the built-in Optimized/Default_Protection profile which should still allow SXL handling as long as no signature with a Performance Impact higher than Medium has been manually enabled or otherwise activated in that profile.  Be sure to check the Inspection Settings applied to the gateway as well for enabled settings with a High or Critical Performance Impact rating.

Or if you have no TP rule matching the traffic at all that will potentially allow SXL handling as well.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Dear Daniel,

the problem with SXL and exception is described in sk110519. That's one of the limitations....

As Timothy described, exception is not the solution. If you want to go sure that the SXL path is used you need a rule with a profile without any activated feature. Like this one:

Wolfgang

Dear Tim,

thanks for your explanations.

Following my original post.... Dou you know a limitation or are there any experience about the possible throughput of a single connection. What will be possible if it goes SXL path and what if it goes the slowest path ?

regards

Wolfgang

Hi Daniel,

that's what we did. We had some NetApp storage systems they do the replication between more then one system. But they are very powerful. Without IPS we got 2Gb/s throughput for this connection and a 100%CPU. The storage systems can provide more throughput, but the limitation factor is the firewall at the moment.

regards

Wolfgang

Ok... so you already have a Threat Prevention Exception rule in place? Sorry if I missed that in your original post.

A couple of other quick thoughts... do you have a rule somewhere in your rule base above the iSCSI one that is blocking SecureXL? It is getting harder for that to happen since R80.10, but it never hurts to check. Run fwaccel stat and make sure Accept Templates doesn't indicate "Disabled from Rule x". If it does indicate SecureXL is being blocked by a rule, make sure your iSCSI rule isn't below it. If it is, either move it above the rule that is stopping SecureXL or try to address why that rule is problematic for SecureXL processing. 

If you don't see SecureXL being disabled by a rule, I'd run the following to see what path your iSCSI traffic is processing in: fwaccel conns | grep <src ip> | grep <dst ip> 

I believe all dots in the Flags column indicates it is processed in SecureXL, an F means the Firewall (slowest) Path and both an F and S mean the medium path. 

There is a debug method to see why a certain connection is taking a certain path, but that could potentially cause performance issues on the Cluster while it is running. If it gets to that point, I'd recommend engaging TAC or at least running the test off-hours. 

Another reason for high CPU could be packet fragmentation. Check fw ctl pstat and fwaccel stats -p for packet fragments. If you see a high number, run the command a couple times and see if it is consistently incrementing. If packet fragments are a problem, I'd run a packet capture on the Gateway and determine the cause of the fragmenting packets. If your iSCSI traffic is using Jumbo Frames, those frames could be getting fragmented and split up on the Firewall. 

Hope this helps!

-Dan

Sorry for the double replies.. Can you also let us know what type of Check Point appliances are involved and what versions they are running? What types of Interfaces are you using (onboard 1GB, add-on 1GB copper, 10GB, 40GB, etc...)? Are you using bonding groups for link aggregation (802.3ad)? Which interfaces have Multi-Queue enabled?

Deal Daniel,

thanks vor your writing.

We don‘t have a Problem with SecureXL. The overall performance of the gateway is fine.

The gateway we are talking about is a 15400 appliance. We find the throughput values as i wrote in my original post.

playing around with some other hardware  ( 13800, 15600, 21000 ) shows other values but not significant better.

I think there is a limitation for a single connection. As I understand how CheckPoint works.... all traffic for this single connection will be handled only by one CPU. If this CPU goes to 100%, all other connections handled by this CPU, will be affected.

I think the performance of the CPU is the limiting factor? That‘s what I want to know. And maybee a way to not affect other connections if one is consumption so much load. At the moment we are speed down these with QoS, but this is only a workaround.

regards

Wolfgang