HeikoAnkenbrand (Champion)

R80.20 SecureXL + new chain modules + fw monitor

SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor".

There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.

SecureXL offloading chain modules

# fw ctl chain

The new fw monitor chain modules (SecureXL) do not run in the virtual machine (vm).

SecureXL inbound (sxl_in)          > Packet received in SecureXL from network
SecureXL inbound CT (sxl_ct)       > Accelerated packets moved from inbound to outbound processing (post routing)
SecureXL outbound (sxl_out)        > Accelerated packet starts outbound processing
SecureXL deliver (sxl_deliver)     > SecureXL transmits accelerated packet

New vm chain modules in R80.20

There are more new chain modules in R80.20:

vpn before offload (vpn_in)        > FW inbound preparing the tunnel for offloading the packet (along with the connection)
fw offload inbound (offload_in)    > FW inbound that performs the offload
fw post VM inbound (post_vm)       > Packet was not offloaded (slow path) - continue processing in FW inbound

# fw ctl chain

fw monitor chain keys

In the Firewall kernel (now also SecureXL), each kernel is associated with a key (blue) which specifies the type of traffic applicable to the chain module.

# fw ctl chain

Key        Function
ffffffff   IP Option Strip/Restore
00000001   new processed flows
00000002   wire mode
00000003   will be applied to all ciphered traffic (VPN)
00000000   SecureXL offloading (new in R80.20+)
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
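As an added illustration of how the chain list and the chain keys above fit together, here is a small parser for `fw ctl chain` output. It is example code, not Check Point's tooling and not part of the original post: the sample output is constructed from the module names and key values listed above (addresses are zero placeholders, and which key is attached to which module is illustrative only), and the line layout "index: position (address) (key) name (short name)" is assumed to match what `fw ctl chain` prints. The parser decodes each module's key with the table from the post and marks the four SecureXL modules that run outside the firewall vm, which is what you need to know when choosing an `fw monitor -p` position to see a packet before or after acceleration.

```python
"""Parse `fw ctl chain` output and annotate each chain module.

Added example; not Check Point's code and not from the original post.
SAMPLE below is CONSTRUCTED from the module names and keys in the post;
addresses are placeholders and the key-to-module assignment is illustrative.
"""
import re
from typing import List, NamedTuple

# Chain keys exactly as listed in the post.
CHAIN_KEYS = {
    0xffffffff: "IP option strip/restore",
    0x00000001: "new processed flows",
    0x00000002: "wire mode",
    0x00000003: "all ciphered traffic (VPN)",
    0x00000000: "SecureXL offloading (R80.20+)",
}

# Short names the post says run outside the firewall virtual machine (vm).
SECUREXL_MODULES = {"sxl_in", "sxl_ct", "sxl_out", "sxl_deliver"}

# Assumed line layout: "<idx>: <position> (<address>) (<key>) <name> (<short>)"
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s*(?P<pos>-?[0-9a-f]+)\s*\((?P<addr>[0-9a-f]+)\)\s*"
    r"\((?P<key>[0-9a-f]{8})\)\s*(?P<name>.+?)\s*\((?P<short>\w+)\)\s*$"
)
HEAD_RE = re.compile(r"^\s*(?P<dir>in|out) chain \((?P<count>\d+)\):")

# Constructed sample output (placeholder addresses, illustrative keys).
SAMPLE = """\
in chain (5):
        0: -7fffffff (0000000000000000) (ffffffff) SecureXL inbound (sxl_in)
        1: -7ffffffe (0000000000000000) (ffffffff) SecureXL inbound CT (sxl_ct)
        2: -7e000000 (0000000000000000) (00000003) vpn before offload (vpn_in)
        3: -7d000000 (0000000000000000) (00000000) fw offload inbound (offload_in)
        4: -7c000000 (0000000000000000) (00000001) fw post VM inbound (post_vm)
out chain (2):
        0:         0 (0000000000000000) (ffffffff) SecureXL outbound (sxl_out)
        1:  7f000000 (0000000000000000) (ffffffff) SecureXL deliver (sxl_deliver)
"""


class ChainModule(NamedTuple):
    direction: str   # "in" or "out"
    index: int       # position in the chain listing
    position: int    # signed hex position used by fw monitor -p
    key: int         # chain key (traffic type)
    name: str
    short: str

    @property
    def key_meaning(self) -> str:
        return CHAIN_KEYS.get(self.key, "unknown key")

    @property
    def runs_in_vm(self) -> bool:
        # SecureXL modules handle accelerated packets outside the vm.
        return self.short not in SECUREXL_MODULES


def parse_chain(text: str) -> List[ChainModule]:
    """Parse the in-chain and out-chain sections of `fw ctl chain` output."""
    modules: List[ChainModule] = []
    direction = None
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            direction = head.group("dir")
            continue
        m = LINE_RE.match(line)
        if m and direction:
            modules.append(ChainModule(
                direction=direction,
                index=int(m.group("idx")),
                position=int(m.group("pos"), 16),   # handles "-7fffffff"
                key=int(m.group("key"), 16),
                name=m.group("name").strip(),
                short=m.group("short"),
            ))
    return modules


def modules_outside_vm(modules: List[ChainModule]) -> List[str]:
    """Short names of modules that process packets outside the firewall vm."""
    return [m.short for m in modules if not m.runs_in_vm]


def summarize(modules: List[ChainModule]) -> List[str]:
    """One annotated line per module, in listing order."""
    out = []
    for m in modules:
        where = "vm" if m.runs_in_vm else "SecureXL (outside vm)"
        out.append(f"{m.direction:<3} {m.index:>2} {m.short:<12} "
                   f"key={m.key:08x} ({m.key_meaning}) [{where}]")
    return out


if __name__ == "__main__":
    for line in summarize(parse_chain(SAMPLE)):
        print(line)
```

Run it against real output by replacing `SAMPLE` with the captured text of `fw ctl chain` on an R80.20+ gateway; lines that do not match the assumed layout are simply skipped, so check that the parsed count equals the count in each "chain (N):" header before trusting the summary.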
6 Replies
christian_konne (Participant)

Is this only valid for R80.20 or also for R80.10?

Cheers

Christian

HeikoAnkenbrand (Champion)

Hi christian,

only R80.20+

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand (Champion)

And R80.30EA

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
TheGrave (Contributor)

Doesn't the ffffffff value actually mean that chain applies to all packets?
_Val_ (Admin)

Yes it does.

_Val_ (Admin)

In fact, here is the list:

in which mode this chain check
1 – stateful mode
2 – wired mode
3 – all packets
fff – all packets (same as 3)

0 is added, as @HeikoAnkenbrand said, but the rest of interpretation is a bit... off. 
