This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
‎2020-01-09 11:41 PM

R80.x - Performance Tuning Tip - Control SecureXL / CoreXL Paths

 

Disabling SecureXL for traffic sent from/to specific IP

 
Disabling SecureXL for traffic sent from/to specific IP addresses might be needed when it is not possible to disable SecureXL completely due to high traffic load on Security Gateway. This will route all packets through the F2F path (picture 1 green).

Tip 1

How to disable SecureXL for specific IP addresses? Edit the relevant table.def file, define the IP addresses, whose traffic should not be accelerated. More read here sk104468.

Bild1.PNG
Picture 1

Fast Acceleration

 

The Fast Acceleration (picture 2 green) feature lets you define trusted connections to allow bypassing deep packet inspection on R80.20 Take 103/ R80.30 Take 107 and above gateways. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption.

The CLI of the gateway can be used to create rules that allow you to bypass the SecureXL PSLXL path to route all connections through the fast path.

Tip 2

Use this function to exclude IP's or networks from deep inspection.

Bild2.PNG
Picture 2

Feature Attributes:

  • Configured from the gateway's CLI.
  • Can be turned On / Off, Off is the default.
  • Rules can be added / deleted by demand.
  • Configuration (State / rules) survive reboot.
  • Maintain rule hit count (does not survive reboot).
  • Every configuration change done by the user is logged in $FWDIR/log/fw_fast_accel.log file.

Read more here to create fast_accel rules:  sk156672 - SecureXL Fast Accelerator.

Tip 3

Here you can see the complete packet flow in detail: R80.x - Security Gateway Architecture (Logical Packet Flow)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
8 Replies
Joerg_Enge
Participant
‎2020-01-10 12:26 AM

Is there also a hotfix for r80.10 to use fast accel?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-01-10 04:41 AM
In response to Joerg_Enge

Yes this feature exists in R80.10 but the command is sim fastaccel, you will need R80.10 Jumbo HFA 177+ installed to use it.  More info: sk139772: SecureXL Fast Accelerator (sim fastaccel) for Non Scalable Platforms R77.30/R80.10

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Tommy_Forrest
Advisor
‎2020-01-10 08:06 AM

This is super cool!

Would be neat if we could add groups of stuff to table.def.  Like "Skype Traffic".

Then maybe we wouldn't kill all Skype call traffic each time we push policy!

Timothy_Hall
Legend Legend
Legend
‎2020-01-10 09:15 AM
In response to Tommy_Forrest

Maybe, even with traffic matching fast_accel SecureXL still has to be restarted every time policy is pushed in R80.10 and earlier.  Due to the new F2V path in R80.20+, SecureXL is not restarted every time policy is pushed on R80.20+.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
HeikoAnkenbrand
Champion Champion
Champion
‎2020-01-10 11:54 AM
In response to Timothy_Hall

SecureXL has been significantly revised in R80.20.

Yes, it's great that SecureXL is not restarted anymore in R80.20+. 

In R80.40 there will be some new interesting features 🙂

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Equipe_reseau
Participant
‎2021-04-25 08:39 PM
In response to Timothy_Hall

Hello, 

How can we notice the secure Xl was restarted or not ?

Thank you so much .

Thanks

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-04-28 05:05 AM
In response to Equipe_reseau

I looked into this and at least in R80.20+ there does not seem to be any log events kept about SecureXL being enabled/disabled via fwaccel off/on.  SecureXL can't really be completely and permanently disabled in R80.20+ anyway.  In R80.10 and earlier I vaguely remember seeing some kind of message in /var/log/messages any time SecureXL state was toggled, but I may just be remembering the message issued when the SIM driver initializes on bootup.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
mats
Participant
‎2020-05-08 12:19 AM

👍

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events