- CheckMates
- :
- Products
- :
- General Topics
- :
- Re: R80.x - Performance Tuning Tip - Control Secur...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R80.x - Performance Tuning Tip - Control SecureXL / CoreXL Paths
Disabling SecureXL for traffic sent from/to specific IP |
---|
Disabling SecureXL for traffic sent from/to specific IP addresses might be needed when it is not possible to disable SecureXL completely due to high traffic load on Security Gateway. This will route all packets through the F2F path (picture 1 green).
Tip 1
How to disable SecureXL for specific IP addresses? Edit the relevant table.def file, define the IP addresses, whose traffic should not be accelerated. More read here sk104468.
Picture 1
Fast Acceleration |
---|
The Fast Acceleration (picture 2 green) feature lets you define trusted connections to allow bypassing deep packet inspection on R80.20 Take 103/ R80.30 Take 107 and above gateways. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption.
The CLI of the gateway can be used to create rules that allow you to bypass the SecureXL PSLXL path to route all connections through the fast path.
Tip 2
Use this function to exclude IP's or networks from deep inspection.
Picture 2
Feature Attributes:
- Configured from the gateway's CLI.
- Can be turned On / Off, Off is the default.
- Rules can be added / deleted by demand.
- Configuration (State / rules) survive reboot.
- Maintain rule hit count (does not survive reboot).
- Every configuration change done by the user is logged in $FWDIR/log/fw_fast_accel.log file.
Read more here to create fast_accel rules: sk156672 - SecureXL Fast Accelerator.
Tip 3
Here you can see the complete packet flow in detail: R80.x - Security Gateway Architecture (Logical Packet Flow)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there also a hotfix for r80.10 to use fast accel?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes this feature exists in R80.10 but the command is sim fastaccel, you will need R80.10 Jumbo HFA 177+ installed to use it. More info: sk139772: SecureXL Fast Accelerator (sim fastaccel) for Non Scalable Platforms R77.30/R80.10
now available at maxpowerfirewalls.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is super cool!
Would be neat if we could add groups of stuff to table.def. Like "Skype Traffic".
Then maybe we wouldn't kill all Skype call traffic each time we push policy!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe, even with traffic matching fast_accel SecureXL still has to be restarted every time policy is pushed in R80.10 and earlier. Due to the new F2V path in R80.20+, SecureXL is not restarted every time policy is pushed on R80.20+.
now available at maxpowerfirewalls.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SecureXL has been significantly revised in R80.20.
Yes, it's great that SecureXL is not restarted anymore in R80.20+.
In R80.40 there will be some new interesting features 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
How can we notice the secure Xl was restarted or not ?
Thank you so much .
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I looked into this and at least in R80.20+ there does not seem to be any log events kept about SecureXL being enabled/disabled via fwaccel off/on. SecureXL can't really be completely and permanently disabled in R80.20+ anyway. In R80.10 and earlier I vaguely remember seeing some kind of message in /var/log/messages any time SecureXL state was toggled, but I may just be remembering the message issued when the SIM driver initializes on bootup.
now available at maxpowerfirewalls.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
👍