HeikoAnkenbrand
MVP Platinum

R82 SecureXL Flowchart - non accelerated packets

To gain a better understanding of SecureXL processing in R82, I analyzed SK179432 and SK32578 to determine which packets are not accelerated. The resulting diagram (also available as a PDF) provides an overview of which packets are processed by SecureXL and which are not. This overview is based on R82 and may differ in other versions.

Download PDF: SecureXL.pdf

SecureXL_453634.png

Version:
1.0a  initial version                                                             11/06/2025
1.0b  error fixed                                                                 11/07/2025
1.0c  additional information from @Timothy_Hall and @Thomas_Eichelbu added        11/26/2025

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
13 Replies
PhoneBoy
Admin

Possible some of this will change in R82.10 also.

HeikoAnkenbrand
MVP Platinum

I will provide a separate version for R82.10 if necessary.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
the_rock
MVP Platinum

Awesome!

Best,
Andy
HeikoAnkenbrand
MVP Platinum

I’ve fixed a small error.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Ingard
Participant

Are there any other SKs in which limitations of the performance pack are documented?

Timothy_Hall
MVP Gold

Not an SK, but identifies all known situations where traffic cannot be accelerated at all and remains F2F/slowpath:

https://community.checkpoint.com/t5/General-Topics/Be-Your-Own-TAC-Part-Deux-EMEA-Advanced-Gateway-T...

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Thomas_Eichelbu
Advisor

Hello Team!

One discovery I made with R82 and ISP Redundancy:
it seems the packets in ISP Redundancy in HA mode are NOT going F2F, but they will go F2F if ISP Redundancy in Load Sharing is used.
Take a look:


ISP in HA

ISP link table
---------------------
|Name|Status|Role   |
---------------------
|ISP1|OK    |Primary|
|ISP2|OK    |Backup |
---------------------

[Expert@XXXX:0:ACTIVE]# fw tab -t connections -z | grep ISP | grep 443
-> no results; yes, some UDP entries are found, but for example NO https connections!

STATS for HA Appliance
[Expert@XXXXX:0:ACTIVE]# fwaccel stats -s
Accelerated conns/Total conns : 487/7876 (6%)
LightSpeed conns/Total conns : 0/7876 (0%)
Accelerated pkts/Total pkts : 17176169292/18377243141 (93%)
LightSpeed pkts/Total pkts : 0/18377243141 (0%)
F2Fed pkts/Total pkts : 1201073849/18377243141 (6%)
F2V pkts/Total pkts : 119253995/18377243141 (0%)
CPASXL pkts/Total pkts : 7303913309/18377243141 (39%)
PSLXL pkts/Total pkts : 3846916101/18377243141 (20%)
UDP IS XL pkts/Total pkts : 3738203439/18377243141 (20%)


ISP in LS

ISP link table
---------------------------
|Name|Status|Role        |
---------------------------
|ISP1|OK    |Load Sharing|
|ISP2|OK    |Load Sharing|
---------------------------
[Expert@XXXXX:0:ACTIVE]# fw tab -t connections -z | grep ISP | grep 443 | more
0 10.X.X.138 57861 3.120.221.108 443 6 TCP Estab. 7193/7200 N/A ISP redundancy 135 42.19KB 12m46s 7s
0 10.X.X.127 57904 95.101.35.41 443 6 TCP Estab. 7173/7200 N/A ISP redundancy 21.22K 29.68MB 2h43m0s 27s
0 10.X.X.10 65048 104.17.141.192 443 6 TCP None 4/5 N/A ISP redundancy 13 2.91KB 1m41s 1s
0 10.X.X.71 59406 52.98.241.194 443 6 TCP Estab. 7132/7200 N/A ISP redundancy 503 349.41KB 2m51s 1m8s
0 10.X.X.60 47920 213.153.59.88 443 6 TCP Estab. 2456/7200 N/A ISP redundancy 22 6.62KB 1h27m24s 1h19m4s
0 10.X.X.21 53249 52.123.244.49 443 6 TCP Estab. 5351/7200 N/A ISP redundancy 10 2.20KB 30m49s 30m49s

STATS for LS Appliance
[Expert@XXXXX:0:ACTIVE]# fwaccel stats -s
Accelerated conns/Total conns : 66/14845 (0%)
LightSpeed conns/Total conns : 0/14845 (0%)
Accelerated pkts/Total pkts : 9464872527/25360471464 (37%)
LightSpeed pkts/Total pkts : 0/25360471464 (0%)
F2Fed pkts/Total pkts : 15895598937/25360471464 (62%)
F2V pkts/Total pkts : 168358271/25360471464 (0%)
CPASXL pkts/Total pkts : 6124577560/25360471464 (24%)
PSLXL pkts/Total pkts : 1518327241/25360471464 (5%)
UDP IS XL pkts/Total pkts : 1445088274/25360471464 (5%)


So what do you say?
So in HA we go at least Medium Path.
In LS all F2F 😞


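As an added example (not part of the thread or of any Check Point tool), the two `fwaccel stats -s` captures posted above can be parsed and compared programmatically, so that a jump in the F2F (slow path) share between two captures, such as HA vs. LS here, or before and after a JHF, is flagged from the raw counters rather than from the rounded percentages the CLI prints.

```python
import re

# The two `fwaccel stats -s` captures quoted in the post above (HA mode and LS mode).
STATS_HA = """\
Accelerated conns/Total conns : 487/7876 (6%)
LightSpeed conns/Total conns : 0/7876 (0%)
Accelerated pkts/Total pkts : 17176169292/18377243141 (93%)
LightSpeed pkts/Total pkts : 0/18377243141 (0%)
F2Fed pkts/Total pkts : 1201073849/18377243141 (6%)
F2V pkts/Total pkts : 119253995/18377243141 (0%)
CPASXL pkts/Total pkts : 7303913309/18377243141 (39%)
PSLXL pkts/Total pkts : 3846916101/18377243141 (20%)
UDP IS XL pkts/Total pkts : 3738203439/18377243141 (20%)
"""
STATS_LS = """\
Accelerated conns/Total conns : 66/14845 (0%)
LightSpeed conns/Total conns : 0/14845 (0%)
Accelerated pkts/Total pkts : 9464872527/25360471464 (37%)
LightSpeed pkts/Total pkts : 0/25360471464 (0%)
F2Fed pkts/Total pkts : 15895598937/25360471464 (62%)
F2V pkts/Total pkts : 168358271/25360471464 (0%)
CPASXL pkts/Total pkts : 6124577560/25360471464 (24%)
PSLXL pkts/Total pkts : 1518327241/25360471464 (5%)
UDP IS XL pkts/Total pkts : 1445088274/25360471464 (5%)
"""

# "<counter>/Total <unit> : <count>/<total> (<pct>%)" -- the rounded pct is ignored.
LINE_RE = re.compile(r"^(?P<name>.+?)\s*/Total (?P<unit>conns|pkts)\s*:\s*(?P<num>\d+)/(?P<den>\d+)")

def parse_fwaccel_stats(text):
    """Return {counter_name: (count, total)} for every counter line in the capture."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m["name"]] = (int(m["num"]), int(m["den"]))
    return out

def path_shares(stats):
    """Packet share (percent, one decimal) of each path, recomputed from the raw counters."""
    return {name: round(100.0 * n / d, 1)
            for name, (n, d) in stats.items() if name.endswith("pkts") and d}

def f2f_regression(before, after, threshold_pct=10.0):
    """True when the F2F share grew by more than threshold_pct points between two captures."""
    b = path_shares(before).get("F2Fed pkts", 0.0)
    a = path_shares(after).get("F2Fed pkts", 0.0)
    return a - b > threshold_pct
```

The 10-point threshold is an assumed value for illustration; tune it to the traffic mix of the gateway being monitored.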
HeikoAnkenbrand
MVP Platinum

I think the information in the SK179432 and SK32578 is not 100% accurate.
I notice slight deviations in practice. However, the information should be fine as a general guideline.

I think so too; it depends on which mode (UPPAK, KPPAK vs. USFW, KSFW) the firewall is running in.
There are indeed some behavioral differences that I notice in practice. 

There are also slight behavioral differences in the Performance Pack when using the different clustering options ClusterXL HA/LS (as you, @Thomas_Eichelbu , illustrated well above), ElasticXL and Maestro (for example, with corrected packets).

The 39xx appliances, which don’t have an Intel CPU, are also interesting.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
the_rock
MVP Platinum

Looks like both were updated on November 6th.

Best,
Andy
Timothy_Hall
MVP Gold

Appliance model number and output of fwaccel stat?

If you are in UPPAK mode, it wouldn't surprise me that old features, such as ISP Redundancy, must remain F2F/slowpath regardless of the Load Sharing or Primary/Backup setting.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Thomas_Eichelbu
Advisor

Hello,

Well, all output was made on a "Check Point 3800",
R82 HFA 39.

Screenshot 2025-11-11 151707.png

HeikoAnkenbrand
MVP Platinum

Hi @Thomas_Eichelbu,

Your firewall is operating in KPPAK mode (see picture). 

The following is only a guess:
Check Point is focusing heavily on developing the UPPAK mode. Even in, for example, R81.20 with different JHFs, a difference in behavior can be observed. I believe the functions described in the SKs are therefore not 100% accurate. I have also noticed that in KPPAK, after installing a JHF, the behavior of the firewall changed. But with R82.10, there will only be UPPAK anyway.

KPPAK_23475493.png

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
MVP Platinum

Additional information (version 1.0c) from @Timothy_Hall and @Thomas_Eichelbu added.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips