I will provide a separate version for R82.10 if necessary.

Not an SK, but identifies all known situations where traffic cannot be accelerated at all and remains F2F/slowpath:

https://community.checkpoint.com/t5/General-Topics/Be-Your-Own-TAC-Part-Deux-EMEA-Advanced-Gateway-T...

Hello Team!

one discovery i made with R82 and ISP redundancy.
it seem the packets in ISP Redundancy in HA mode are NOT going F2F, but they will go F2F if ISP Redundancy in Load Sharing used.
take a look:


ISP in HA

ISP link table
---------------------
|Name|Status|Role |
---------------------
|ISP1|OK |Primary|
|ISP2|OK |Backup |
---------------------

[Expert@XXXX:0:ACTIVE]# fw tab -t connections -z | grep ISP | grep 443
-> no results, yes some UDP entries are found, but for example NO https connctions!

STATS for HA Appliance
[Expert@XXXXX:0:ACTIVE]# fwaccel stats -s
Accelerated conns/Total conns : 487/7876 (6%)
LightSpeed conns/Total conns : 0/7876 (0%)
Accelerated pkts/Total pkts : 17176169292/18377243141 (93%)
LightSpeed pkts/Total pkts : 0/18377243141 (0%)
F2Fed pkts/Total pkts : 1201073849/18377243141 (6%)
F2V pkts/Total pkts : 119253995/18377243141 (0%)
CPASXL pkts/Total pkts : 7303913309/18377243141 (39%)
PSLXL pkts/Total pkts : 3846916101/18377243141 (20%)
UDP IS XL pkts/Total pkts : 3738203439/18377243141 (20%)

ISP in LS

ISP link table
------------------------------------
|Name |Status|Role |
------------------------------------
|ISP1 |OK |Load Sharing|
|ISP2 |OK |Load Sharing|
------------------------------------
[Expert@XXXXX:0:ACTIVE]# fw tab -t connections -z | grep ISP | grep 443 | more
0 10.X.X.138 57861 3.120.221.108 443 6 TCP Estab. 7193/7200 N/A ISP redundancy 135 42.19KB 12m46s 7s
0 10.X.X.127 57904 95.101.35.41 443 6 TCP Estab. 7173/7200 N/A ISP redundancy 21.22K 29.68MB 2h43m0s 27s
0 10.X.X.10 65048 104.17.141.192 443 6 TCP None 4/5 N/A ISP redundancy 13 2.91KB 1m41s 1s
0 10.X.X.71 59406 52.98.241.194 443 6 TCP Estab. 7132/7200 N/A ISP redundancy 503 349.41KB 2m51s 1m8s
0 10.X.X.60 47920 213.153.59.88 443 6 TCP Estab. 2456/7200 N/A ISP redundancy 22 6.62KB 1h27m24s 1h19m4s
0 10.X.X.21 53249 52.123.244.49 443 6 TCP Estab. 5351/7200 N/A ISP redundancy 10 2.20KB 30m49s 30m49s

STATS for LW Appliance
[Expert@XXXXX:0:ACTIVE]# fwaccel stats -s
Accelerated conns/Total conns : 66/14845 (0%)
LightSpeed conns/Total conns : 0/14845 (0%)
Accelerated pkts/Total pkts : 9464872527/25360471464 (37%)
LightSpeed pkts/Total pkts : 0/25360471464 (0%)
F2Fed pkts/Total pkts : 15895598937/25360471464 (62%)
F2V pkts/Total pkts : 168358271/25360471464 (0%)
CPASXL pkts/Total pkts : 6124577560/25360471464 (24%)
PSLXL pkts/Total pkts : 1518327241/25360471464 (5%)
UDP IS XL pkts/Total pkts : 1445088274/25360471464 (5%)

so what u say.
so in HA we go at least Medium Path.
in LS all F2F 😞

I think the information in the SK179432 and SK32578 is not 100% accurate.
I notice slight deviations in practice. However, the information should be fine as a general guideline.

I think so too; it depends on which mode (UPPAK, KPPAK vs. USFW, KSFW )  the firewall is running in.
There are indeed some behavioral differences that I notice in practice. 

There are also slight behavioral differences in the Performance Pack when using the different clustering options ClusterXL HA/LS (as you, @Thomas_Eichelbu , illustrated well above), ElasticXL and Maestro (for example, with corrected packets).

The 39xx appliances, which don’t have an Intel CPU, are also interesting.

Looks both were updated on November 6th.

Appliance model number and output of fwaccel stat? 

If you are in UPPAK mode, it wouldn't surprise me that old features, such as ISP Redundancy, must remain F2F/slowpath regardless of the Load Sharing or Primary/Backup setting.

Hello, 

well all output was made on "Check Point 3800"
R82 HFA 39

Hi @Thomas_Eichelbu,

Your firewall is operating in KPPAK mode (see picture). 

The following is only a guess:
Check Point is focusing heavily on developing the UPPAK mode. Even in, for example R81.20 with different JHFs, a difference in behavior can be observed. I believe the functions described in the SKs are therefore not 100% accurate. I have also noticed that in KPPAK, after installing a JHF, the behavior of the firewall changed. But with R82.10, there will only be the UPPAK anyway.