Secure XL
Secure XL considers a partial connection an accelerated path, but by definition a partial connection is a "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table".
So my confusion is: what connection is considered a partial connection?
How does SecureXL know that a particular connection is a partial connection?
Thanks
Here is an old datasheet that might be helpful:
Also, from the admin guide:
Using SecureXL
SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise security. When SecureXL is enabled on a Security Gateway, some CPU intensive operations are processed by virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:
- Slow path - Packets and connections that are inspected by the Firewall and are not processed by SecureXL.
- Accelerated path - Packets and connections that are offloaded to SecureXL and are not processed by the Firewall.
- Medium path - Packets that require deeper inspection cannot use the accelerated path. It is not necessary for the Firewall to inspect these packets; they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.
The goal of a SecureXL configuration is to minimize the connections that are processed on the slow path.
The link is broken.
Hi Brian,
Thanks for the response.
I'm still confused about the query below.
When we look at the SecureXL connection table, we see tags such as p/P, which mean partial/not partial.
How does SecureXL know whether a particular connection is partial or not?
If we go by the definition "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table",
in my opinion SecureXL queries the firewall, maybe??
Partial connections are used when specific features such as NAT templates and drop templates are used. The idea is to make sure the Performance Pack knows that a connection exists and will not drop an S2C packet of an existing connection on a drop template, or re-use a NAT port when opening a new connection if the port is already in use. When SecureXL is turned on (e.g. after running `fwaccel off` and `fwaccel on`), SecureXL will iterate over the connections tables and will offload partial connections if needed.
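To make the two points above concrete (the slow/accelerated path split from the admin guide excerpt, and Gal's explanation of why a partial entry exists at all), here is a small Python model added as an example. It is not Check Point code and not taken from this thread: the table layouts, the `"partial"`/`"full"` flags, the order in which the fast path checks its connection table and drop templates, and the behaviour of `fwaccel off`/`fwaccel on` are all assumptions made to illustrate the idea. It shows that a partial entry is what stops SecureXL from dropping the server-to-client half of a Firewall-owned connection on a drop template, and from handing out a NAT port that such a connection already holds.

```python
from dataclasses import dataclass, field
from typing import Dict, NamedTuple, Set, Tuple


class Conn(NamedTuple):
    """Five-tuple as the gateway stores it (constructed; post-NAT values assumed)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Conn":
        # Server-to-client direction of the same connection.
        return Conn(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Gateway:
    fw_conns: Set[Conn] = field(default_factory=set)           # Firewall connections table
    sxl_conns: Dict[Conn, str] = field(default_factory=dict)   # SecureXL table: Conn -> "full" / "partial"
    drop_templates: Set[Tuple[str, str, int]] = field(default_factory=set)  # offloaded (proto, dst, dport)
    nat_pool: Tuple[int, ...] = (10000, 10001, 10002)          # hide-NAT source ports (constructed)
    accel_on: bool = True

    def open_connection(self, c: Conn, offload: bool) -> None:
        """Firewall admits a new client-to-server connection. Fully accelerated ones
        are handed to SecureXL; all others get a partial entry so SecureXL at least
        knows the connection exists (assumed model of Gal's description)."""
        self.fw_conns.add(c)
        if self.accel_on:
            self.sxl_conns[c] = "full" if offload else "partial"

    def handle_s2c_packet(self, pkt: Conn) -> str:
        """SecureXL's decision for a server-to-client packet. Assumed order:
        connection lookup first, drop template second, otherwise slow path."""
        if not self.accel_on:
            return "slow"
        state = self.sxl_conns.get(pkt.reverse())
        if state == "full":
            return "accelerated"       # SecureXL owns the state: accelerated path
        if state == "partial":
            return "slow"              # known connection, Firewall owns the state
        if (pkt.proto, pkt.dst, pkt.dport) in self.drop_templates:
            return "drop-template"     # unknown packet matching an offloaded drop rule
        return "slow"

    def allocate_nat_port(self) -> int:
        """Hide-NAT port chosen from what SecureXL can see. Partial entries are what
        keep it from reusing a port held by a Firewall-owned connection."""
        in_use = {c.sport for c in self.sxl_conns}
        for port in self.nat_pool:
            if port not in in_use:
                return port
        raise RuntimeError("NAT pool exhausted")

    def fwaccel(self, on: bool) -> None:
        """Model of `fwaccel off` / `fwaccel on`: on re-enable, walk the Firewall
        table and offload partial entries for connections SecureXL does not have."""
        self.accel_on = on
        if not on:
            self.sxl_conns.clear()     # assumption: SecureXL state is discarded when off
            return
        for c in self.fw_conns:
            self.sxl_conns.setdefault(c, "partial")


def demo() -> dict:
    """Walk through the situations the thread mentions; returns the observed results."""
    gw = Gateway(drop_templates={("tcp", "10.0.0.5", 40000)})
    c1 = Conn("tcp", "10.0.0.5", 40000, "203.0.113.10", 443)
    reply = c1.reverse()
    out = {}
    # 1. Drop template: the same reply is dropped while SecureXL has no entry, and
    #    handed to the Firewall once a partial entry says the connection exists.
    out["reply_unknown"] = gw.handle_s2c_packet(reply)
    gw.open_connection(c1, offload=False)
    out["reply_partial"] = gw.handle_s2c_packet(reply)
    # 2. NAT port reuse: a connection opened while acceleration is off lives only
    #    in the Firewall table; `fwaccel on` re-creates its partial entry.
    gw.fwaccel(False)
    c2 = Conn("tcp", "198.51.100.1", 10000, "203.0.113.20", 80)   # holds NAT port 10000
    gw.open_connection(c2, offload=False)
    out["sxl_knows_c2_while_off"] = c2 in gw.sxl_conns
    gw.fwaccel(True)
    out["sxl_state_c2_after_on"] = gw.sxl_conns.get(c2)
    out["next_nat_port"] = gw.allocate_nat_port()                 # 10000 is skipped
    # 3. A fully offloaded connection is answered on the accelerated path.
    c3 = Conn("tcp", "10.0.0.7", 50000, "203.0.113.30", 22)
    gw.open_connection(c3, offload=True)
    out["reply_full"] = gw.handle_s2c_packet(c3.reverse())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately lets SecureXL consult only its own table when allocating a NAT port and when evaluating a drop template; that is exactly the situation in which a connection known only to the Firewall would be mishandled, and the partial entry is the piece of shared state that closes the gap. The real gateway's tables and lookup order are not documented on this page, so treat the decision logic as illustrative.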
Hi Gal,
Don't anticipated connections prevent the dropping of connections due to drop templates?
When we look at the SecureXL connection table, we see tags such as p/P, which mean partial/not partial.
How does SecureXL know whether a particular connection is partial or not?
If we go by the definition "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table",
in my opinion SecureXL queries the firewall, maybe??
Hi Atul_Sharma.
I found information about your question here:
http://dkcheckpoint.blogspot.com/2019/01/r80x-security-gateway-architecture.html
I understood that a partial connection is when a TCP handshake has been established, and a non-partial connection is when it is about to do a TCP handshake. In other words, a partial connection carries data, and a non-partial connection carries packets such as SYN, ACK, SYN-ACK, RST, FIN, and FIN-ACK.
Regards!
