Atul_Sharma
Participant

SecureXL

SecureXL considers a partial connection as an accelerated path, but by definition a partial connection means a "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table".

So my confusion is: what connection is considered a partial connection?

How does SecureXL know that a particular connection is a partial connection?

Thanks

0 Kudos
5 Replies
Brian_Deutmeyer
Collaborator

Here is an old datasheet that might be helpful:

https://www.checkpoint.com/downloads/campaigns/whitepapers/performance-innovations-with-software-bla...

Also, from the admin guide:

Using SecureXL

SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise security. When SecureXL is enabled on a Security Gateway, some CPU intensive operations are processed by virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:

  • Slow path - Packets and connections that are inspected by the Firewall and are not processed by SecureXL.
  • Accelerated path - Packets and connections that are offloaded to SecureXL and are not processed by the Firewall.
  • Medium path - Packets that require deeper inspection cannot use the accelerated path. It is not necessary for the Firewall to inspect these packets, they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.

The goal of a SecureXL configuration is to minimize the connections that are processed on the slow path.

0 Kudos
Atul_Sharma
Participant

Hi Brian,

Thanks for the response.
I'm still confused about the query below.

When we look at the SecureXL connection table, we see tags such as p/P, which mean partial/not partial.
How does SecureXL know whether a particular connection is partial or not?

If we go by the definition "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table"

in my opinion, SecureXL queries the firewall, maybe??

0 Kudos
Gal_Katz
Employee

Partial connections are used when specific features such as NAT templates and drop templates are used. The idea is to make sure the Performance Pack knows that a connection exists and will not drop an S2C packet of an existing connection on a drop template, or re-use a NAT port when opening a new connection if the port is already in use. When SecureXL is being turned on (e.g. after running `fwaccel off` and `fwaccel on`), SecureXL will iterate over the connections tables and will offload partial connections if needed.

0 Kudos
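To make the mechanism in the reply above concrete, here is a small model added for this thread. It is not Check Point's code: the two tables, the template patterns, the port pool and the sample addresses are all constructed. It treats a partial entry as a placeholder SecureXL keeps for a connection the Firewall handles itself, so that drop templates and NAT port allocation (which only consult SecureXL's own table) still see the connection, and it models the `fwaccel off` / `fwaccel on` re-offload as a walk over the Firewall table.

```python
"""Toy model of SecureXL partial connections (constructed example, not Check Point code)."""
from dataclasses import dataclass, field

# Connection key: (src_ip, src_port, dst_ip, dst_port, proto). Sample values are constructed.
# For a hide-NAT'd connection src_port is the translated (outside) port.


def reverse_key(key):
    """Server-to-client (S2C) direction of a client-to-server key."""
    src_ip, src_port, dst_ip, dst_port, proto = key
    return (dst_ip, dst_port, src_ip, src_port, proto)


@dataclass
class GatewayModel:
    fw_conns: dict = field(default_factory=dict)    # Firewall Connections Table
    sxl_conns: dict = field(default_factory=dict)   # SecureXL Connections Table: key -> is_partial
    drop_templates: list = field(default_factory=list)  # (dst_ip, proto) patterns, hypothetical format
    nat_pool: range = field(default_factory=lambda: range(10000, 10004))  # hypothetical hide-NAT pool
    templates_enabled: bool = True                  # whether partial entries are offloaded at all

    def _matches_drop_template(self, key):
        _, _, dst_ip, _, proto = key
        return (dst_ip, proto) in self.drop_templates

    def open_connection(self, key, accelerate):
        """Firewall accepts a connection. Fully accelerated flows get a normal
        SecureXL entry; flows kept on the slow path get only a partial entry,
        and only when templates are in use (otherwise SecureXL never learns of them)."""
        self.fw_conns[key] = "established"
        if accelerate:
            self.sxl_conns[key] = False   # not partial: SecureXL forwards it
        elif self.templates_enabled:
            self.sxl_conns[key] = True    # partial: known to exist, Firewall still inspects

    def handle_packet(self, key):
        """SecureXL-side verdict for one packet: 'accelerated', 'slow_path' or 'dropped'."""
        for k in (key, reverse_key(key)):        # either direction of a known connection
            if k in self.sxl_conns:
                return "slow_path" if self.sxl_conns[k] else "accelerated"
        if self._matches_drop_template(key):     # no known connection: template applies
            return "dropped"
        return "slow_path"                       # unknown flow: the Firewall decides

    def allocate_nat_port(self):
        """NAT template picks a hide-NAT source port. Only SecureXL's own table is
        consulted, so partial entries are what stop a slow-path connection's port
        from being handed out again."""
        used = {k[1] for k in self.sxl_conns}
        for port in self.nat_pool:
            if port not in used:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def resync(self):
        """Model of `fwaccel off` then `fwaccel on`: SecureXL's table is rebuilt by
        walking the Firewall table and re-offloading partial entries. Returns the
        number of entries recreated."""
        self.sxl_conns.clear()
        if self.templates_enabled:
            for key in self.fw_conns:
                self.sxl_conns[key] = True
        return len(self.sxl_conns)


def demo(templates_enabled=True):
    """Run the scenario with and without partial entries and return the verdicts."""
    gw = GatewayModel(templates_enabled=templates_enabled)
    # Constructed policy: a drop template for new inbound TCP to the client 192.0.2.10.
    gw.drop_templates.append(("192.0.2.10", "tcp"))
    # Constructed connection the Firewall keeps on the slow path, hide-NAT port 10000.
    c2s = ("192.0.2.10", 10000, "198.51.100.7", 443, "tcp")
    gw.open_connection(c2s, accelerate=False)
    return {
        "s2c_verdict": gw.handle_packet(reverse_key(c2s)),          # reply of existing connection
        "new_inbound_verdict": gw.handle_packet(("203.0.113.9", 5555, "192.0.2.10", 22, "tcp")),
        "next_nat_port": gw.allocate_nat_port(),
        "entries_after_resync": gw.resync(),
    }


if __name__ == "__main__":
    print("with partial entries:   ", demo(True))
    print("without partial entries:", demo(False))
```

With partial entries the S2C reply is passed to the Firewall and the next NAT port skips 10000; without them the same reply hits the drop template and port 10000 is handed out a second time, which is exactly the failure the partial entries exist to prevent.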
Atul_Sharma
Participant

Hi Gal,

Don't anticipated connections prevent the dropping of connections due to drop templates?

When we look at the SecureXL connection table, we see tags such as p/P, which mean partial/not partial.
How does SecureXL know whether a particular connection is partial or not?

If we go by the definition "connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table"

in my opinion, SecureXL queries the firewall, maybe??

0 Kudos
VictorRuiz
Explorer

Hi Atul_Sharma.

I found information about your question here:

http://dkcheckpoint.blogspot.com/2019/01/r80x-security-gateway-architecture.html

I understood that a partial connection is one where a TCP handshake has been established, and a non-partial connection is one that is about to do a TCP handshake. In other words, a partial connection carries data, and a non-partial connection carries packets such as SYN, ACK, SYN-ACK, RST, FIN, and FIN-ACK.

Regards!

0 Kudos