
SecureXL - Alternative method to identify rule causing templates to be disabled


Hello,

 

Is there an alternative way to identify exactly what is causing Accept Templates to be disabled? The output from "fwaccel stat" has an output display issue and does not show me the information.

 

[Screenshot: SecureXL.PNG, fwaccel stat output]

 

All I can see is "Layer ---", there is a missing carriage return and then "Drop Templates".

Many thanks,

Michael


Accepted Solutions

Re: SecureXL - Alternative method to identify rule causing templates to be disabled


Strange, it looks like fwaccel stat is not displaying its output correctly.  Please provide the output of fwaccel templates -s and fwaccel templates -S, as I suspect Accept templating is actually working.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com


Re: SecureXL - Alternative method to identify rule causing templates to be disabled


Ah here we go, your policy layer name must be longer than 32 characters.  Shorten it and the fwaccel stat output will start working correctly:

sk145533: "Layer ---" is displayed instead of specific layer name and rule number in output of 'fwac...

 



Re: SecureXL - Alternative method to identify rule causing templates to be disabled


Which version do you use? AFAIK, this is the only way to display these layers. Even looks like an issue for TAC to me...


Re: SecureXL - Alternative method to identify rule causing templates to be disabled

ZZZZZZZZ> cpinfo -y all

This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
No hotfixes..

[MGMT]
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 111

[CPFC]
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 111

[FW1]
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 111

FW1 build number:
This is Check Point's software version R80.30 - Build 078
kernel: R80.30 - Build 076

[SecurePlatform]
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 111

[DIAG]
No hotfixes..

[PPACK]
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 111

[CVPN]
No hotfixes..

[CPUpdates]
BUNDLE_CPINFO Take: 50
BUNDLE_INFRA_AUTOUPDATE Take: 19
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 13
BUNDLE_R80_30_JUMBO_HF_MAIN_SC Take: 132
BUNDLE_R80_30_JUMBO_HF_MAIN Take: 111

[CPinfo]
No hotfixes..

[AutoUpdater]
No hotfixes..

[CPDepInst]
No hotfixes..

Re: SecureXL - Alternative method to identify rule causing templates to be disabled


Is the firewall being managed by MDSM/Provider-1, and if so are there global rules being inserted at the top of the policy?  Also please provide the output of enabled_blades.

 

 


Re: SecureXL - Alternative method to identify rule causing templates to be disabled


Hello,

The cluster is not managed as part of an MDM environment, so there are no global rules. The following blades are activated:

[Screenshot: blades.PNG, Blades]

Regards,

Michael


Re: SecureXL - Alternative method to identify rule causing templates to be disabled


Try temporarily disabling Anti-bot, reinstall policy, then check Accept templating status again.

 


Re: SecureXL - Alternative method to identify rule causing templates to be disabled

Hello, unfortunately no difference after disabling Anti-Bot blade.

Re: SecureXL - Alternative method to identify rule causing templates to be disabled


Are you using any of those in the policy: 'dhcp-request' / 'dhcp-reply' / 'dhcpv6-request' / 'dhcpv6-reply' / 'dhcpv6-relay'?

 

If yes, look here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...



Re: SecureXL - Alternative method to identify rule causing templates to be disabled

Thanks, this solved the display issue.
