This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jerry
Mentor
Mentor
‎2019-03-13 09:19 AM

SecureXL PXL ...

quick one chaps:

Accelerated conns/Total conns : 1287/12967 (9%)
Accelerated pkts/Total pkts   : 14781656997/19848761750 (74%)
F2Fed pkts/Total pkts   : 372423984/19848761750 (1%)
PXL pkts/Total pkts   : 4694680769/19848761750 (23%)
QXL pkts/Total pkts   : 0/19848761750 (0%)

what do you think personally went wrong with my SG so that I've got PXL 23% ?

 

any hints/tips/advise highly appreciated 🙂

Jerry
0 Kudos
13 Replies
Daniel_Taney
Advisor
‎2019-03-13 09:28 AM

What blades are enabled on this GW?

R80 CCSA / CCSE
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-13 09:30 AM
In response to Daniel_Taney

just FW and VPN not a single other one 🙂 it is a ClusterXL A/S mode R80.10 recent take.
Jerry
0 Kudos
Daniel_Taney
Advisor
‎2019-03-13 09:44 AM
In response to Jerry

What are the main types of traffic going through this FW? For example, could there be a high amount of VoIP or NAT'd traffic passing through?

What model Appliance is the GW running on? If you look at netstat -ni do you see a large amount of RX-DRP on any Interfaces?

 

R80 CCSA / CCSE
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-13 09:48 AM
In response to Daniel_Taney

Daniel,

 

1. data rather than voice, no SIP really pass-through though

2. appliance 5600 in A/S HA

3. see below, although I don't believe that traffic wise there is something wrong I"m rather thinking about the fwaccell itself that some rules malform secureXL processing with fwk_x

 

Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt       1500   0 11494072815      0      0      0 24103977662      0      0      0 BMRU
Sync       1500   0 138483134      0      0      0 375625940      0      0      0 BMRU
eth1-01    1500   0 61789690671      0      0      0 48260619502      0      0      0 BMRU
eth1-01.x  1500   0 3708121712      0      0      0 172286544      0      0      0 BMRU
eth1-01.x  1500   0 12412525      0      0      0  7472255      0      0      0 BMRU
eth1-01.x  1500   0 282997295      0      0      0 24901857      0      0      0 BMRU
eth1-01.x  1500   0 40214932      0      0      0  3581429      0      0      0 BMRU
eth1-01.x  1500   0 27668543605      0      0      0 76275452      0      0      0 BMRU
eth1-01.x  1500   0 326260080      0      0      0 378986686      0      0      0 BMRU
eth1-01.x  1500   0 210683847      0      0      0  4968650      0      0      0 BMRU
eth1-01.x  1500   0 17659464745      0      0      0 54373736      0      0      0 BMRU
eth1-01.x  1500   0  1824139      0      0      0   654386      0      0      0 BMRU
eth1-01.x  1500   0 228405787      0      0      0 34088098      0      0      0 BMRU
eth1-01.x  1500   0 124398097      0      0      0 32073865      0      0      0 BMRU
eth1-01.x  1500   0 794263868      0      0      0  3945996      0      0      0 BMRU
eth1-01.x  1500   0 4759642177      0      0      0 236294641      0      0      0 BMRU
eth3       1500   0 2888482568      0      0      0 2453482378      0      0      0 BMRU
eth4       1500   0 84601735      0      0      0 27402403      0      0      0 BMRU
eth8       1500   0 1268296181      0      0      0 2475779489      0      0      0 BMRU
lo        16436   0  5167245      0      0      0  5167245      0      0      0 LRU

Jerry
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-13 09:49 AM
In response to Daniel_Taney

btw. no SIM affinity in use 🙂 no point, it's not VSX.
Jerry
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-13 09:52 AM
In response to Daniel_Taney

hm, also one more thing to add to the bucket:

drop-reasons I've got 97% as "monitored spoofed" 😞 very weak design though network wise ... cpview rocks!
Jerry
0 Kudos
Daniel_Taney
Advisor
‎2019-03-13 09:56 AM
In response to Jerry

I think that means Anti-Spoofing is set to detect on an Interface. Do you have any Anti-Spoofing events in your fw logs?

R80 CCSA / CCSE
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-13 09:41 AM
In response to Daniel_Taney

also see enclosed 🙂

Jerry
Capture.PNG
Preview file
15 KB
0 Kudos
Wolfgang
Authority
Authority
‎2019-03-13 10:09 AM

Do you have any rule for Microsoft CIFS-Traffic something like the all_dce_rpc service?

These kind of traffic isn‘t accelerated.

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-13 11:46 AM
In response to Wolfgang

yes they do have lots of SMB/CIFS but ... so many really?

ps. that was a quizz btw. 🙂
Jerry
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-13 01:23 PM

You found more informations to PXL here:

R80.x Security Gateway Architecture (Logical Packet Flow)

R80.x Security Gateway Architecture (Content Inspection)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Jerry
Mentor
Mentor
‎2019-03-14 01:39 AM
In response to HeikoAnkenbrand

Cheers Heik0, as usual spot-on 🙂
Jerry
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-13 01:27 PM

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top