Securexl R80.30
Hi, I have two firewalls with weird numbers:
1st firewall
fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth5,eth1,eth6,eth2,eth3,|
| | | |eth4 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
fwaccel stats -s
Accelerated conns/Total conns : 3803/38042 (9%)
Accelerated pkts/Total pkts : 476758453777/898329277875 (53%)
F2Fed pkts/Total pkts : 475374045/898329277875 (0%)
F2V pkts/Total pkts : 3137871726/898329277875 (0%)
CPASXL pkts/Total pkts : 0/898329277875 (0%)
PSLXL pkts/Total pkts : 421095450053/898329277875 (46%)
QOS inbound pkts/Total pkts : 0/898329277875 (0%)
QOS outbound pkts/Total pkts : 0/898329277875 (0%)
Corrected pkts/Total pkts : 0/898329277875 (0%)
enabled_blades
fw vpn mon vpn
2nd firewall (the rule 244 is the last before the drop rule)
fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.
fwaccel stats -s
Accelerated conns/Total conns : 728/3817 (19%)
Accelerated pkts/Total pkts : 65933847419/111490474546 (59%)
F2Fed pkts/Total pkts : 22602056/111490474546 (0%)
F2V pkts/Total pkts : 81009543/111490474546 (0%)
CPASXL pkts/Total pkts : 0/111490474546 (0%)
PSLXL pkts/Total pkts : 45534025071/111490474546 (40%)
QOS inbound pkts/Total pkts : 28690657512/111490474546 (25%)
QOS outbound pkts/Total pkts : 37344603189/111490474546 (33%)
Corrected pkts/Total pkts : 0/111490474546 (0%)
enabled_blades
fw vpn ips qos mon vpn
Do you have an idea as to why the numbers are so low (especially for Accelerated conns/Total conns)?
That's going to reduce the number of fully accelerated connections.
The first firewall has a significant amount of PXL traffic for only having FW, VPN, and Monitoring.
What services are in your policy?
Hi,
Please disable tls parser on both gw's:
fw ctl set int tls_parser_enable 0
Hi, what is tls_parser?
See this thread, it is a known issue with certain combinations of blades enabled that can cause high PSLXL levels:
now available at maxpowerfirewalls.com
Hi, thanks for the information. When I have a maintenance window, I will apply this modification.
Hi, first, thanks for the answer.
On the second firewall I have the IPS blade activated but no threat prevention policy pushed to the gateway, and I have a few rules for QoS (<10 rules) but a lot of VPN.
On the first firewall, it's a firewall between the internet and our web proxy (we have 50 rules). It's principally web services (http/https).
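
One way to triage the output posted at the top of this thread, as an added example that is not from any poster or from Check Point: it reads `fwaccel stat` and `fwaccel stats -s` text on stdin, lists which rule disables which templates, and recomputes the per-path shares. The function names and the 30% PSLXL threshold are assumptions; the sample lines are copied from the second firewall's output in the first post.

```shell
# Added example: triage SecureXL text output read from stdin (runs offline).
PSLXL_WARN_PCT=${PSLXL_WARN_PCT:-30}   # assumed review threshold, not a vendor value

# `fwaccel stats -s` ratio lines -> "Name numerator denominator percent"
parse_stats() {
    awk -F' *: *' '$1 ~ "/Total (conns|pkts)$" {
        name = $1; sub("/.*", "", name); gsub(" ", "_", name)
        split($2, v, "[/ ]")
        printf "%s %s %s %.1f\n", name, v[1], v[2], (v[2] > 0 ? 100 * v[1] / v[2] : 0)
    }'
}

# `fwaccel stat` -> "<template type>: rule <n>" for each type the policy disables
template_blockers() {
    awk -F' *: *' '
        /Templates *: *disabled/ { kind = $1; next }
        kind != "" && match($0, /from rule #[0-9]+/) {
            print kind ": rule " substr($0, RSTART + 11, RLENGTH - 11); kind = ""
        }
        /Templates *:/ { kind = "" }'
}

# Exit 0 when the PSLXL packet share is at or above the threshold
pslxl_high() {
    parse_stats | awk -v t="$PSLXL_WARN_PCT" '
        $1 == "PSLXL_pkts" { hit = ($4 + 0 >= t + 0) }
        END { exit !hit }'
}

# Lines copied from the second firewall's output in the first post
sample_fw2() {
    cat <<'EOF'
Accept Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.
Accelerated conns/Total conns : 728/3817 (19%)
Accelerated pkts/Total pkts : 65933847419/111490474546 (59%)
PSLXL pkts/Total pkts : 45534025071/111490474546 (40%)
EOF
}

sample_fw2 | template_blockers
sample_fw2 | parse_stats
sample_fw2 | pslxl_high && echo "PSLXL share >= ${PSLXL_WARN_PCT}%"
```

On a gateway the same functions can be fed live output, for example `fwaccel stat | template_blockers`.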