Hi, I have two firewalls with weird numbers:
1st firewall
fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth5,eth1,eth6,eth2,eth3,|
| | | |eth4 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
fwaccel stats -s
Accelerated conns/Total conns : 3803/38042 (9%)
Accelerated pkts/Total pkts : 476758453777/898329277875 (53%)
F2Fed pkts/Total pkts : 475374045/898329277875 (0%)
F2V pkts/Total pkts : 3137871726/898329277875 (0%)
CPASXL pkts/Total pkts : 0/898329277875 (0%)
PSLXL pkts/Total pkts : 421095450053/898329277875 (46%)
QOS inbound pkts/Total pkts : 0/898329277875 (0%)
QOS outbound pkts/Total pkts : 0/898329277875 (0%)
Corrected pkts/Total pkts : 0/898329277875 (0%)
enabled_blades
fw vpn mon vpn
2nd firewall (the rule 244 is the last before the drop rule)
fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.
fwaccel stats -s
Accelerated conns/Total conns : 728/3817 (19%)
Accelerated pkts/Total pkts : 65933847419/111490474546 (59%)
F2Fed pkts/Total pkts : 22602056/111490474546 (0%)
F2V pkts/Total pkts : 81009543/111490474546 (0%)
CPASXL pkts/Total pkts : 0/111490474546 (0%)
PSLXL pkts/Total pkts : 45534025071/111490474546 (40%)
QOS inbound pkts/Total pkts : 28690657512/111490474546 (25%)
QOS outbound pkts/Total pkts : 37344603189/111490474546 (33%)
Corrected pkts/Total pkts : 0/111490474546 (0%)
enabled_blades
fw vpn ips qos mon vpn
Do you have an idea as to why the numbers are so low (especially for Accelerated conns/Total conns)?
Hi,
Please disable the TLS parser on both gw's:
fw ctl set int tls_parser_enable 0
Hi, what is tls_parser?
See this thread, it is a known issue with certain combinations of blades enabled that can cause high PSLXL levels:
Hi, thanks for the information. When I have a maintenance window, I will apply this modification.
Hi, first, thanks for the answer.
On the second firewall I have the IPS blade activated but no Threat Prevention policy pushed to the gateway, and I have a few rules for QoS (<10 rules) but a lot of VPNs.
The first firewall is a firewall between the internet and our web proxy (we have 50 rules). It's principally web services (http/https).