This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
LaurentFr
Participant
‎2020-04-10 12:35 AM

Securexl R80.30

Hi, i have two firewall with weird numbers :

1 firewall

 fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth5,eth1,eth6,eth2,eth3,|
| | | |eth4 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

 fwaccel stats -s
Accelerated conns/Total conns : 3803/38042 (9%)
Accelerated pkts/Total pkts : 476758453777/898329277875 (53%)
F2Fed pkts/Total pkts : 475374045/898329277875 (0%)
F2V pkts/Total pkts : 3137871726/898329277875 (0%)
CPASXL pkts/Total pkts : 0/898329277875 (0%)
PSLXL pkts/Total pkts : 421095450053/898329277875 (46%)
QOS inbound pkts/Total pkts : 0/898329277875 (0%)
QOS outbound pkts/Total pkts : 0/898329277875 (0%)
Corrected pkts/Total pkts : 0/898329277875 (0%)

enabled_blades
fw vpn mon vpn

 

2nd firewall (the rule 244 is the last before the drop rule)

 fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244 
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.


fwaccel stats -s
Accelerated conns/Total conns : 728/3817 (19%)
Accelerated pkts/Total pkts : 65933847419/111490474546 (59%)
F2Fed pkts/Total pkts : 22602056/111490474546 (0%)
F2V pkts/Total pkts : 81009543/111490474546 (0%)
CPASXL pkts/Total pkts : 0/111490474546 (0%)
PSLXL pkts/Total pkts : 45534025071/111490474546 (40%)
QOS inbound pkts/Total pkts : 28690657512/111490474546 (25%)
QOS outbound pkts/Total pkts : 37344603189/111490474546 (33%)
Corrected pkts/Total pkts : 0/111490474546 (0%)

 enabled_blades
fw vpn ips qos mon vpn

 

Do you have an idea as to why the numbers are so low (especially for Accelerated conns/Total conns) ?

6 Replies
PhoneBoy
Admin
Admin
‎2020-04-10 09:37 PM

IPS and QoS are enabled on the second firewall.
That's going to reduce the number of fully accelerated connections.

The first firewall has a significant amount of PXL traffic for only having FW, VPN, and Monitoring.
What services are in your policy?
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-04-10 09:52 PM
In response to PhoneBoy

Hi,

 

Please disable tls parser on both gw's:

 

fw ctl set int tls_parser_enable 0.

LaurentFr
Participant
‎2020-04-14 01:16 AM
In response to Ilya_Yusupov

Hi what is  tls_parser ? 

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-04-14 05:05 AM
In response to LaurentFr

See this thread, it is a known issue with certain combinations of blades enabled that can cause high PSLXL levels:

https://community.checkpoint.com/t5/General-Topics/First-impressions-R80-30-on-gateway-one-step-forw...

 

 

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
LaurentFr
Participant
‎2020-04-15 11:38 PM
In response to Timothy_Hall

hi, Thanks for the information. When i will have a maintenance windows, I will apply this modification.

0 Kudos
LaurentFr
Participant
‎2020-04-14 01:15 AM
In response to PhoneBoy

hi first, thanks for answer.

On the second firewall i have the blade ips activate but not threat prevention policy push on the gateway and i have a few rule for QoS (<10 rules) but a lots of vpn.


On the first  firewall, it s a firewall between internet and our web proxy (we have 50 rule). It 's principaly webservices (http/https).

 

0 Kudos
Labels