- Products
- Learn
- Local User Groups
- Partners
-
More
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
IDC Spotlight -
Uplevel The SOC
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Hi, i have two firewall with weird numbers :
1 firewall
fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth5,eth1,eth6,eth2,eth3,|
| | | |eth4 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
fwaccel stats -s
Accelerated conns/Total conns : 3803/38042 (9%)
Accelerated pkts/Total pkts : 476758453777/898329277875 (53%)
F2Fed pkts/Total pkts : 475374045/898329277875 (0%)
F2V pkts/Total pkts : 3137871726/898329277875 (0%)
CPASXL pkts/Total pkts : 0/898329277875 (0%)
PSLXL pkts/Total pkts : 421095450053/898329277875 (46%)
QOS inbound pkts/Total pkts : 0/898329277875 (0%)
QOS outbound pkts/Total pkts : 0/898329277875 (0%)
Corrected pkts/Total pkts : 0/898329277875 (0%)
enabled_blades
fw vpn mon vpn
2nd firewall (the rule 244 is the last before the drop rule)
fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3,Mgmt |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer FwInternetIPSEC Security disables template offloads from rule #244
Throughput acceleration still enabled.
fwaccel stats -s
Accelerated conns/Total conns : 728/3817 (19%)
Accelerated pkts/Total pkts : 65933847419/111490474546 (59%)
F2Fed pkts/Total pkts : 22602056/111490474546 (0%)
F2V pkts/Total pkts : 81009543/111490474546 (0%)
CPASXL pkts/Total pkts : 0/111490474546 (0%)
PSLXL pkts/Total pkts : 45534025071/111490474546 (40%)
QOS inbound pkts/Total pkts : 28690657512/111490474546 (25%)
QOS outbound pkts/Total pkts : 37344603189/111490474546 (33%)
Corrected pkts/Total pkts : 0/111490474546 (0%)
enabled_blades
fw vpn ips qos mon vpn
Do you have an idea as to why the numbers are so low (especially for Accelerated conns/Total conns) ?
PhoneBoy
Ilya_Yusupov
Hi,
Please disable tls parser on both gw's:
fw ctl set int tls_parser_enable 0.
Hi what is tls_parser ?
Timothy_Hall
See this thread, it is a known issue with certain combinations of blades enabled that can cause high PSLXL levels:
hi, Thanks for the information. When i will have a maintenance windows, I will apply this modification.
hi first, thanks for answer.
On the second firewall i have the blade ips activate but not threat prevention policy push on the gateway and i have a few rule for QoS (<10 rules) but a lots of vpn.
On the first firewall, it s a firewall between internet and our web proxy (we have 50 rule). It 's principaly webservices (http/https).
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY