Martin_Raska
Advisor

TCPDUMP and SecureXL

Hello,

This question is mainly for Tim, but input from others is also appreciated.

Question: Do I need to disable SecureXL (fwaccel off) for tcpdump in order to see all packets?

From the book Max Power R80, chapter "Millisecond in the Life of a Frame", stage 6, my understanding is that it's not needed. Am I right?

Thanks

4 Replies
HeikoAnkenbrand
Champion

Yes, you must enter "fwaccel off" to see all packets.

If you enter fwaccel off, all packets go through the F2F path and are visible in the software. Thus tcpdump can display the packets correctly.

regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Timothy_Hall
Legend

Hi Martin,

It depends, but usually tcpdump will show you all packets while SecureXL is enabled.  If I had to put a percentage probability on it I'd say 75%.  Factors that will determine the outcome are:

1) Packets being handled in the Accelerated Path (SXL) vs. Medium (PXL)/Firewall (F2F) paths.  All traffic in the PXL/F2F paths will show up in tcpdump, and considering the typical blades enabled on firewalls today most traffic tends to be handled in PXL.  Traffic to and from the gateway itself (i.e. SSH management, logging, policy loads) and the ICMP protocol are *never* accelerated by SecureXL, will always go F2F, and will appear in tcpdump and fw monitor 100%.

2) Traffic handled in SXL will almost always show up on the inbound interface, but may not appear at all on the outbound interface, or will appear but with some odd issues such as showing pre-NAT addresses like this:

sk100194: TCPdump shows wrong IP addresses for NATed traffic when SecureXL is enabled

sk100071: "tcpdump" output does not show the NATed IP address correctly


This is due to how SecureXL works with accelerated packets on the outbound side, so if in your tcpdump capture you see NAT oddities or can't seem to see all packets of a connection, don't beat your head against the wall unnecessarily trying to figure out why you can't see everything.

3) If there is hardware acceleration (i.e. 23000 SAM/ADP card) involved, chances are good that tcpdump will not see that traffic at all.  I'm curious to see how this will be handled (or not) on the upcoming Falcon accelerator card.

If you are experiencing problems seeing all traffic with tcpdump (or have a limited time window to execute the tcpdump and want to maximize the chances of getting a complete capture), it is vastly preferable to selectively disable SecureXL for the IP address(es) you want to capture as described here:

sk104468: How to disable SecureXL for specific IP addresses

As described in the SK, this is easily accomplished by editing the table.def file on the SMS and pushing policy to the gateway ahead of time.  Once this is done tcpdump (and fw monitor) will give you a complete capture as all traffic matching the defined exclusion will go F2F.  If the IP address(es) cannot be known ahead of time, it is also possible to define a SecureXL exclusion based on destination port number.  Generally it is not a good idea to completely disable SecureXL via fwaccel off for this purpose, especially on a gateway with more than 8 cores as it may cause severe performance issues.

One last warning: if you are capturing packets that are fragmented, tcpdump will show the individual fragments in their original state, while fw monitor will only show the packets after they have been virtually reassembled for inspection and not how they actually appear on the wire.  Fragmented packets always go F2F unless a SAM/ADP card is present.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
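An added example (not from the thread or from Check Point) that turns the two symptoms above into a check an analyst can run offline: compare a tcpdump taken on the inbound interface with one taken on the outbound interface, list flows that never appear on egress, and list egress flows that still carry a pre-NAT source address. The capture lines, interface roles, addresses and the hide-NAT mapping are constructed for the example, and the parser assumes tcpdump was run with -nn (numeric ports).

```python
import re
from collections import Counter

# Matches tcpdump -nn text lines such as
#   10:00:01.123456 IP 10.1.1.10.40000 > 203.0.113.5.443: Flags [S], ...
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def parse_flows(capture_text):
    """Count packets per (src_ip, dst_ip, dst_port). Source ports are ignored
    because hide NAT may rewrite them on egress."""
    flows = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows[(m["src"], m["dst"], int(m["dport"]))] += 1
    return flows

def missing_on_egress(inbound, outbound, nat_map):
    """Inbound flows that show up on the outbound interface in neither their
    translated nor their pre-NAT form: the accelerated-path symptom from the reply."""
    missing = []
    for src, dst, dport in inbound:
        translated = (nat_map.get(src, src), dst, dport)
        if (src, dst, dport) not in outbound and translated not in outbound:
            missing.append((src, dst, dport))
    return sorted(missing)

def pre_nat_on_egress(outbound, nat_map):
    """Outbound flows still carrying a pre-NAT source address (the sk100194 symptom)."""
    return sorted(f for f in outbound if f[0] in nat_map)

# Constructed sample captures (hypothetical addresses): the internal interface is the
# inbound side, the external interface hides internal hosts behind 198.51.100.1.
INBOUND = """\
10:00:01.000001 IP 10.1.1.10.40000 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 IP 10.1.1.10.40000 > 203.0.113.5.443: Flags [.], ack 1, win 64240, length 0
10:00:01.000003 IP 10.1.1.11.40001 > 203.0.113.6.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000004 IP 10.1.1.12.40002 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
"""
OUTBOUND = """\
10:00:01.000005 IP 198.51.100.1.40000 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000006 IP 10.1.1.12.40002 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
"""
NAT_MAP = {"10.1.1.10": "198.51.100.1", "10.1.1.11": "198.51.100.1", "10.1.1.12": "198.51.100.1"}

if __name__ == "__main__":
    inb, outb = parse_flows(INBOUND), parse_flows(OUTBOUND)
    print("missing on egress:", missing_on_egress(inb, outb, NAT_MAP))
    print("pre-NAT source on egress:", pre_nat_on_egress(outb, NAT_MAP))
```

A flow reported as missing or as pre-NAT on egress is the expected SecureXL artefact, not a dropped connection; confirm with fw monitor or a selective SecureXL exclusion before treating it as a fault.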
Martin_Raska
Advisor

Thank you very much Tim for the exhaustive explanation.
HeikoAnkenbrand
Champion

SecureXL does not have to be disabled ("fwaccel off") on R80.20 to run "fw monitor". This is good for performance, as "fw monitor" no longer affects performance.

For more, see here: R80.x Performance Tuning and Debug Tips – fw monitor

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
