
fw monitor/tcpdump and "fwaccel off" - yes or no

I don't recommend doing this "fwaccel off" on a production firewall; the performance impact can be noticeable. I would always recommend disabling SecureXL selectively for the IP addresses you want to capture ahead of time, then you can use tcpdump and/or fw monitor to see all inbound and outbound traffic:

 

sk104468: How to disable SecureXL for specific IP addresses

 

Or if necessary, I look at the utilization of the gateway and decide accordingly.

 

How do you do that?

 

Regards,

Heiko

"fwaccel off" - Execute this command without further check! 13
"fwaccel off" - Execute this command with previous performance check! 38
Disabling SecureXL selectively for IP‘s (sk104468) 9
0 Kudos
7 Replies

Re: fw monitor/tcpdump and "fwaccel off" - yes or no

Heiko Ankenbrand, could you please ping me next time you want to post a poll? I want to see why you cannot post those in other places.

BTW, moved to General Topics

0 Kudos

Re: fw monitor/tcpdump and "fwaccel off" - yes or no

Hi Valeri,

I sent you a private mail with a picture. Unfortunately, I can only select the following area at this time: Developers (Code Hub)

I think it's a right issue in JIVE. Thanks for moving to General Product Topics.

Regards,

Heiko

0 Kudos
Employee+

Re: fw monitor/tcpdump and "fwaccel off" - yes or no

SecureXL should be disabled to take effective traffic captures. I would not personally recommend single IP disabling as it requires a policy installation which not only restarts SecureXL, but can be very intensive on the firewall and brings in any changes that might be staged in the policy. 

Disabling SecureXL should be taken seriously and if necessary only during scheduled maintenance to allow for performance degradation if the firewall is already under load. 

0 Kudos
Employee

Re: fw monitor/tcpdump and "fwaccel off" - yes or no

Hi all, 

My name is Coby from R&D and I would like to share with you, fw monitor fans, how we are addressing this issue in the upcoming R80.20.

So in R80.20 fw monitor would have the ability to monitor accelerated traffic. This would be applied by using a new filters interface built for PPAK and FW and requesting to monitor PPAK as well. We would soon publish a SK regarding this and will let you know. 

0 Kudos

Re: fw monitor/tcpdump and "fwaccel off" - yes or no

Thanks Coby Schmidt, looking forward to this!

0 Kudos
Employee

Re: fw monitor/tcpdump and "fwaccel off" - yes or no

In addition to my last correspondence, I warmly recommend using R80.20 EA version for evaluation purposes or to deploy on real production sites.

Please, for further information, don't hesitate to contact me offline - cobys@checkpoint.com

Thanks, Coby!

0 Kudos

Re: fw monitor/tcpdump and "fwaccel off" - yes or no

SecureXL "fwaccel off" does not have to be disabled on R80.20 to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.

See more here: https://community.checkpoint.com/docs/DOC-3351-r80x-performance-tuning-tip-fw-monitor

Regards

Heiko

0 Kudos