HeikoAnkenbrand
Champion

fw monitor/tcpdump and "fwaccel off" - yes or no

I don't recommend doing this "fwaccel off" on a production firewall; the performance impact can be noticeable. I would always recommend disabling SecureXL selectively for the IP addresses you want to capture ahead of time; then you can use tcpdump and/or fw monitor to see all inbound and outbound traffic:

 

sk104468: How to disable SecureXL for specific IP addresses

 

Or if necessary, I look at the utilization of the gateway and decide accordingly.

 

How do you do that?

 

Regards,

Heiko

"fwaccel off" - Execute this command without further check! 13
"fwaccel off" - Execute this command with previous performance check! 38
Disabling SecureXL selectively for IPs (sk104468) 9
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
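
One way to script the "with previous performance check" option for releases where fw monitor cannot see accelerated traffic, as an added example that is not part of the original thread or Check Point tooling. The `MAX_LOAD_PCT` threshold, the output path and the function names are assumptions; `fwaccel off`/`on`/`stat` and `fw monitor -e ... -o ...` are the standard gateway commands.

```sh
#!/bin/sh
# Added example: only run "fwaccel off" when the gateway is lightly loaded,
# and always turn SecureXL back on when the capture ends or is interrupted.
# MAX_LOAD_PCT and OUT are hypothetical knobs, not Check Point defaults.
MAX_LOAD_PCT="${MAX_LOAD_PCT:-50}"   # refuse at or above this 1-min load per core (%)
OUT="${OUT:-/var/log/fwmon_capture.cap}"

# load_pct "<contents of /proc/loadavg>" <cores> -> 1-minute load as % of cores
load_pct() {
    printf '%s\n' "$1" | awk -v n="$2" '{ printf "%d", ($1 / n) * 100 }'
}

# safe_to_disable "<loadavg line>" <cores> -> exit status 0 if below threshold
safe_to_disable() {
    [ "$(load_pct "$1" "$2")" -lt "$MAX_LOAD_PCT" ]
}

# capture "<fw monitor filter>" : foreground capture, stop it with Ctrl-C
capture() {
    cores=$(grep -c '^processor' /proc/cpuinfo)
    if ! safe_to_disable "$(cat /proc/loadavg)" "$cores"; then
        echo "Load too high, leaving SecureXL enabled" >&2
        return 1
    fi
    trap 'fwaccel on' EXIT           # re-enable acceleration however we leave
    trap 'exit 130' INT TERM         # Ctrl-C ends the script via the EXIT trap
    fwaccel off
    fw monitor -e "$1" -o "$OUT"
    fwaccel on
    trap - EXIT INT TERM
    fwaccel stat                     # confirm SecureXL is accelerating again
}

# Run only when asked, e.g.: sh capture.sh --run 'accept host(192.0.2.10);'
if [ "${1:-}" = "--run" ]; then
    capture "$2"
fi
```
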
7 Replies
_Val_
Admin

Heiko Ankenbrand, could you please ping me next time you want to post a poll? I want to see why you cannot post those in other places.

BTW, moved to General Topics

HeikoAnkenbrand
Champion

Hi Valeri,

I sent you a private mail with a picture. Unfortunately, I can only select the following area at this time: Developers (Code Hub)

I think it's a right issue in JIVE. Thanks for moving to General Product Topics.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Joshua_Hatter
Employee

SecureXL should be disabled to take effective traffic captures. I would not personally recommend single IP disabling as it requires a policy installation which not only restarts SecureXL, but can be very intensive on the firewall and brings in any changes that might be staged in the policy. 

Disabling SecureXL should be taken seriously and, if necessary, done only during scheduled maintenance to allow for performance degradation if the firewall is already under load.

Coby_Schmidt
Employee

Hi all, 

My name is Coby from R&D and I would like to share with you, fw monitor fans, how we are addressing this issue in the upcoming R80.20.

So in R80.20 fw monitor would have the ability to monitor accelerated traffic. This would be applied by using a new filters interface built for PPAK and FW and requesting to monitor PPAK as well. We would soon publish an SK regarding this and will let you know.

_Val_
Admin

Thanks Coby Schmidt, looking forward to this!

Coby_Schmidt
Employee

In addition to my last correspondence, I warmly recommend using R80.20 EA version for evaluation purposes or to deploy on real production sites.

Please, for further information, don't hesitate to contact me offline - cobys@checkpoint.com

Thanks, Coby!

HeikoAnkenbrand
Champion

SecureXL "fwaccel off" does not have to be disabled on R80.20 to run "fw monitor". This is good for performance, so "fw monitor" does not affect performance any more.

For more, see here: https://community.checkpoint.com/docs/DOC-3351-r80x-performance-tuning-tip-fw-monitor

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips