Solved: Re: how to disable SecureXL for specific src to sp... - Check Point CheckMates

Learn about Check Point
Product Roadmap

REGISTER NOW

Can you identify the
trick from the treat?

START QUIZ

Protect Endpoints from
Ransomware and Phishing Attacks

WATCH NOW

Try out the new
CheckMates Labs!

TRY NOW

The Premier Virtual Event for
Cloud Security

CheckMates Go:
The One Prince Charles Fancies

LISTEN NOW

Dear Team

sk104468 said that we can disable securexl for specific ip address, I want to disable securexl for specific src ip to specific dest ip or specific src networks to specific dest networks,how to do it ,thanks!

1 Solution

Accepted Solutions

Actually sk104468 says this is possible with these directives, although I've never used them:

tcp_f2f_conns = { <src, dest, dport> };
udp_f2f_conns = { <src, dest, dport> };

You can use ranges as well, so you can do something like this in table.def:

tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

udp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

ICMP always goes F2F so there is no directive for that protocol.

Just tried it in my lab and it seems to work, first line of output is port range, second is source IP range, third is destination IP range:

[Expert@R81:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 254
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

[Expert@R81:0]# fw tab -t udp_f2f_conns
localhost:
-------- udp_f2f_conns --------
static, id 255
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

10 Replies

As far as I know, this is possible for src and dst. More read here sk104468: How to disable SecureXL for specific IP addresses.

Excluded from PSLXL path (src and dst possible): sk156672 - SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above
Excluded from SecureXL (only specific ip address possible): sk104468: How to disable SecureXL for specific IP addresses
Excluded SecureXL from VPN: sk151114 - "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above.

More informations here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning Tip - SecureXL Fast Accelerator in R80.20 JHF103

Actually sk104468 says this is possible with these directives, although I've never used them:

tcp_f2f_conns = { <src, dest, dport> };
udp_f2f_conns = { <src, dest, dport> };

You can use ranges as well, so you can do something like this in table.def:

tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

udp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

ICMP always goes F2F so there is no directive for that protocol.

Just tried it in my lab and it seems to work, first line of output is port range, second is source IP range, third is destination IP range:

[Expert@R81:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 254
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

[Expert@R81:0]# fw tab -t udp_f2f_conns
localhost:
-------- udp_f2f_conns --------
static, id 255
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

View solution in original post

@Timo thanks,this is i wanted.

Although Checkpoint says in sk104468 that f2f_addresses( or tcp_f2f_conns/udp_f2f_conns ) should be placed in "table.def" it can be done smarter:

"table.def" is not the best place for it. This file is overwritten on every major upgrade !

Checkpoint has already created a specific file for this $FWDIR/conf/user.def.<FW-version_of_GWs> ( which will be taken over to the next version, too )
(see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

The only thing you have to create (which is not documented) is a "wrapper" around the statment which Tim has written:
e.g. For R80.xx Gateays you have to use $FWDIR/conf/user.def.FW1 file:

#ifndef __user_def__
#define __user_def__

#ifndef IPV6_FLAVOR

//
// User defined INSPECT code
//

f2f_addresses = {<10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>};

// range_src1 = { <10.0.0.0, 10.7.255.254> };
//
// udp_f2f_conns = { <(range_src1), 10.0.134.1, 53>, <(range_src1),10.0.135.1,53> }

#endif /* ifndef IPV6_FLAVOR */

//
// User defined INSPECT code
//

@Timothy_Hall It seems no working:

[Expert@SH-5600:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 251
<00000001, 0000ffff>
<01010100, 010101ff>
<02020200, 020202fe>

Looks like it is working fine to me, the fw tab output values are in hexadecimal. You need to run fw tab -t udp_f2f_conns to see the UDP entries.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com

Is there a way to have multiple entries?

I'd like to exclude a range of source IPs from multiple destination hosts and I wondered what the format would be for that?

e.g. the following seems clear enough if I want to exclude source 10.0.0.0/24 to destination 1.1.1.1 on tcp port 443

tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <1.1.1.1>, <443> };

However if I also wanted to exclude the destination 2.2.2.2 how would this look?

Please read sk104468

Thanks _Val_ I did read sk104468 first and have successfully applied this with multiple entries for f2f_addresses however it doesn't give the format for multiple tcp_f2f_conns

I need to add some additional entries and I could just add them to the f2f_addresses however 90% of the traffic is from a source that is working perfectly fine with SecureXL enabled, so I only want to specifically disable it for the affected traffic flows, hence wanting to use tcp_f2f_conns

Something like this should work:

tcp_f2f_conns =
{
<A.A.A.A, B.B.B.B, 443>,
<C.C.C.C, D.D.D.D, 80>
};