how to disable SecureXL for specific src to specific dst
Dear Team
sk104468 says that we can disable SecureXL for a specific IP address. I want to disable SecureXL for a specific source IP to a specific destination IP, or for specific source networks to specific destination networks. How do I do that? Thanks!
Accepted Solutions
Actually sk104468 says this is possible with these directives, although I've never used them:
tcp_f2f_conns = { <src, dest, dport> };
udp_f2f_conns = { <src, dest, dport> };
You can use ranges as well, so you can do something like this in table.def:
tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };
udp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };
ICMP always goes F2F so there is no directive for that protocol.
Just tried it in my lab and it seems to work, first line of output is port range, second is source IP range, third is destination IP range:
[Expert@R81:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 254
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>
[Expert@R81:0]# fw tab -t udp_f2f_conns
localhost:
-------- udp_f2f_conns --------
static, id 255
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>
Hi @Jeff_Gao
As far as I know, this is possible for src and dst. Read more here: sk104468 - How to disable SecureXL for specific IP addresses.
Excluded from PSLXL path (src and dst possible): sk156672 - SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above
Excluded from SecureXL (only specific ip address possible): sk104468: How to disable SecureXL for specific IP addresses
Excluded SecureXL from VPN: sk151114 - "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above.
More information here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning Tip - SecureXL Fast Accelerator in R80.20 JHF103
@Timo thanks, this is what I wanted.
Although Check Point says in sk104468 that f2f_addresses (or tcp_f2f_conns/udp_f2f_conns) should be placed in "table.def", it can be done smarter:
"table.def" is not the best place for it. This file is overwritten on every major upgrade!
Check Point has already created a specific file for this, $FWDIR/conf/user.def.<FW-version_of_GWs> (which will be carried over to the next version, too)
(see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)
The only thing you have to create (which is not documented) is a "wrapper" around the statement which Tim has written:
e.g. for R80.xx gateways you have to use the $FWDIR/conf/user.def.FW1 file:
#ifndef __user_def__
#define __user_def__
#ifndef IPV6_FLAVOR
//
// User defined INSPECT code
//
f2f_addresses = {<10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>};
// range_src1 = { <10.0.0.0, 10.7.255.254> };
//
// udp_f2f_conns = { <(range_src1), 10.0.134.1, 53>, <(range_src1), 10.0.135.1, 53> };
#endif /* ifndef IPV6_FLAVOR */
//
// User defined INSPECT code
//
#endif /* __user_def__ */
@Timothy_Hall It seems not to be working:
[Expert@SH-5600:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 251
<00000001, 0000ffff>
<01010100, 010101ff>
<02020200, 020202fe>
Looks like it is working fine to me, the fw tab output values are in hexadecimal. You need to run fw tab -t udp_f2f_conns to see the UDP entries.
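To confirm what actually loaded after editing table.def or user.def, the hex rows from fw tab can be decoded back to dotted addresses and a candidate flow checked against them. This is an added example, not code from the thread or from Check Point; it assumes the row order Tim describes (dport, src, dst) and a single entry per table, as in the dumps posted here.

```python
import ipaddress
import re

# Constructed sample: the `fw tab -t tcp_f2f_conns` dump quoted earlier in this thread.
SAMPLE_DUMP = """\
localhost:
-------- tcp_f2f_conns --------
static, id 254
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>
"""

# One table row: a pair of 32-bit values printed as 8 hex digits each.
ROW_RE = re.compile(r"<([0-9a-fA-F]{8}),\s*([0-9a-fA-F]{8})>")
TABLE_RE = re.compile(r"-------- (\w+) --------")


def ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def decode_f2f_dump(text: str) -> dict:
    """Decode a tcp/udp_f2f_conns dump into readable ranges.

    Assumed row order (per the thread): dport range, source range,
    destination range. A single host shows up as <X, X>.
    """
    rows = [(int(lo, 16), int(hi, 16)) for lo, hi in ROW_RE.findall(text)]
    if len(rows) != 3:
        raise ValueError(f"expected 3 rows (dport, src, dst), got {len(rows)}")
    m = TABLE_RE.search(text)
    (plo, phi), (slo, shi), (dlo, dhi) = rows
    return {
        "table": m.group(1) if m else "unknown",
        "dport": (plo, phi),
        "src": (ip(slo), ip(shi)),
        "dst": (ip(dlo), ip(dhi)),
        "raw": rows,
    }


def is_forced_f2f(entry: dict, src: str, dst: str, dport: int) -> bool:
    """True if the flow lies inside every range of the decoded entry,
    i.e. the gateway will push it to the F2F (firewall) path."""
    (plo, phi), (slo, shi), (dlo, dhi) = entry["raw"]
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    return plo <= dport <= phi and slo <= s <= shi and dlo <= d <= dhi


if __name__ == "__main__":
    e = decode_f2f_dump(SAMPLE_DUMP)
    print(e["table"], e["dport"], e["src"], e["dst"])
    print(is_forced_f2f(e, "10.0.0.7", "192.168.0.20", 443))   # True
    print(is_forced_f2f(e, "10.0.1.7", "192.168.0.20", 443))   # False
```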
Is there a way to have multiple entries?
I'd like to exclude a range of source IPs from multiple destination hosts and I wondered what the format would be for that?
e.g. the following seems clear enough if I want to exclude source 10.0.0.0/24 to destination 1.1.1.1 on tcp port 443
tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <1.1.1.1>, <443> };
However if I also wanted to exclude the destination 2.2.2.2 how would this look?
Please read sk104468
Thanks _Val_, I did read sk104468 first and have successfully applied this with multiple entries for f2f_addresses; however, it doesn't give the format for multiple tcp_f2f_conns.
I need to add some additional entries, and I could just add them to the f2f_addresses. However, 90% of the traffic is from a source that is working perfectly fine with SecureXL enabled, so I only want to specifically disable it for the affected traffic flows, hence wanting to use tcp_f2f_conns.
Something like this should work:
tcp_f2f_conns =
{
<A.A.A.A, B.B.B.B, 443>,
<C.C.C.C, D.D.D.D, 80>
};
Hi and thank you,
Does this syntax need to be INSIDE the f2f_addresses = {} brackets? Looks like they are NOT needed in a post further down.
tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };
udp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };
Also, I was wondering if you could have src or dst as ANY.
