This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jeff_Gao
Advisor
‎2020-09-19 12:54 AM
Jump to solution

how to disable SecureXL for specific src to specific dst

Dear Team

    sk104468 said that we can disable securexl for specific ip address, I want to disable securexl for specific src ip to specific dest ip  or specific src networks to specific dest networks,how to do it ,thanks!

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2020-09-19 06:30 AM
Jump to solution

Actually sk104468 says this is possible with these directives, although I've never used them:

tcp_f2f_conns = { <src, dest, dport> };
udp_f2f_conns = { <src, dest, dport> };

You can use ranges as well, so you can do something like this in table.def:

tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

udp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

ICMP always goes F2F so there is no directive for that protocol.

Just tried it in my lab and it seems to work, first line of output is port range, second is source IP range, third is destination IP range:

[Expert@R81:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 254
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

[Expert@R81:0]# fw tab -t udp_f2f_conns
localhost:
-------- udp_f2f_conns --------
static, id 255
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

View solution in original post

0 Kudos
10 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2020-09-19 01:16 AM
Jump to solution

Hi @Jeff_Gao 

As far as I know, this is possible for src and dst. More read here sk104468: How to disable SecureXL for specific IP addresses.

Excluded from PSLXL path (src and dst possible):                        sk156672 - SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above
Excluded from SecureXL (only specific ip address possible):      sk104468: How to disable SecureXL for specific IP addresses 
Excluded SecureXL from VPN:                                                          sk151114 - "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above.

More informations here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning Tip - SecureXL Fast Accelerator in R80.20 JHF103

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-09-19 06:30 AM
Jump to solution

Actually sk104468 says this is possible with these directives, although I've never used them:

tcp_f2f_conns = { <src, dest, dport> };
udp_f2f_conns = { <src, dest, dport> };

You can use ranges as well, so you can do something like this in table.def:

tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

udp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

ICMP always goes F2F so there is no directive for that protocol.

Just tried it in my lab and it seems to work, first line of output is port range, second is source IP range, third is destination IP range:

[Expert@R81:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 254
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

[Expert@R81:0]# fw tab -t udp_f2f_conns
localhost:
-------- udp_f2f_conns --------
static, id 255
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
Jeff_Gao
Advisor
‎2020-09-19 06:34 AM
In response to Timothy_Hall
Jump to solution

@Timo thanks,this is i wanted.

0 Kudos
Martin_Hofbauer
Contributor
Contributor
‎2020-09-21 06:22 AM
In response to Timothy_Hall
Jump to solution

Although Checkpoint says in sk104468 that f2f_addresses( or tcp_f2f_conns/udp_f2f_conns )  should be placed in "table.def"  it can be done smarter:

"table.def" is not the best place for it. This file is overwritten on every major upgrade !

Checkpoint has already created a specific file for this $FWDIR/conf/user.def.<FW-version_of_GWs>  ( which will be taken over to the next version, too )
(see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

The only thing you have to create (which is not documented) is a "wrapper" around the statment which Tim has written:
e.g. For R80.xx Gateays you have to use $FWDIR/conf/user.def.FW1  file:

 

#ifndef __user_def__
#define __user_def__

#ifndef IPV6_FLAVOR

//
// User defined INSPECT code
//

f2f_addresses = {<10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>};


// range_src1 = { <10.0.0.0, 10.7.255.254> };
//
// udp_f2f_conns = { <(range_src1), 10.0.134.1, 53>, <(range_src1),10.0.135.1,53> }

 

#endif /* ifndef IPV6_FLAVOR */


//
// User defined INSPECT code
//




Jeff_Gao
Advisor
‎2020-09-21 07:27 PM
In response to Timothy_Hall
Jump to solution

@Timothy_Hall  It seems no working:

1.png

[Expert@SH-5600:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 251
<00000001, 0000ffff>
<01010100, 010101ff>
<02020200, 020202fe>

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-09-22 05:23 AM
In response to Jeff_Gao
Jump to solution

Looks like it is working fine to me, the fw tab output values are in hexadecimal.  You need to run fw tab -t udp_f2f_conns to see the UDP entries.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
juppo
Explorer
‎2021-04-27 04:17 AM
In response to Timothy_Hall
Jump to solution

Is there a way to have multiple entries?

I'd like to exclude a range of source IPs from multiple destination hosts and I wondered what the format would be for that?

e.g. the following seems clear enough if I want to exclude source 10.0.0.0/24 to destination 1.1.1.1 on tcp port 443

tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <1.1.1.1>, <443> };

However if I also wanted to exclude the destination 2.2.2.2 how would this look?

0 Kudos
_Val_
Admin
Admin
‎2021-04-27 07:19 AM
In response to juppo
Jump to solution

Please read sk104468

0 Kudos
juppo
Explorer
‎2021-04-27 07:39 AM
In response to _Val_
Jump to solution

Thanks _Val_ I did read sk104468 first and have successfully applied this with multiple entries for f2f_addresses however it doesn't give the format for multiple tcp_f2f_conns

I need to add some additional entries and I could just add them to the f2f_addresses however 90% of the traffic is from a source that is working perfectly fine with SecureXL enabled, so I only want to specifically disable it for the affected traffic flows, hence wanting to use tcp_f2f_conns

0 Kudos
_Val_
Admin
Admin
‎2021-04-27 07:52 AM
In response to juppo
Jump to solution

Something like this should work:

tcp_f2f_conns =
{
<A.A.A.A, B.B.B.B, 443>,
<C.C.C.C, D.D.D.D, 80>
};

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events