Jeff_Gao
Advisor

how to disable SecureXL for specific src to specific dst


Dear Team

sk104468 says that we can disable SecureXL for specific IP addresses. I want to disable SecureXL for a specific source IP to a specific destination IP, or for specific source networks to specific destination networks. How do I do it? Thanks!

0 Kudos
10 Replies
HeikoAnkenbrand
Champion
Champion

Hi @Jeff_Gao 

As far as I know, this is possible for src and dst. Read more here in sk104468: How to disable SecureXL for specific IP addresses.

- Excluded from PSLXL path (src and dst possible): sk156672 - SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above
- Excluded from SecureXL (only specific IP address possible): sk104468 - How to disable SecureXL for specific IP addresses
- Excluded SecureXL from VPN: sk151114 - "fwaccel off" does not affect disabling acceleration of VPN tunnels in R80.20 and above

More information here:
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Performance Tuning Tip - SecureXL Fast Accelerator in R80.20 JHF103

0 Kudos
Timothy_Hall
Champion
Champion

Actually sk104468 says this is possible with these directives, although I've never used them:

tcp_f2f_conns = { <src, dest, dport> };
udp_f2f_conns = { <src, dest, dport> };

You can use ranges as well, so you can do something like this in table.def:

tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

udp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>, <1, 65535> };

ICMP always goes F2F so there is no directive for that protocol.

Just tried it in my lab and it seems to work; the first line of output is the port range, the second is the source IP range, and the third is the destination IP range:

[Expert@R81:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 254
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

[Expert@R81:0]# fw tab -t udp_f2f_conns
localhost:
-------- udp_f2f_conns --------
static, id 255
<00000001, 0000ffff>
<0a000000, 0a0000ff>
<c0a80000, c0a800ff>

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

0 Kudos
Jeff_Gao
Advisor

@Timo thanks, this is what I wanted.

0 Kudos
Martin_Hofbauer
Participant

Although Check Point says in sk104468 that f2f_addresses (or tcp_f2f_conns/udp_f2f_conns) should be placed in "table.def", it can be done smarter:

"table.def" is not the best place for it. This file is overwritten on every major upgrade!

Check Point has already created a specific file for this, $FWDIR/conf/user.def.<FW-version_of_GWs> (which will be carried over to the next version, too)
(see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

The only thing you have to create (which is not documented) is a "wrapper" around the statement which Tim has written:
e.g. for R80.xx gateways you have to use the $FWDIR/conf/user.def.FW1 file:

#ifndef __user_def__
#define __user_def__

#ifndef IPV6_FLAVOR

//
// User defined INSPECT code
//

// Force traffic to/from these ranges to the F2F (slow) path
f2f_addresses = {<10.0.0.0, 10.0.0.255>, <192.168.0.0, 192.168.0.255>};

// Example of a named source range used in a UDP <src, dst, dport> tuple:
// range_src1 = { <10.0.0.0, 10.7.255.254> };
//
// udp_f2f_conns = { <(range_src1), 10.0.134.1, 53>, <(range_src1), 10.0.135.1, 53> };

#endif /* ifndef IPV6_FLAVOR */

//
// User defined INSPECT code
//

#endif /* __user_def__ */

Jeff_Gao
Advisor

@Timothy_Hall It seems not to be working:

[Expert@SH-5600:0]# fw tab -t tcp_f2f_conns
localhost:
-------- tcp_f2f_conns --------
static, id 251
<00000001, 0000ffff>
<01010100, 010101ff>
<02020200, 020202fe>

0 Kudos
Timothy_Hall
Champion
Champion

Looks like it is working fine to me, the fw tab output values are in hexadecimal.  You need to run fw tab -t udp_f2f_conns to see the UDP entries.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
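An added helper, not from this thread or from Check Point, that decodes the hexadecimal rows of an "fw tab -t tcp_f2f_conns" (or udp_f2f_conns) dump back into dotted-quad and port ranges so a configured exclusion can be verified at a glance. It assumes the row order Tim describes (ports first, then source, then destination); the sample dump below is constructed from the output quoted earlier in the thread.

```python
import re
from ipaddress import IPv4Address

# Constructed sample of the kind of output "fw tab -t tcp_f2f_conns" prints;
# the <lo, hi> values are hexadecimal, which is what confused the thread.
SAMPLE_FW_TAB = """\
localhost:
-------- tcp_f2f_conns --------
static, id 251
<00000001, 0000ffff>
<01010100, 010101ff>
<02020200, 020202fe>
"""

# One table row: two 8-hex-digit values separated by a comma.
PAIR_RE = re.compile(r"<([0-9a-fA-F]{8}),\s*([0-9a-fA-F]{8})>")


def decode_f2f_table(text):
    """Return {'ports': (lo, hi), 'src': (ip, ip), 'dst': (ip, ip)} from a
    tcp/udp_f2f_conns dump. Row order is assumed to be port range, source
    range, destination range (as stated in the thread); anything else is
    rejected rather than silently misread."""
    rows = [(int(lo, 16), int(hi, 16)) for lo, hi in PAIR_RE.findall(text)]
    if len(rows) != 3:
        raise ValueError("expected 3 <lo, hi> rows, got %d" % len(rows))
    port_lo, port_hi = rows[0]
    if not (0 <= port_lo <= port_hi <= 65535):
        raise ValueError("port range out of bounds: %r" % (rows[0],))
    src_lo, src_hi = rows[1]
    dst_lo, dst_hi = rows[2]
    if src_lo > src_hi or dst_lo > dst_hi:
        raise ValueError("inverted address range")
    return {
        "ports": (port_lo, port_hi),
        "src": (str(IPv4Address(src_lo)), str(IPv4Address(src_hi))),
        "dst": (str(IPv4Address(dst_lo)), str(IPv4Address(dst_hi))),
    }


if __name__ == "__main__":
    for name, (lo, hi) in decode_f2f_table(SAMPLE_FW_TAB).items():
        print("%-5s %s - %s" % (name, lo, hi))
```

On a gateway, pipe the real dump in with: fw tab -t tcp_f2f_conns | python3 -c 'import sys; ...' or save it to a file and pass its contents to decode_f2f_table.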
juppo
Explorer

Is there a way to have multiple entries?

I'd like to exclude a range of source IPs from multiple destination hosts and I wondered what the format would be for that?

e.g. the following seems clear enough if I want to exclude source 10.0.0.0/24 to destination 1.1.1.1 on tcp port 443

tcp_f2f_conns = { <10.0.0.0, 10.0.0.255>, <1.1.1.1>, <443> };

However if I also wanted to exclude the destination 2.2.2.2 how would this look?

0 Kudos
_Val_
Admin
Admin

Please read sk104468

0 Kudos
juppo
Explorer

Thanks _Val_, I did read sk104468 first and have successfully applied this with multiple entries for f2f_addresses; however, it doesn't give the format for multiple tcp_f2f_conns.

I need to add some additional entries, and I could just add them to f2f_addresses; however, 90% of the traffic is from a source that is working perfectly fine with SecureXL enabled, so I only want to disable it specifically for the affected traffic flows, hence wanting to use tcp_f2f_conns.

0 Kudos
_Val_
Admin
Admin

Something like this should work:

tcp_f2f_conns =
{
<A.A.A.A, B.B.B.B, 443>,
<C.C.C.C, D.D.D.D, 80>
};

0 Kudos