Leader

performance optimization via "SecureXL Fast Accelerator"

Hello CheckMates,

I want to be sure of my understanding of the SecureXL Fast Accelerator.

If I define a network, host, port or anything possible via the "fw ctl fast_accel" command, do the matching packets go straight through the fastest path with no deep inspection?

Meaning no AV, no AB, no IPS, no URLF, no APPCL, no service inspection, no TP etc. will be done for these packets, regardless of whether these blades are enabled?

Wolfgang

Admin

Your understanding is correct. Here is the quote from SK: "The Fast Acceleration feature lets you define trusted connections to allow bypassing deep packet inspection".

If there is part of the traffic which can be trusted by definition, you can then bypass deep inspection for such traffic altogether. 

Champion

What Val said.  A warning from the third edition of my book about fast_accel:

While using the fast_accel feature ensures highly efficient handling of the
matched traffic in the SXL path, doing so ignores portions of your security policy and
can disable almost all firewall inspection of that traffic. As such a variety of bad things
can happen inside traffic streams that have been essentially whitelisted by this feature,
and a careful risk analysis is necessary before using it. It is NOT RECOMMENDED to
use fast_accel if one or both of the systems involved are not trusted and/or under your
organization’s direct administrative control.

As discussed in my CPX 2020 speech Big Game Hunting: Elephant Flows, typically fast_accel is used in the context of elephant flows (heavy connections) to make them go faster and keep from stomping on "mice" connections.  Note that there is an alternative solution from R&D that allows the processing/handling of elephant flows to be "spread around" more than one worker core, thus allowing them to go faster without limiting inspection of them with fast_accel.  See my preso for more details about this new feature and how to contact R&D to obtain it.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com

Leader

Thanks @Timothy_Hall and @_Val_ for your reply.

I'm aware of the risks. We want to use this for some hosts that do storage and database replications.

Wolfgang

Champion

I knew you were aware of the risks, but I feel duty-bound to bring them up whenever fast_accel is mentioned for those who might read this thread later.

Leader

@Timothy_Hall  👍😊
