Wolfgang

performance optimization via "SecureXL Fast Accelerator"

Hello CheckMates,

I want to be sure of my understanding of the SecureXL Fast Accelerator.

If I define a network, host, port or anything else possible via the "fw ctl fast_accel" command, do the matching packets go straight through the fastest path with no deep inspection?

Meaning no AV, no AB, no IPS, no URLF, no APPCL, no service inspection, no TP etc. will be done for these packets, regardless of whether these blades are enabled?

Wolfgang


Re: performance optimization via "SecureXL Fast Accelerator"

Your understanding is correct. Here is the quote from SK: "The Fast Acceleration feature lets you define trusted connections to allow bypassing deep packet inspection".

 

If there is part of the traffic which can be trusted by definition, you can then bypass deep inspection for such traffic altogether. 

Re: performance optimization via "SecureXL Fast Accelerator"

What Val said.  A warning from the third edition of my book about fast_accel:

While using the fast_accel feature ensures highly efficient handling of the matched traffic in the SXL path, doing so ignores portions of your security policy and can disable almost all firewall inspection of that traffic. As such a variety of bad things can happen inside traffic streams that have been essentially whitelisted by this feature, and a careful risk analysis is necessary before using it. It is NOT RECOMMENDED to use fast_accel if one or both of the systems involved are not trusted and/or under your organization’s direct administrative control.

As discussed in my CPX 2020 speech Big Game Hunting: Elephant Flows, typically fast_accel is used in the context of elephant flows (heavy connections) to make them go faster and keep from stomping on "mice" connections.  Note that there is an alternative solution from R&D that allows the processing/handling of elephant flows to be "spread around" more than one worker core, thus allowing them to go faster without limiting inspection of them with fast_accel.  See my preso for more details about this new feature and how to contact R&D to obtain it.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
Wolfgang

Re: performance optimization via "SecureXL Fast Accelerator"

Thanks @Timothy_Hall and @Val_Loukine for your reply.

I'm aware of the risks. We want to use this for some hosts that do storage and database replication.

Wolfgang


Re: performance optimization via "SecureXL Fast Accelerator"

I knew you were aware of the risks, but I feel duty-bound to bring them up whenever fast_accel is mentioned for those who might read this thread later.

 

Wolfgang

Re: performance optimization via "SecureXL Fast Accelerator"

@Timothy_Hall  👍😊
