Templates are used for acceleration purposes and are applied in the lowest possible layer (in the TCP/IP stack), on the interfaces (think about Layer 2).
Acceleration means that packets can move from the ingress port to the egress port and leave the firewall with as little as possible resource utilisation or software processing (rule matching or analysis for routing decisions). The packets are then on the Fast Path.
Templates are records of allow (accept), block or NAT decisions that the firewall has made and the template entry/record is created when a connection attempt is made (when a client tries to connect through the firewall to the server (C2S)) and a rule was matched because of the connection attempt.
For example if a client connects through the firewall to a web server.
The SYN packet that the client sends to the server is processed by the firewall and is allowed by a rule (that process sends the SYN packet on the Slow Path/Firewall Path which is slower and more resource intensive (the routing decision is also made after the FW decision process (the slow path)) .
The Connections table is updated with the record of the C2S and S2C (IPs and Ports, protocols and directions). The Templates are then updated (all but the client source port are recorded in the accept template).
The template entry (record) is made in order to apply acceleration for future new connections between the client and the server and is dependent on the initial C2S connection.
So, continuing with that example, if the client has an established connection to the web server and then the client makes a brand new connection to the web server (the only difference is the new source port) then the firewall can accelerate the first packet (the SYN packet) without having to send it on the Slow Path, and of course the rest of the packets between C&S are accelerated for the new connection.
In other words:
If the rule that was matched had the Accept action then the template records the C2S and S2C (for the responses from the server) in a similar way to the connections table records the connections state/details (for allowed (and therefor established) connections).
Look here for the official explanation:
SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise security. When SecureXL is enabled on a gateway, some CPU intensive operations are processed by virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:
- Accelerated path - Packets and connections that are processed immediately by SecureXL and are not processed by the Firewall.
- Medium path - Packets that require deeper inspection. It is not necessary for the Firewall to inspect these packets, they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.
- Slow path - Packets and connections that are inspected by the Firewall Rule Base, and are not processed by SecureXL.
The goal of a SecureXL configuration is to minimize the connections that are processed on the slow path.
Also see the attached PDF (if it is uploaded and attached successfully)