listtc
Explorer

SecureXL NAT Template on SMB (1100) gateway

So on a small single core gateway (1130) I have SecureXL running, for what it's worth, but the NAT Template is disabled.

Is it worth turning it on?

Is it worth running SecureXL at all?

0 Kudos
1 Solution

Accepted Solutions
HristoGrigorov


0 Kudos
8 Replies
G_W_Albrecht
Legend

Usually, you do not use Hide NAT or Static NAT with need of a high session rate on 1100 appliances! So NAT templates are not necessary. Running SecureXL, on the other hand, can be very valuable - but the performance gain also depends much on the used traffic mix.

CCSE CCTE CCSM SMB Specialist
0 Kudos
listtc
Explorer
I have 2 of the 1100s, both supporting 20 user offices with general internet behind Hide NAT.
Typically under 3000 connections.
Just trying to do best optimisation for these units until I can replace them.
0 Kudos
G_W_Albrecht
Legend

I would advise to stay away from NAT templates as long as there are no traffic issues - I would not think that it could gain perceptible performance gains, but when in strong need, it could be tested. With 1100s, you usually just keep SecureXL on and forget all optimization...

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Other than avoiding services that can't be accelerated by SecureXL (especially when centrally managed), there's not much in the way of performance optimization you can do on the SMB appliances.
0 Kudos
HristoGrigorov

On the contrary, when centrally managed there are a few tricks to optimize SecureXL, especially when HTTPS-I is involved. I managed to optimize SecureXL so much that the load dropped like in half now. What I did was to very carefully read Timothy Hall's posts here about it and then do a little bit of experimentation. 😀 I may write about my finding next week if I have the time...

0 Kudos
listtc
Explorer
I'm reading Tim Hall's book avidly and going through the whole estate from 13500s to 1130s.
The 1100 need to be retired but in the meantime....
0 Kudos
HristoGrigorov

Yeah, Tim's book is like the holy bible of CheckPoint firewalls. Don't dare to call yourself CPFW admin if you've never read it. 😁

0 Kudos
PhoneBoy
Admin
You can still do some level of performance troubleshooting.
I did take Tim's commands and make an SMB version here: https://community.checkpoint.com/t5/SMB-Appliances-and-SMP/Super-Seven-Performance-Assessment-Comman...

You certainly can't change the core split because there's not enough cores for that.
And certainly a lot of the stuff unrelated to Check Point is also relevant.

In any case, I'd love to see what you came up with in general.
I'm sure folks would benefit from it, and maybe Tim could borrow a few notes for the next version(s) of his book. 😁
0 Kudos
