This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Seeger
Collaborator
‎2020-05-09 05:13 AM

Disabling SecureXL on SMB Appliance (R80.20.5)?

Hi,

how can I exclude IP addresses or ranges from SecureXL on the SMB appliances with R80.20.5?

My management is R80.40.

I followed sk104468 and edited "table.def" but when I check according to the SK on the gateway I get the following result:

# fw tab -t f2f_addresses
localhost:
 Table f2f_addresses not loaded: Invalid argument

My best guess is that I got hold of the wrong "table.def" as there are several available:

/opt/CPsuite-R80.40/fw1/lib/table.def
/opt/CPR7520CMP-R80.40/lib/table.def
/opt/CPR7540CMP-R80.40/lib/table.def
/opt/CPR76CMP-R80.40/lib/table.def
/opt/CPSFWR77CMP-R80.40/lib/table.def
/opt/CPSFWR80CMP-R80.40/lib/table.def
/opt/CPR77CMP-R80.40/lib/table.def
/opt/CPR75CMP-R80.40/lib/table.def
/opt/CPNGXCMP-R80.40/lib/table.def
/opt/CPSG80CMP-R80.40/lib/table.def
/opt/CPR71CMP-R80.40/lib/table.def
/opt/CPSG80R75CMP-R80.40/lib/table.def

I used the first one as it seemed the obvious choice for R80 policy targets. Unluckily sk98339 is not updated to include R80.40 as management or R80.20 SMB as target yet.

Yours, Martin

P.S. If the question is "Why the hell do I want to disable SecureXL?" In my setup some services are not working properly. When I disable SecureXL to debug the connections, they start working. Unluckily I have not found a way to disable SecureXL permanently. When I do "fwaccel off" it turns itself "on" again after a few hours (I have no idea how or why).

P.P.S. Migrated from a 1470 with R77.20 to a 1550 with R80.20.5 about a week ago. This has been a lot more painful than expected. But I want to play with Layered Policies, so I have to go that way.

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2020-05-09 07:04 AM

Believe the correct one for SMB devices running R80 is: /opt/CPSFWR80CMP-R80.40/lib/table.def

And yes, with the redesign of SecureXL IN R80.20, we don't allow permanent disabling of SecureXL any longer (applies to regular gateways too).
We consider things solved by disabling SecureXL to be bugs that need to be fixed.
0 Kudos
Martin_Seeger
Collaborator
‎2020-05-11 12:30 AM
In response to PhoneBoy

Hi,

yes, I would agree that those are things that are needed to be fixed. But I don't want to open two many SRs in parallel, so I was looking for a quick fix.

I take a look what happens when I use that table.de and will report here.

Thank you!

Yours, Martin

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2020-05-11 01:32 AM
In response to Martin_Seeger

It may also be worthwhile testing with the latest Build 992001169 (refer sk164912).

CCSM R77/R80/ELITE
0 Kudos
Martin_Seeger
Collaborator
‎2020-05-11 02:06 AM
In response to Chris_Atkinson

Thank you! 

I hadn't seen that a new version is out.

Unluckily the RSS-Feeds from SecureKnowledge is currently broken (SR 6-0001991921 is already open):  https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fsupportcenter.checkpoint.com%2Fsupportcent...

Through the RSS feed I usually see every new version coming out (every changed SK generates an entry).

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-05-11 02:14 AM
In response to Chris_Atkinson

I would suggest the easy way from https://community.checkpoint.com/t5/SMB-Appliances-and-SMP/SecureXL-amp-CoreXL-on-SMB-devices/td-p/3...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Martin_Seeger
Collaborator
‎2020-05-11 02:49 AM
In response to G_W_Albrecht

Yep, I had a similar "fix". But that felt very "hacky" to me. Furthermore with R80.20.05 SecureXL re-enables itself after a few hours, so I had to start a background process that would disable it automagically again.

At that point I created this thread, as wrestling for control with your own system is never a good idea ;-).
0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-11 04:34 PM
In response to Martin_Seeger

It's better to use table.def to disable SecureXL acceleration for traffic from a problematic host than disable it globally. 🙂
0 Kudos
Martin_Seeger
Collaborator
‎2020-05-11 02:00 AM
In response to PhoneBoy

Yes, that was the correct table.def

0 Kudos
Martin_Seeger
Collaborator
‎2020-05-11 03:21 AM
In response to Martin_Seeger

Brute force approach at the moment:

# fw tab -t f2f_addresses
localhost:
-------- f2f_addresses --------
static, id 250
<00000000, ffffffff>

Will report on the effect later tonight.
0 Kudos
Martin_Seeger
Collaborator
‎2020-05-11 06:19 AM
In response to PhoneBoy

With the correct table.def my workaround is functional. SecureXL is "enabled" but my services are working. Managed to squeeze in a reboot to update to the newest firmware.

The hard part will be to remove the exceptions for SecureXL step by step and locate the real problems.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events