G_W_Albrecht (Legend)

SecureXL & CoreXL on SMB devices

SecureXL & CoreXL on SMB devices is very poorly documented, so I have collected the corresponding information to present it here:

1. SecureXL

The 1400/1100/1200R/700/600 series supports SecureXL and it is active by default. The SecureXL Drop Templates Optimization feature and the SecureXL penalty box mechanism are not supported. Accept Templates are on, but NAT Templates are off by default; to enable them, you have to add two lines to .pfrm2.0/opt/fw1/boot/modules/fwkern.conf (see sk71200):

cphwd_nat_templates_support=1
cphwd_nat_templates_enabled=1

(Out of my personal experience, enabling these templates may be dangerous: with firmware > R77.20.60, I have experienced autonomous reboots that only stopped after removing the fwkern.conf file...)

VPN traffic may be slow or show the error "Virtual defragmentation error: Timeout". With SecureXL inactive, the ipsec_dont_fragment parameter is on by default and this behaviour does not occur: if the GW receives a packet of (nearly) MTU size, it discards the packet and sends the ICMP "packet too big" message instead of fragmenting it. With SecureXL active you would have to enable the sim_keep_DF_flag SecureXL kernel parameter in $PPKDIR/boot/modules/simkern.conf (see sk92465 Slow Site-to-Site VPN affected by Virtual Defragmentation):

[Expert@Appliance]# touch $FWDIR/modules/simkern.conf
[Expert@Appliance]# echo 'sim_keep_DF_flag=1' >> $FWDIR/modules/simkern.conf
[Expert@Appliance]# cat $FWDIR/modules/simkern.conf
[Expert@Appliance]# reboot

SecureXL should never be disabled except when doing debugs. There is no way to disable SecureXL in the WebGUI, but sk65015 shows how it can be achieved on CLI:

GW-620> fwaccel off

This command switches off SecureXL until the next reboot, and "fwaccel on" can be used to set it to "on" again. To disable SecureXL permanently (only when being instructed by CP TAC to do so), you would have to follow these steps (see also sk52520):

On the 1400/1100/1200R/700/600 appliance, go to /pfrm2.0/etc/ directory:

[Expert@Appliance]# cd /pfrm2.0/etc/

Create the special file:

[Expert@Appliance]# touch userScript

(Note: the name contains a capital 'S'.)

Edit the file in Vi editor:

[Expert@Appliance]# vi userScript

userScript must be in shell script format:

#!/bin/sh

Add the full path to the command 'fwaccel off':

/opt/fw1/bin/fwaccel off

Set the file permissions:

[Expert@Appliance]# chmod 777 userScript

Reboot the appliance. SecureXL should be off now - check with the 'fwaccel stat' command.

2. CoreXL

The 7x0/14x0 appliances have two cores and can use the 'sim affinity' command to assign interfaces to cores. But this setting should only be tried very carefully!

The command 'sim affinity -l' lists the interfaces that can be assigned to one of the two cores. As that command on SMB devices does not survive a reboot, you have to add a line to userScript:

printf '\n1\n' | sim affinity -s

This sets the first IF listed to the default and the second to core 1. On 14x0 units only, CoreXL is supported (check with 'fw ctl multik stat'), and so two SNDs and two fw_worker processes exist (a 7x0 only has one fw_worker process, despite using the same hardware). It usually makes no sense to manually configure CoreXL on two-core systems like the 14x0, but sk98737 ATRG: CoreXL is partly usable (although its supported OSs do not list GAiA Embedded). To change CoreXL settings use the command:

fw ctl affinity

Also see this list of SMB documents for more.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
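As an added example (it is not part of G_W_Albrecht's post and not a Check Point tool): the post persists settings with "echo ... >> simkern.conf", which appends a fresh line every time it is run, and the userScript contents have to be typed exactly. The POSIX sh functions below make those two persistent changes idempotent: a parameter line is added once and rewritten in place if its value changes, userScript is generated from a heredoc, and every file path is an argument, so the demo function exercises everything in a scratch directory without touching an appliance. On a real unit you would pass the paths from the post ($FWDIR/modules/simkern.conf, /pfrm2.0/opt/fw1/boot/modules/fwkern.conf and /pfrm2.0/etc). Mode 755 for userScript is this example's choice; the post uses 777.

```sh
#!/bin/sh
# Added example, not code from the original post. Manages the SecureXL
# kernel-parameter files and the boot-time userScript discussed above in an
# idempotent way, so re-running it never produces duplicate lines.

# ensure_kernel_param FILE NAME VALUE
# Creates FILE if needed (like the post's 'touch'), then adds NAME=VALUE once;
# an existing NAME line is rewritten in place instead of being duplicated.
ensure_kernel_param() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        sed "s/^${name}=.*/${name}=${value}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_kernel_param FILE NAME -> prints the configured value (empty if unset)
get_kernel_param() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# count_param_lines FILE NAME -> how many lines define NAME (must stay 1)
count_param_lines() {
    grep -c "^$2=" "$1" || true
}

# write_user_script DIR
# Writes DIR/userScript, which the appliance runs at boot. The piped input
# reproduces the post's answers to 'sim affinity -s': default for the first
# interface, core 1 for the second. Mode 755 is this example's choice.
write_user_script() {
    cat > "$1/userScript" <<'EOF'
#!/bin/sh
# re-applied at boot: sim affinity does not persist across reboots on SMB appliances
printf '\n1\n' | sim affinity -s
EOF
    chmod 755 "$1/userScript"
}

# demo: exercises the helpers in a scratch directory and prints
# "<sim_keep_DF_flag line count> <nat template value> <userScript line count>"
demo() {
    tmp=$(mktemp -d)
    ensure_kernel_param "$tmp/simkern.conf" sim_keep_DF_flag 1
    ensure_kernel_param "$tmp/simkern.conf" sim_keep_DF_flag 1            # second run: no duplicate
    ensure_kernel_param "$tmp/fwkern.conf" cphwd_nat_templates_support 0
    ensure_kernel_param "$tmp/fwkern.conf" cphwd_nat_templates_support 1  # value updated in place
    write_user_script "$tmp"
    printf '%s %s %s\n' \
        "$(count_param_lines "$tmp/simkern.conf" sim_keep_DF_flag)" \
        "$(get_kernel_param "$tmp/fwkern.conf" cphwd_nat_templates_support)" \
        "$(wc -l < "$tmp/userScript" | tr -d ' ')"
    rm -rf "$tmp"
}

# On the appliance (paths as given in the post) the calls would be, for instance:
#   ensure_kernel_param "$FWDIR/modules/simkern.conf" sim_keep_DF_flag 1
#   write_user_script /pfrm2.0/etc
# Run with RUN_DEMO=1 to see the scratch-directory demo output ("1 1 3").
if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo
fi
```

The rewrite-in-place branch matters for the NAT template flags from the post: flipping cphwd_nat_templates_enabled back to 0 after the reboot problems mentioned above leaves exactly one line for the parameter, rather than two contradictory ones whose precedence depends on how the appliance parses the file.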
11 Replies
PhoneBoy (Admin)

Usually on devices with less than 4 cores, you don't want to mess with CoreXL.

SecureXL, I can see some use cases where you might need to disable it.

That said, if you need to disable SecureXL to make something work, you should probably be engaging with the TAC.

G_W_Albrecht (Legend)

Regarding CoreXL, I have stated above that it makes no sense to touch it - this part of the article is for documentation. I have also re-worked the SecureXL part so no one can assume that the most important procedure is to be able to disable SecureXL permanently.


To disable SecureXL is no good idea at all (if not forced by higher command).

dede79 (Contributor)

Actually - since PPPoE is not supported together with SecureXL, it must be disabled in that case, right?

HristoGrigorov

There is no $PPKDIR defined on my SMB. Shall I replace it with $FWDIR instead ?

HristoGrigorov

Another maybe stupid question, but...

I have enabled SecureXL on the active cluster member and it hung after a minute or so. I had to power cycle it. Is it possible that this was caused by the fact that SXL was disabled at the same time on the standby member?

G_W_Albrecht (Legend)

Thank you for the remark - I have updated the syntax to Embedded GAiA as found in sk92465, using $FWDIR/modules/simkern.conf instead of $PPKDIR/boot/modules/simkern.conf.

G_W_Albrecht (Legend)

SecureXL is always on - unless you deactivated it manually... But I would rather not mess around with units in production.

HristoGrigorov

It was permanently disabled and now I tried to enable it again :) Unfortunately I do not have test appliances to try it there.

G_W_Albrecht (Legend)

Why? Did TAC make you do that?

HristoGrigorov

Umm, it was a long time ago. I remember I had some problem with spontaneous reboots and disabled it temporarily. I wonder why it hangs when I enable it again. Couldn't find anything related in the logs.

Martin_Seeger (Collaborator)

Remark: I had the same problem, but selected a different approach. I defined exceptions for SecureXL in table.def (and use all IP addresses as exception). See details in https://community.checkpoint.com/t5/SMB-Appliances-and-SMP/Disabling-SecureXL-on-SMB-Appliance-R80-2... or in sk104468. The advantage is that you do not touch the SMB appliance; the disadvantage is that this solution applies to all SMB gateways (which can be remediated by selecting a better table.def).
