This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Hall
Champion
Champion
‎2022-02-02 12:21 PM

Accelerated Policy Install & SecureXL Templates - Strange Interaction

When setting up the new CCSE R81.10 class lab exercises I ran into this somewhat strange interaction between the new Accelerated Policy Install feature and SecureXL templates which does not appear to be documented.

The lab scenario was adding the ALL_DCE_RPC service to a policy rule then install policy, and once this was done as expected all SecureXL templating is halted at that rule (#4 in this case) as shown by fwaccel stat:

acc1.png

Next step was to remove the ALL_DCE_RPC service from rule #4 and reinstall policy (which turned out to be accelerated), but once this was finished fwaccel stat was then showing the following, indicating that all SecureXL Accept/NAT templating was COMPLETELY dead and not just disabled from rule #4:

acc2.png

Needless to say this had me scratching my head trying to figure out what happened.  However once I realized that the prior policy installation was accelerated, it was just a matter of forcing an unaccelerated policy install (even with no other changes), which is performed by right-clicking on the gateway icon on the Install Policy screen like this and then hitting the Install button:

acc3.png

Once that was done normal SecureXL templating was restored.  Hopefully this will help someone else as fwaccel stat simply showing that templates were "disabled by firewall" with no further information was a tad confusing.

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
7 Replies
Kim_Moberg
Advisor
‎2022-02-02 12:34 PM

@Timothy_Hall 

I thougth it was a RnD easter eeg feature to force non accellerated policy ??

 

Best Regards
Kim
Kim_Moberg
Advisor
‎2022-02-02 12:38 PM

@Timothy_Hall 

I ser page 14 tells more about this non accelerated access policy. 😂

http://downloads.checkpoint.com/dc/download.htm?ID=108670

Best Regards
Kim
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2022-02-02 12:58 PM
In response to Kim_Moberg

Hi @Timothy_Hall ,

 

Can you please share which JHF is installed? as i tried same procedure now in my lab and it works fine, unless i'm missing some steps in your scenario:).

 

Thanks,

Ilya 

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-02-02 01:17 PM
In response to Ilya_Yusupov

R81.10 Jumbo HFA Take 30

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2022-02-02 01:33 PM
In response to Timothy_Hall

@Timothy_Hall ,

 

Thanks indeed replicates, i will take it tomorrow with our RnD to resolved it.

 

Thanks again for your feedback !!!

0 Kudos
the_rock
Champion
Champion
‎2022-02-02 03:55 PM
In response to Ilya_Yusupov

I also saw same behavior in R81.10 lab (2 single gateways + mgmt).

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-02-11 07:15 AM
In response to Ilya_Yusupov

I'd also like to request a way to permanently disable accelerated policy installs due to my latest run in with this feature:

https://community.checkpoint.com/t5/Security-Gateways/Accelerated-Policy-Install-amp-AD-Query-Wizard...

 

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com