- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Why do Hackers Love IoT Devices so Much?
Join our TechTalk on Aug 17, at 5PM CET | 11AM EST
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
When setting up the new CCSE R81.10 class lab exercises I ran into this somewhat strange interaction between the new Accelerated Policy Install feature and SecureXL templates which does not appear to be documented.
The lab scenario was adding the ALL_DCE_RPC service to a policy rule then install policy, and once this was done as expected all SecureXL templating is halted at that rule (#4 in this case) as shown by fwaccel stat:
Next step was to remove the ALL_DCE_RPC service from rule #4 and reinstall policy (which turned out to be accelerated), but once this was finished fwaccel stat was then showing the following, indicating that all SecureXL Accept/NAT templating was COMPLETELY dead and not just disabled from rule #4:
Needless to say this had me scratching my head trying to figure out what happened. However once I realized that the prior policy installation was accelerated, it was just a matter of forcing an unaccelerated policy install (even with no other changes), which is performed by right-clicking on the gateway icon on the Install Policy screen like this and then hitting the Install button:
Once that was done normal SecureXL templating was restored. Hopefully this will help someone else as fwaccel stat simply showing that templates were "disabled by firewall" with no further information was a tad confusing.
I thougth it was a RnD easter eeg feature to force non accellerated policy ??
I ser page 14 tells more about this non accelerated access policy. 😂
http://downloads.checkpoint.com/dc/download.htm?ID=108670
Hi @Timothy_Hall ,
Can you please share which JHF is installed? as i tried same procedure now in my lab and it works fine, unless i'm missing some steps in your scenario:).
Thanks,
Ilya
R81.10 Jumbo HFA Take 30
Thanks indeed replicates, i will take it tomorrow with our RnD to resolved it.
Thanks again for your feedback !!!
I also saw same behavior in R81.10 lab (2 single gateways + mgmt).
I'd also like to request a way to permanently disable accelerated policy installs due to my latest run in with this feature:
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY