Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Timothy_Hall
Champion
Champion

Accelerated Policy Install & SecureXL Templates - Strange Interaction

When setting up the new CCSE R81.10 class lab exercises I ran into this somewhat strange interaction between the new Accelerated Policy Install feature and SecureXL templates which does not appear to be documented.

The lab scenario was adding the ALL_DCE_RPC service to a policy rule then install policy, and once this was done as expected all SecureXL templating is halted at that rule (#4 in this case) as shown by fwaccel stat:

acc1.png

Next step was to remove the ALL_DCE_RPC service from rule #4 and reinstall policy (which turned out to be accelerated), but once this was finished fwaccel stat was then showing the following, indicating that all SecureXL Accept/NAT templating was COMPLETELY dead and not just disabled from rule #4:

acc2.png

Needless to say this had me scratching my head trying to figure out what happened.  However once I realized that the prior policy installation was accelerated, it was just a matter of forcing an unaccelerated policy install (even with no other changes), which is performed by right-clicking on the gateway icon on the Install Policy screen like this and then hitting the Install button:

acc3.png

Once that was done normal SecureXL templating was restored.  Hopefully this will help someone else as fwaccel stat simply showing that templates were "disabled by firewall" with no further information was a tad confusing.

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
7 Replies
Kim_Moberg
Advisor

@Timothy_Hall 

I thougth it was a RnD easter eeg feature to force non accellerated policy ??

 

Best Regards
Kim
Kim_Moberg
Advisor

@Timothy_Hall 

I ser page 14 tells more about this non accelerated access policy. 😂

http://downloads.checkpoint.com/dc/download.htm?ID=108670

Best Regards
Kim
0 Kudos
Ilya_Yusupov
Employee
Employee

Hi @Timothy_Hall ,

 

Can you please share which JHF is installed? as i tried same procedure now in my lab and it works fine, unless i'm missing some steps in your scenario:).

 

Thanks,

Ilya 

0 Kudos
Timothy_Hall
Champion
Champion

R81.10 Jumbo HFA Take 30

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Ilya_Yusupov
Employee
Employee

@Timothy_Hall ,

 

Thanks indeed replicates, i will take it tomorrow with our RnD to resolved it.

 

Thanks again for your feedback !!!

0 Kudos
the_rock
Champion
Champion

I also saw same behavior in R81.10 lab (2 single gateways + mgmt).

0 Kudos
Timothy_Hall
Champion
Champion

I'd also like to request a way to permanently disable accelerated policy installs due to my latest run in with this feature:

https://community.checkpoint.com/t5/Security-Gateways/Accelerated-Policy-Install-amp-AD-Query-Wizard...

 

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com