This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Juan_
Collaborator
‎2021-03-15 11:34 AM

Assign IPs or Network to a fw_worker

Hi Guys,

I guess my answer is NO since i've never heard of this before.

But i'm having a rather peculiar issue i need to workaround.

I'd need to assign a network or an IP to a specific worker since the normal hashing or dynamic dispatching won't work in this case.

Is it possible?

Many thanks!

0 Kudos
8 Replies
HristoGrigorov
Mentor
Mentor
‎2021-03-15 11:58 AM

May be first explain what you are trying to achieve ? Do you want to have dedicated fw worker that is processing only traffic from/to single network/IP and nothing else ?

0 Kudos
Juan_
Collaborator
‎2021-03-15 12:04 PM
In response to HristoGrigorov

Hi Hristo,

Doesn't matter if its nothing else, but i'd like to have a rule like

"srcip:192.168.70.20 > fw_1"

"srcip=192.168.60.0/24 > fw_2" 

Issue am having is due to asymmetric routing. When inbound and outbound flows (different connections to the Ckp) fall in the same core it fails, but if it falls in different cores it works. That's the reason why i need this. 

 


The application/network design doesn't allow to fix the reason for the asymmetry in the first place unfortunately. 

 

Drop beign: dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2021-03-15 12:15 PM
In response to Juan_

And by "fails" you mean packets are dropped because of stateful inspection ?

0 Kudos
Juan_
Collaborator
‎2021-03-15 12:20 PM
In response to HristoGrigorov

No, it sees it as a new connection since the IPs change (there is NAT involved), it's also UDP traffic.

But when it tries to rearm the NAT outbound back it sees the inbound connection and it fails to create the link, when inbound and outbound fall in the same core.


0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-15 06:03 PM
In response to Juan_

Have you opened a TAC case on this?
As far as I know, there's no way to manually influence the CoreXL hashing algorithm.

0 Kudos
Juan_
Collaborator
‎2021-03-16 02:16 AM
In response to PhoneBoy

Yes, case opened some time ago.. i've been labbing the issue heavily and it appears this is the culprit. Waiting on TAC to see if there is any possible workaround. 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-16 09:46 AM
In response to Juan_

Just to caution you: this could be a "workaround' for the true issue.
Which is probably why R&D needs to have a closer look at this. 

Timothy_Hall
Legend Legend
Legend
‎2021-03-16 11:37 AM

The Dynamic Dispatcher can be bypassed for certain ports as described here, which was mentioned starting in the second edition of my book as an undocumented feature at that time:

sk108894: Difficulties in connecting to untrusted sites when both HTTPS Inspection and CoreXL Dynami...

When the bypass is active the old hash function will allocate which firewall worker gets the new connection, you don't get to pick which firewall worker instance.  I don't see any exposed mechanism for doing what you want by IP address.

What happens if you fast_accel the traffic through SecureXL? sk156672: SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above  Even though there are multiple cores assigned to SND/IRQ functions, it is really still just one instance of the sim (SecureXL Implementation Module) driver in the kernel and might help avoid the asymmetry you are seeing.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events