Alex- (Leader)

Clarification about SecureXL

As SecureXL has evolved dramatically in recent times, I'd like to make sure of the following. I've read some posts and SK but didn't come to a definitive conclusion.

Let's say I have 100 rules, and rule 50 has an unsupported SecureXL service.


fwaccel stat will say:

Layer "Policy_Name" disables template offloads from rule #50.

Throughput acceleration still enabled.

So if rule 50 or more is matching heavy traffic, a SecureXL template would never be created and its traffic would go F2F, causing a potential CPU load issue. But then what does the "throughput acceleration still enabled" mean in this case?
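As an added illustration of the question above (not code from the thread or from Check Point), the snippet below parses the two `fwaccel stat` lines quoted in the post and works out how much of a rulebase sits at or below the first template-blocking rule, which is the part of the rulebase that can only get a template after a full rule match. The sample output is constructed for the example; only the two quoted lines come from the thread, the header line and the rule count of 100 are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of "fwaccel stat" output. The "Layer ..." and
# "Throughput acceleration ..." lines are the ones quoted in the thread;
# the header line is filler added for this example.
SAMPLE_OUTPUT = """\
Accelerator Status : on
Layer "Policy_Name" disables template offloads from rule #50.
Throughput acceleration still enabled.
"""

# Matches the line fwaccel stat prints when a rule stops template offloading.
TEMPLATE_BLOCK_RE = re.compile(
    r'Layer "(?P<layer>[^"]+)" disables template offloads from rule #(?P<rule>\d+)\.'
)

THROUGHPUT_OK_LINE = "Throughput acceleration still enabled."


def parse_template_block(output: str) -> Optional[Tuple[str, int]]:
    """Return (layer name, first blocking rule number), or None if no rule blocks templates."""
    for line in output.splitlines():
        match = TEMPLATE_BLOCK_RE.search(line)
        if match:
            return match.group("layer"), int(match.group("rule"))
    return None


def assess_template_offload(output: str, total_rules: int) -> Dict[str, object]:
    """Summarise the template situation for a rulebase of total_rules rules.

    rules_without_templates counts the blocking rule itself and every rule
    below it, since none of those can get an accept template created.
    """
    result: Dict[str, object] = {
        # Throughput (per-packet) acceleration is reported separately from templates.
        "throughput_acceleration": THROUGHPUT_OK_LINE in output,
        "layer": None,
        "first_blocking_rule": None,
        "rules_without_templates": 0,
        "fraction_without_templates": 0.0,
    }
    block = parse_template_block(output)
    if block is None:
        return result
    layer, rule = block
    if rule < 1 or rule > total_rules:
        raise ValueError(f"rule #{rule} is outside the rulebase of {total_rules} rules")
    without = total_rules - rule + 1
    result.update(
        layer=layer,
        first_blocking_rule=rule,
        rules_without_templates=without,
        fraction_without_templates=without / total_rules,
    )
    return result


if __name__ == "__main__":
    summary = assess_template_offload(SAMPLE_OUTPUT, total_rules=100)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real gateway by feeding the captured `fwaccel stat` text and the actual rule count; a high `fraction_without_templates` combined with heavy new-connection rates on the lower rules is the case the question describes, while `throughput_acceleration` being true is independent of where the template block sits.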

5 Replies
G_W_Albrecht (Legend)

See sk162492: When disabling SecureXL with "fwaccel off" in R80.20 and above, traffic is still being acc...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
_Val_ (Admin)

Acceleration with templates is also known as "session rate acceleration". This means the very first packet is accepted by SXL on behalf of FW, based on an acceleration template. Rules below the one blocking templates can, and in most cases will, be accelerated after the first packet goes through FWK. That means throughput acceleration is still available.

HeikoAnkenbrand (Champion)

Hi @Alex-,

Accept Template in R80.20 and higher: 

Feature that accelerates the speed, at which a connection is established by matching a new connection to a set of attributes. When a new connection matches the Accept Template, subsequent connections are established without performing a rule match and therefore are accelerated. Accept Templates are generated from active connections according to policy rules. Currently, Accept Template acceleration is performed only on connections with the same destination port (using wildcards for source ports).

In practice, with R80.20 and higher, I can no longer see big differences in performance whether accept templates match or not. Most packages are added to the SecureXL connection table via SecureXL offloading and reinjection if this is possible for the connection. After that, the SecureXL connection table is the selection factor for the next package.

Packet flow:

[Image: securxl_8020.PNG]

CPU cores are divided into two groups: SND (SecureXL) and Firewall instances (CoreXL). Each group handles different tasks.

Tasks distribution:

| Task | R80.10 | R80.20+ |
| --- | --- | --- |
| Accept templates matching (new connection) & offload to SecureXL | SND | Firewall |
| NAT templates matching (new connection) & offload to SecureXL | SND | Firewall |


More read here:
- R80.x - Performance Tuning Tip - SND vs. CoreXL 
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Top 25 Gateway Tuning Tips
- Best Practices - Security Gateway Performance
- ATRG: SecureXL for R80.20 and higher
- Performance Tuning R81 Administration Guide -> SecureXL 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Alex- (Leader)

Thanks all for the information. Am I then right in supposing the "disabled as of rule X" can mostly be considered as informative and can be addressed whenever possible, but not as a priority?

PhoneBoy (Admin)

It's relevant for the new connection establishment rate, which benefits from a SecureXL accept template being present.
So... it depends.
