Disabling SecureXL for certain connections is not a solution that can be considered as 'permanent'?

No, if you have to disable SecureXL it's a bug or misconfiguration that should be taken with TAC.

Our CP is in R82 version, managed by a Smar-1 Cloud.
Then the TAC has to give us a solution, since it is not recommended to have the SXL off right?

I would follow sk @Tal_Paz-Fridman provided. What is the exact issue when sxl is enabled? Yes, it can be disabled permanently, but I would NOT do that.

Andy

It may be the constant workaround - disabling SecureXL completely is no way to go. But a TAC case might be the proper process - but try to exclude the traffic now quickly so you can turn SecureXL on again.

Thats a good idea.

Andy

Hello,

Is there any way to “validate” if the SXL is “dumping” traffic, when it is active?

It seems that tshoot commands like tcpdump or fw ctl zdebug, don't exactly “see” traffic that may be being dropped by the SXL.

So, what commands can help you, to validate if SXL is being the problem for a particular traffic?

You need to use the command fw ctl zdebug + drop to also see any drops occurring in SecureXL, although they are usually much more rare than drops in the main INSPECT code.

The best way to determine if SecureXL is the source of your problem is to leave the questionable connections in the slowpath (no offloading to the Medium or Fast paths allowed) and see if the situation improves.  sk104468: How to exclude traffic from SecureXL

It's a little weird.

I used the command you recommend, my destination was an IP camera.

When we have the SXL enabled on the CP, the CCTV server cannot see the video from the camera, but the command

fw ctl zdebug + drop | grep <IP CAMERA> ... at that time it shows me nothing.

It is as if for the FW everything is working fine.

Then, when we disable the SXL, immediately the CCTV server retrieves the video from the camera.

Only the “fw ctl zdebug + drop” is the command that helps to detect if it is the SXL that is giving problems?

When sxl is on, you probably would need to do sxl debugs.

Andy

@Matlu 

FYI

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_PerformanceTuning_AdminGuide/Topic...

If you see nothing in the fw ctl zdebug + drop that means no Check Point code (SecureXL/INSPECT) is dropping that traffic. 

Also I have to ask, are you on a Quantum Force 9000/19000/29000 or Lightspeed appliance?

Is this traffic multicast?  It could be getting dropped in the Gaia OS itself due to some kind of problematic interaction with SecureXL.  Only way to know for sure is set up a fw monitor -F with SecureXL enabled and see if the problematic traffic is hitting inspection points iI but failing to re-enter at o.  There have been issues in the past with SecureXL and multicast.

Tim - valid point about mcast, we had issues in the past where the Checkpoint was a RP and after engaging TAC it was determined this was a bug, but we never had issues with mcast being passed through the appliances, assuming correct policy is in place.

Hey bro,

Any luck with this or still same issue?

Andy

Here's a good place to start:

SecureXL Debug Procedure

However as everyone has suggested, best to engage TAC, ensure your running latest recommended Jumbo etc as this will be a first step suggestion from TAC.

Last time I had an issue with SecureXL it was on R7x.x and the issue was resolve by upgrading to the latest version at the time.