This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2025-03-12 07:04 PM

Error due to SecureXL

Hello, everyone.

One question, is it advisable to disable SecureXL?

We have a problem in which our CCTV server cannot 'visualize' the IP cameras it has hooked.

The only way to solve the error, and have video of the IP cameras is if we disable SecureXL.

Is this something 'expected' in CP equipment? I am referring to the fact that SecureXL is often the cause of problems with certain types of traffic.

What would be the right way to fix this error permanently?
I currently have version R81.20.

Regards.

0 Kudos
18 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-03-12 07:25 PM

The software is coded and tested with the assumption that SXL is enabled. It is not recommended to leave it off. Highly recommended to tackle this one with TAC so that we can fix it properly.

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-03-12 08:06 PM
In response to emmap

Disabling SecureXL for certain connections is not a solution that can be considered as 'permanent'?

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-03-12 10:15 PM
In response to Matlu

No, if you have to disable SecureXL it's a bug or misconfiguration that should be taken with TAC.

CCSM R77/R80/ELITE
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-03-13 04:37 AM
In response to Chris_Atkinson

Our CP is in R82 version, managed by a Smar-1 Cloud.
Then the TAC has to give us a solution, since it is not recommended to have the SXL off right?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-03-13 04:45 AM
In response to Matlu

I would follow sk @Tal_Paz-Fridman provided. What is the exact issue when sxl is enabled? Yes, it can be disabled permanently, but I would NOT do that.

Andy

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-03-13 03:29 AM
In response to Matlu

It may be the constant workaround - disabling SecureXL completely is no way to go. But a TAC case might be the proper process - but try to exclude the traffic now quickly so you can turn SecureXL on again.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-03-13 03:15 AM

I also suggest contacting TAC to resolve the issue.

A workaround could be to exclude specific traffic from SecureXL:

https://support.checkpoint.com/results/sk/sk104468

 

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2025-03-13 12:55 PM

Hi @Matlu 

Maybe fast_accel worths a try

https://support.checkpoint.com/results/sk/sk156672

----------------
\m/_(>_<)_\m/
the_rock
MVP Gold
MVP Gold
‎2025-03-13 01:07 PM
In response to AkosBakos

Thats a good idea.

Andy

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-03-13 02:40 PM
In response to AkosBakos

Hello,

Is there any way to “validate” if the SXL is “dumping” traffic, when it is active?

It seems that tshoot commands like tcpdump or fw ctl zdebug, don't exactly “see” traffic that may be being dropped by the SXL.

So, what commands can help you, to validate if SXL is being the problem for a particular traffic?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-03-13 02:53 PM
In response to Matlu

You need to use the command fw ctl zdebug + drop to also see any drops occurring in SecureXL, although they are usually much more rare than drops in the main INSPECT code.

The best way to determine if SecureXL is the source of your problem is to leave the questionable connections in the slowpath (no offloading to the Medium or Fast paths allowed) and see if the situation improves.  sk104468: How to exclude traffic from SecureXL

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2025-03-13 03:04 PM
In response to Timothy_Hall

It's a little weird.

I used the command you recommend, my destination was an IP camera.

When we have the SXL enabled on the CP, the CCTV server cannot see the video from the camera, but the command

fw ctl zdebug + drop | grep <IP CAMERA> ... at that time it shows me nothing.

It is as if for the FW everything is working fine.

Then, when we disable the SXL, immediately the CCTV server retrieves the video from the camera.

Only the “fw ctl zdebug + drop” is the command that helps to detect if it is the SXL that is giving problems?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-03-13 03:35 PM
In response to Matlu

When sxl is on, you probably would need to do sxl debugs.

Andy

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-03-13 04:42 PM
In response to Matlu

If you see nothing in the fw ctl zdebug + drop that means no Check Point code (SecureXL/INSPECT) is dropping that traffic. 

Also I have to ask, are you on a Quantum Force 9000/19000/29000 or Lightspeed appliance?

Is this traffic multicast?  It could be getting dropped in the Gaia OS itself due to some kind of problematic interaction with SecureXL.  Only way to know for sure is set up a fw monitor -F with SecureXL enabled and see if the problematic traffic is hitting inspection points iI but failing to re-enter at o.  There have been issues in the past with SecureXL and multicast.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
genisis__
MVP Silver
MVP Silver
‎2025-03-14 07:21 AM
In response to Timothy_Hall

Tim - valid point about mcast, we had issues in the past where the Checkpoint was a RP and after engaging TAC it was determined this was a bug, but we never had issues with mcast being passed through the appliances, assuming correct policy is in place.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-03-14 09:50 AM
In response to Matlu

Hey bro,

Any luck with this or still same issue?

Andy

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2025-03-13 02:59 PM
In response to Matlu

Here's a good place to start:

SecureXL Debug Procedure

However as everyone has suggested, best to engage TAC, ensure your running latest recommended Jumbo etc as this will be a first step suggestion from TAC.

Last time I had an issue with SecureXL it was on R7x.x and the issue was resolve by upgrading to the latest version at the time.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events