This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tom_Cripps
Advisor
‎2022-02-09 01:59 AM

Ethernet-Over-IP = bane of my life

Anyone been involved with handling ethernet-over-ip through a firewall? Currently we have two two CPU cores handling this traffic as it is a bidirectional tunnel and this isn't hogging CPU performance but adding unnecessary load to CPU cores. Anyone seen this before or worked on it? 

 

It needs to traverse an inside interface through the routing engine to an DMZ interface and doesn't appear to be being handled well at all by SecureXL if not at all.

Labels
0 Kudos
6 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-02-09 02:18 AM

Depending on security requirements perhaps look at if fast accel might be an effective solution per sk156672.

Mind you this is a sledge hammer approach and should be diagnosed further prior with TAC.

In future releases we are introducing new features to contend with large flows per:

https://community.checkpoint.com/t5/Security-Gateways/Quantum-HyperFlow-Now-in-EA/td-p/138544

CCSM R77/R80/ELITE
0 Kudos
Tom_Cripps
Advisor
‎2022-02-09 02:57 AM
In response to Chris_Atkinson

Will take a look more into that SK, seems some what feasible

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-02-09 07:55 AM

Only TCP and UDP-based sessions can be accelerated by SecureXL.  If your Ethernet-over-IP implementation is using GRE for the transport, it cannot be accelerated at all and must go F2F.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Tom_Cripps
Advisor
‎2022-02-10 04:46 AM
In response to Timothy_Hall

I don't believe it is. The traffic is a Cisco Mobility Anchor configuration if you are familiar with that concept. 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-02-10 04:55 AM
In response to Tom_Cripps

CAPWAP used to be UDP iirc but that's different to EoIP unless I'm missing something...

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-02-10 04:59 AM
In response to Tom_Cripps

Looks like these are the ports/protocols involved with Cisco Mobility Groups:

  • UDP 16666 for tunnel control traffic

  • IP protocol 97 for user data traffic

  • UDP 161 and 162 for SNMP

I just tried to add these first two to the fast_accel table on R80.40, and it allowed me to do so.  Whether it will actually work is another matter so you'll just have to try it and see what happens, you can use fwaccel conns to see if these Mobility connections are fully accelerated.  Very curious to see if the IP Protocol 97 one works as my understanding is that SecureXL can only handle TCP and UDP in the accelerated path, but perhaps fast_accel rules are an exception to that:

[Expert@R8040GW:0]# fw ctl fast_accel show_table

------------------------------------ FIREWALL FAST ACCEL TABLE ------------------------------------
# Source IP Destination IP D-Port Protocol Hit count
---- ------------------ ------------------ ------ -------- -----------
1) 1.1.1.1/32 2.2.2.0/24 16666 17 0
2) 1.1.1.1/32 2.2.2.0/24 any 97 0

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events