This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BrianHansen
Participant
2 weeks ago
Jump to solution

Lightspeed acceleration disabled

Hello,

I am trying to find out why LightSpeed acceleration is disabled on an appliance with lightspeed interfaces.

Version: R81.20 take 118

Running: Firewall/CoreXL in userspace and SecureXL in Kernel Space (Recommended by CP support due to performance issues with SecureXL in userspace, at this customer implementation)

I currently suspect that "Accept Templates : disabled by Firewall" this is causing Lightspeed acceleration to be disabled as well.

If this assumption is correct, then I think that this is a major limiting factor for using LightSpeed acceleration, as most of customers, that I have worked for has one or more rules in their policy, which disables accept templates, as there are quite a log list of features, which causes templating to be disabled.

fwaccel stat:

# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |KPPAK    |enabled    |Mgmt,eth3-01,Sync,       |Acceleration,Cryptography     |
|  |         |           |eth3-02,eth1-01,eth4-01, |                              |
|  |         |           |eth1-02                  |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |                         |SHA1,3DES,DES,AES-128,AES-256,|
|  |         |           |                         |ESP,LinkSelection,DynamicVPN, |
|  |         |           |                         |NatTraversal,AES-XCBC,SHA256, |
|  |         |           |                         |SHA384,SHA512                 |
+---------------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
                   Layer Network disables template offloads from rule #826
                   Throughput acceleration still enabled.
Drop Templates   : enabled
NAT Templates    : disabled by Firewall
                   Layer Network disables template offloads from rule #826
                   Throughput acceleration still enabled.
LightSpeed Accel : disabled

Best regards

Brian Hansen

 

 

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
2 weeks ago
Jump to solution

Yes, Lightspeed is reliant on SecureXL accelerating connections.
Makes sense it would be disabled when templates are disabled.

View solution in original post

Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
2 weeks ago
In response to BrianHansen
Jump to solution

Please review sk179432 to understand this further, UPPAK is needed.

Look for this row in the tables specifically:

Firewall Blade with Hardware Acceleration

CCSM R77/R80/ELITE

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
2 weeks ago
Jump to solution

Yes, Lightspeed is reliant on SecureXL accelerating connections.
Makes sense it would be disabled when templates are disabled.

BrianHansen
Participant
2 weeks ago
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

Thank you for commenting.

I now managed to fix templating, but still LightSpeed accel is disabled. Any other ideas?

LightSpeed.png

Best Regards

Brian Hansen

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
2 weeks ago
Jump to solution

The gateway should be running in UPPAK mode to fully leverage Lightspeed benefits.

What were the performance issues you encountered prior?

CCSM R77/R80/ELITE
BrianHansen
Participant
2 weeks ago
In response to Chris_Atkinson
Jump to solution

Hi Chris,

Also thank you for commenting 🙂
Unfortunately these performance issues and CP support involvement, was before my time with this customer and I do not know the specifics.
Although, I have also read that SecureXL in userspace should be preferred and also the default settings with new clean installs, then I do not expect it to be the reason that LightSpeed accel is disabled.

Is it your understanding that it could be the reason for the disabled state or "just" that it would be best to run in userspace ?

Best Regards

Brian Hansen 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
2 weeks ago
In response to BrianHansen
Jump to solution

Please review sk179432 to understand this further, UPPAK is needed.

Look for this row in the tables specifically:

Firewall Blade with Hardware Acceleration

CCSM R77/R80/ELITE
Jan_Kleinhans
Advisor
2 weeks ago
In response to BrianHansen
Jump to solution

Apart from using UPPAK. Is your customer using VSX?

0 Kudos
BrianHansen
Participant
2 weeks ago
In response to Jan_Kleinhans
Jump to solution

No they are not

0 Kudos
the_rock
MVP Platinum
MVP Platinum
2 weeks ago
Jump to solution

I totally get the point Phoneboy made. That makes 100% sense.

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events