Hello,
We have two 15400 gateways in an Active/Standby ClusterXL configuration with the FW, IPS, URL Filtering, App Control,
AV, AB, and VPN blades active on R77.30. We have several connections that run during the day for significant file transfers to various backup systems. These connections establish under the PXL path, as I haven't worked out yet which blade is preventing the SecureXL path for these transfers (I have exclusions set in the IPS and AV blades, but need to test an App Control/URL Filtering change tomorrow).
We observed that if a cluster fail-over occurs, the connection moves onto the secondary member under the SecureXL path, the transfer speed increases 2-4x, and CPU usage drops from 95+ percent to <50%. We were wondering if anyone else has seen this behavior and whether it is supposed to be normal. If the connection is terminated and restarted, it comes up under the PXL path again.
Thanks,
Scott L.
Wow, that's an interesting one! https://community.checkpoint.com/people/thalld401179d-0d5b-369d-a0f2-387c3ef54533 question! I'm keen to hear the answer
I think I found the answer to my own question.
Partial connection - Connection that exists in the Firewall Connections Table, but not in the SecureXL Connections Table (versions R70 and above).
This is found in sk98348 Best Practices - Security Gateway Performance. I interpret this to mean that PXL connections are moved to SXL connections upon fail-over to maintain connection state.
We just inadvertently ran into this as we were moving tens of TB of data, and the connection eventually caused the gateway to run out of memory (all 24 GB) and fail over.
From testing last week, we were able to figure out how to keep this connection out of the App Control blade, thanks to posts from Tim in the PXL Medium path thread. We are still working on the Threat Prevention blade exclusion, as this blade still causes the connection to drop to PXL. We still have a few things to try.
As a side note, our memory issue is probably because of running old Jumbo 216. I see they fixed some issues in the newer versions for App Control with memory usage. The memory issue is not present if the connection is running SXL path.
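The before/after comparison the thread describes (PXL traffic becoming SXL after a fail-over, CPU dropping) can be measured rather than eyeballed by parsing `fwaccel stats -s` from expert mode on each cluster member. The script below is an added example and not code from the thread or from Check Point; the two stats captures in it are constructed, and their line layout ("<path> pkts/Total pkts : a/b (p%)") follows the R77.x summary format as an assumption you should check against your own gateway's output.

```shell
# Added example (not from the thread): quantify the SecureXL path split from
# `fwaccel stats -s` so the PXL -> SXL shift after a ClusterXL fail-over can be
# measured. Usage on a gateway:  fwaccel stats -s | path_share PXL
# Capture once on the active member before fail-over and once on the member
# that took over, then feed both captures to path_shift.

# Constructed sample: before fail-over, the backup transfer sits in the medium path.
STATS_BEFORE='Accelerated conns/Total conns : 12/340 (3%)
Accelerated pkts/Total pkts   : 1500/100000 (1%)
F2Fed pkts/Total pkts         : 2500/100000 (2%)
PXL pkts/Total pkts           : 96000/100000 (96%)
QXL pkts/Total pkts           : 0/100000 (0%)'

# Constructed sample: after fail-over, the surviving flow is fully accelerated.
STATS_AFTER='Accelerated conns/Total conns : 300/340 (88%)
Accelerated pkts/Total pkts   : 94000/100000 (94%)
F2Fed pkts/Total pkts         : 2500/100000 (2%)
PXL pkts/Total pkts           : 3500/100000 (3%)
QXL pkts/Total pkts           : 0/100000 (0%)'

# path_share PATH -- reads `fwaccel stats -s` text on stdin and prints the
# integer percentage of packets that took PATH (Accelerated, F2Fed, PXL or QXL),
# computed from the raw counters rather than the rounded figure in parentheses.
# Field layout after splitting on ':', '/', ' ', '(' and ')':
#   $1=path  $2=pkts  $3=Total  $4=pkts  $5=path_pkts  $6=total_pkts
path_share() {
    awk -v label="$1" -F'[:/ ()]+' '
        $1 == label && $2 == "pkts" && $6 > 0 {
            printf "%d\n", ($5 * 100) / $6
            found = 1
        }
        END {
            if (!found) { print "path " label " not found in input" > "/dev/stderr"; exit 1 }
        }'
}

# path_shift PATH BEFORE AFTER -- prints the change in PATH's packet share
# (after minus before, in percentage points) between two captures; a large
# negative PXL figure paired with a large positive Accelerated figure is the
# "connection moved to SXL on fail-over" symptom from the thread.
path_shift() {
    before=$(printf '%s\n' "$2" | path_share "$1")
    after=$(printf '%s\n' "$3" | path_share "$1")
    echo $((after - before))
}

# Self-check against the constructed captures; swap in real ones on the gateway.
printf 'PXL share before fail-over: %s%%\n' "$(printf '%s\n' "$STATS_BEFORE" | path_share PXL)"
printf 'PXL share after fail-over:  %s%%\n' "$(printf '%s\n' "$STATS_AFTER" | path_share PXL)"
printf 'Accelerated share change:   %s points\n' "$(path_shift Accelerated "$STATS_BEFORE" "$STATS_AFTER")"
```

The check is deliberately based on packet counters rather than the "Accelerated conns" line: a single bulk transfer is one connection either way, so the connection ratio barely moves, while its packet share makes the path change obvious. Because `fwaccel stats -s` counters accumulate since the last reset, take both captures over the same window (or reset with `fwaccel stats -r` first) for a fair comparison.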