Daniel_Collins
Collaborator

R80.20 SIT Tunnel

So I appreciate this is an edge case, but a feature of Gaia is hampered by the standard configuration in R80.20.

I have a SIT tunnel in partnership with the HE tunnel provider, for a routed IPv6 subnet. As with R80.20 you cannot permanently disable SecureXL, yet SecureXL does not work with a SIT tunnel configured on the device.

I have to manually disable SecureXL for IPv6 each time the system reboots.


I wanted to know if this is something other people have had an issue with and if Check Point are aware of issues with SIT tunnels + SecureXL in R80.20. I've traditionally always had to disable SecureXL to get this to work.

I've tried adding a crontab that disables SecureXL at reboot "@reboot /opt/CPsuite-R80.20/fw1/bin/fwaccel6 off > /dev/null 2>&1" but this doesn't seem to work.

0 Kudos

15 Replies
G_W_Albrecht
Legend

Afaik SecureXL can be permanently disabled through the CPconfig utility. See sk41397 How to enable/disable Check Point SecureXL via CLI.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Daniel_Collins
Collaborator

Can't be permanently disabled on R80.20 sadly, no option in cpconfig.

0 Kudos
G_W_Albrecht
Legend

You could try something: On boot, the bash script $FWDIR/bin/fwstart is called. Here we find the line:

$CPDIR/bin/cpprod_util FwSetSecureXL 1

If you do

[Expert@Hostname]# cp $FWDIR/bin/fwstart  $FWDIR/bin/fwstart_ORIGINAL

and change that to

$CPDIR/bin/cpprod_util FwSetSecureXL 0

in $FWDIR/bin/fwstart, it is set to off instead...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Collins
Collaborator

I shall give that a try, thank you!

0 Kudos
Daniel_Collins
Collaborator

So I gave that a try. It seemed to break a lot of things.

It looked like it didn't load the driver at all, and I can only guess that R80.20 relies on it more so than before - no network traffic passing through the box. Had to revert back for the moment - good shout though.

0 Kudos
G_W_Albrecht
Legend

Yes, and we both are thoroughly convinced that it is not supported 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Collins
Collaborator

I'd thought as much, making these sorts of changes - it's not for a critical environment so I'm happy to do things like this, as remembering to flip SXL off each time at boot is more of a pain.

More of a moan towards CP for having conflicting features!

0 Kudos
G_W_Albrecht
Legend

Oh my lord - this is available in a much, much easier way !

- open GAiA WebGUI

- go to System Management > Job Scheduler

- click Scheduled Jobs > Add

- you already do know which Command to Run 😉

- select "At startup"

- be Happy !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Daniel_Collins
Collaborator

Yep that's what I've done!

Here's my script:


#!/bin/sh
# Load the Check Point environment (CPDIR, FWDIR, PATH) so fwaccel finds its libraries
source /etc/profile.d/CP.sh
# Turn SecureXL off for IPv4 and IPv6; output is discarded
/opt/CPsuite-R80.20/fw1/bin/fwaccel off > /dev/null 2>&1
/opt/CPsuite-R80.20/fw1/bin/fwaccel6 off > /dev/null 2>&1
exit

Seems to work, SXL flipped back on again a while after but I think it's unrelated.. I swear the cron scheduler never used to provide the option of "At startup" although @reboot has been around since - forever..

0 Kudos
G_W_Albrecht
Legend

Yes, I just did remember in the back of my mind something similar, had a look there and - emacs !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

So you could mark mine as the correct answer  !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Mark_Colatosti
Contributor

Wow, I somewhat randomly came across this thread when searching to see if there was any way to allow SecureXL to run, but not actually do anything as I would like to have the monitoring visibility of SNMP and Netflow but without the random network communication breakage that seems to result with it on when using NAT and routed vpnt to vpnt traffic (ie. a WAN tier transport devices and even my client "VPN hub" tier devices).  It's an unpleasant surprise to find that the option to turn off SecureXL is gone in R80.20 and up versions, but obviously much better than finding out as a surprise after upgrading to R80.20.   Did you end up getting a satisfactory solution to this or am I staying on R80.10 for a number of my devices, also bad?

Any details as to how you resolved is appreciated, as well as how stable the solution appears to be.


0 Kudos
HeikoAnkenbrand
Champion

FYI:
SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor". The SecureXL driver takes a certain amount of kernel memory per core and that was adding up to more kernel memory than Intel/Linux was allowing.

More infos here:

R80.x Security Gateway Architecture (Logical Packet Flow)


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Phil_Mac
Explorer

Tried this on an R80.30 box.

You need to allow adequate time between the cron job running and SXL SND coming up as the former comes before the latter during boot; adding a sleep achieves this (thanks Tyler).

#!/bin/sh
# Wait for SecureXL (SND) to come up; the startup job runs before it during boot
sleep 60
# Load the Check Point environment (CPDIR, FWDIR, PATH) so fwaccel finds its libraries
source /etc/profile.d/CP.sh
# Turn SecureXL off for IPv4 and IPv6; output is discarded
/opt/CPsuite-R80.30/fw1/bin/fwaccel off > /dev/null 2>&1
/opt/CPsuite-R80.30/fw1/bin/fwaccel6 off > /dev/null 2>&1
exit

0 Kudos
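As an added example (not a script from this thread or from Check Point), here is an "At startup" job in the same spirit as the two above that polls for SecureXL coming up instead of sleeping a fixed 60 seconds, then turns it off for IPv4 and IPv6, checks that it really went off, and logs the outcome. Assumptions: the binary paths, the log path, and that `fwaccel stat` prints a line matching SXL_ON_PATTERN while acceleration is on (adjust the pattern to the output format of the installed version).

```shell
#!/bin/sh
# Added example, not from this thread: a Job Scheduler "At startup" script
# that polls for SecureXL instead of sleeping a fixed time, turns it off
# for IPv4 and IPv6, verifies the result and logs what happened.
# Assumptions: binary paths below, and that 'fwaccel stat' prints a line
# matching SXL_ON_PATTERN when acceleration is on (adjust for your version).
FWACCEL="${FWACCEL:-/opt/CPsuite-R80.30/fw1/bin/fwaccel}"
FWACCEL6="${FWACCEL6:-/opt/CPsuite-R80.30/fw1/bin/fwaccel6}"
SXL_ON_PATTERN="${SXL_ON_PATTERN:-Accelerator Status *: *on}"
LOG="${SXL_LOG:-/var/log/disable_sxl.log}"

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# 0 if the given fwaccel binary reports acceleration as on, 1 otherwise.
sxl_is_on() {
    "$1" stat 2>/dev/null | grep -qi "$SXL_ON_PATTERN"
}

# Poll up to $2 seconds in steps of $3 (default 5) for SecureXL to come up.
# Returns 0 as soon as it is seen on, 1 on timeout.
wait_for_sxl() {
    bin="$1"; limit="$2"; step="${3:-5}"; waited=0
    while [ "$waited" -lt "$limit" ]; do
        sxl_is_on "$bin" && return 0
        sleep "$step"; waited=$((waited + step))
    done
    return 1
}

# Turn one accelerator off and confirm it really went off.
disable_sxl() {
    bin="$1"
    "$bin" off >/dev/null 2>&1 || { log "$bin off failed"; return 1; }
    if sxl_is_on "$bin"; then log "$bin still on after off"; return 1; fi
    log "$bin is off"
}

main() {
    [ -f /etc/profile.d/CP.sh ] && . /etc/profile.d/CP.sh
    rc=0
    for bin in "$FWACCEL" "$FWACCEL6"; do
        # If SXL never shows up within the window, still attempt the off.
        wait_for_sxl "$bin" "${SXL_WAIT:-180}" || log "$bin not seen on; trying off anyway"
        disable_sxl "$bin" || rc=1
    done
    return "$rc"
}
# Run main only when invoked as the script itself (so it can be sourced/tested).
case "$0" in *disable_sxl.sh) main "$@" ;; esac
```

Save it as disable_sxl.sh, point the Job Scheduler entry at it, and read the log after a reboot to see whether the off actually stuck.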
Phil_Mac
Explorer

echo "fwaccel off" >> /etc/init.d/cpboot

0 Kudos