Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
sam_huang
Participant

R80.20 Securexl not disable

Will R80.20! How do we completely shut down securexl

0 Kudos
Reply
8 Replies
G_W_Albrecht
Champion
Champion

I know, in cpconfig this option is no longer available ! Find the reference in Next Generation Security Gateway Guide R80.20 p.235 - there is no possibility anymore to permanently disable SecureXL. Of course, you could write a cron job script testing the SecureXL state and issuing fwaccel off if needed, as any reboot will turn SecureXL on again.

0 Kudos
Reply
sam_huang
Participant

Can you tell me how to add this script?

0 Kudos
Reply
PhoneBoy
Admin
Admin

If the problem can be solved by disabling SecureXL, then it's a bug and it needs to be brought through the TAC.

Why are you asking for SecureXL to be permanently disabled?

0 Kudos
Reply
PhoneBoy
Admin
Admin

You can't completely shut down SecureXL in R80.20.

For what reason do you wish to shut down SecureXL?

0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion

More infos to R80.20+ SecureXL you found here:

R80.20 SecureXL + new chain modules + fw monitor 

Do not turn SecureXL off completely.

Disable SecureXL for singel IP addresses with problems.

0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion

0 Kudos
Reply
Marko_Keca
Contributor

I also need option to permanently disable SecureXL as it produces lots of problems when HTTPS inspection is enabled.

I have at least two customers who are running HTTPS inspection without problems when SecureXL is disabled. They have strong enough boxes that acceleration is not needed at this point.

So turning off SecureXL permanently is must have feature by my opinion.

Disabling SecureXL for specific IP addresses sounds promising but it is unusable until network addresses are permited, so we can exclude whole subnets from acceleration.

Regards,
--
Marko

 

Timothy_Hall
Champion
Champion

If you find yourself having to disable SecureXL in R80.20+, the best course of action is to open a TAC case so the problem can be identified and fixed.  Disabling SecureXL long-term in R80.20+ is not a good idea and will eventually get you into further trouble.

However in the interim, there is a workaround for disabling SecureXL upon bootup on R80.20+ in this thread:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-SIT-Tunnel/m-p/28139

While your box may be "strong enough" to handle the workload without the SecureXL functions throughput acceleration and rulebase accept templating (session rate acceleration), keep in mind that disabling SecureXL will also disable automatic interface affinity and Multi-Queue.  This will cause all SoftIRQ processing for all interfaces to happen on the lowest-numbered SND/IRQ core, typically CPU #0 which can easily get overloaded in this situation.  After disabling SecureXL keep an eye on the RX-DRP counter reported by command netstat -ni, if the RX-DRP rate rises above 0.1% on any interface you will need to define manual interface affinity via the fw ctl affinity -i command and the fwaffinity.conf file (not the sim affinity command since SecureXL is disabled) to manually spread SoftIRQ processing around on the SND/IRQ cores.  Disabling SecureXL and defining manual interface affinity is not a path I would recommend going down if it can be avoided.

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com