This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sam_huang
Participant
‎2019-02-21 09:36 AM
Jump to solution

R80.20 Securexl not disable

Will R80.20! How do we completely shut down securexl

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2019-08-07 05:30 AM
In response to Marko_Keca
Jump to solution

If you find yourself having to disable SecureXL in R80.20+, the best course of action is to open a TAC case so the problem can be identified and fixed.  Disabling SecureXL long-term in R80.20+ is not a good idea and will eventually get you into further trouble.

However in the interim, there is a workaround for disabling SecureXL upon bootup on R80.20+ in this thread:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-SIT-Tunnel/m-p/28139

While your box may be "strong enough" to handle the workload without the SecureXL functions throughput acceleration and rulebase accept templating (session rate acceleration), keep in mind that disabling SecureXL will also disable automatic interface affinity and Multi-Queue.  This will cause all SoftIRQ processing for all interfaces to happen on the lowest-numbered SND/IRQ core, typically CPU #0 which can easily get overloaded in this situation.  After disabling SecureXL keep an eye on the RX-DRP counter reported by command netstat -ni, if the RX-DRP rate rises above 0.1% on any interface you will need to define manual interface affinity via the fw ctl affinity -i command and the fwaffinity.conf file (not the sim affinity command since SecureXL is disabled) to manually spread SoftIRQ processing around on the SND/IRQ cores.  Disabling SecureXL and defining manual interface affinity is not a path I would recommend going down if it can be avoided.

 

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

View solution in original post

8 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-02-22 04:39 AM
Jump to solution

I know, in cpconfig this option is no longer available ! Find the reference in Next Generation Security Gateway Guide R80.20 p.235 - there is no possibility anymore to permanently disable SecureXL. Of course, you could write a cron job script testing the SecureXL state and issuing fwaccel off if needed, as any reboot will turn SecureXL on again.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
sam_huang
Participant
‎2019-03-04 08:38 PM
In response to G_W_Albrecht
Jump to solution

Can you tell me how to add this script?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-04 09:55 PM
In response to sam_huang
Jump to solution

If the problem can be solved by disabling SecureXL, then it's a bug and it needs to be brought through the TAC.

Why are you asking for SecureXL to be permanently disabled?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-23 03:43 AM
Jump to solution

You can't completely shut down SecureXL in R80.20.

For what reason do you wish to shut down SecureXL?

0 Kudos
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2019-03-10 01:59 AM
Jump to solution

More infos to R80.20+ SecureXL you found here:

R80.20 SecureXL + new chain modules + fw monitor 

Do not turn SecureXL off completely.

Disable SecureXL for singel IP addresses with problems.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2019-03-10 03:03 AM
In response to HeikoAnkenbrand
Jump to solution

SK: 

How to disable SecureXL for specific IP addresses 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Marko_Keca
Contributor
‎2019-08-07 03:54 AM
In response to HeikoAnkenbrand
Jump to solution

I also need option to permanently disable SecureXL as it produces lots of problems when HTTPS inspection is enabled.

I have at least two customers who are running HTTPS inspection without problems when SecureXL is disabled. They have strong enough boxes that acceleration is not needed at this point.

So turning off SecureXL permanently is must have feature by my opinion.

Disabling SecureXL for specific IP addresses sounds promising but it is unusable until network addresses are permited, so we can exclude whole subnets from acceleration.

Regards,
--
Marko

 

Timothy_Hall
MVP Gold
MVP Gold
‎2019-08-07 05:30 AM
In response to Marko_Keca
Jump to solution

If you find yourself having to disable SecureXL in R80.20+, the best course of action is to open a TAC case so the problem can be identified and fixed.  Disabling SecureXL long-term in R80.20+ is not a good idea and will eventually get you into further trouble.

However in the interim, there is a workaround for disabling SecureXL upon bootup on R80.20+ in this thread:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-SIT-Tunnel/m-p/28139

While your box may be "strong enough" to handle the workload without the SecureXL functions throughput acceleration and rulebase accept templating (session rate acceleration), keep in mind that disabling SecureXL will also disable automatic interface affinity and Multi-Queue.  This will cause all SoftIRQ processing for all interfaces to happen on the lowest-numbered SND/IRQ core, typically CPU #0 which can easily get overloaded in this situation.  After disabling SecureXL keep an eye on the RX-DRP counter reported by command netstat -ni, if the RX-DRP rate rises above 0.1% on any interface you will need to define manual interface affinity via the fw ctl affinity -i command and the fwaffinity.conf file (not the sim affinity command since SecureXL is disabled) to manually spread SoftIRQ processing around on the SND/IRQ cores.  Disabling SecureXL and defining manual interface affinity is not a path I would recommend going down if it can be avoided.

 

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events