This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CheckPointerXL
Advisor
Advisor
‎2021-03-25 12:11 PM
Jump to solution

SecureXL Fast Accelerator - Need to clarify packet flow

Hi all,

taking a look to this packet flow:

 

R80.20 Logical Packet Flow fast accel 0.1a.JPG

 

From the diagram I understand that if i put a rule in the fast accelaration table, not explicitally permitted in the rulebase, it is accepted.

Well, I just did a test, allowing A->B in the fast accel table, but it was dropped by clean up in the rulebase.

Only allowing connection in rule base, let it hit the Fast Accel Table

 

Anyone can clarify this? So first connection have to be checked in rulebase like traditional secureXL ?

thank you

1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2021-03-28 11:21 AM
Jump to solution

Hi @CheckPointerXL 

It is not possible to create a packet flow overview with all paths. You are right. "Fast Acceleration Rules" only work for allow packets. This is a schematic overview in my article R80.x - Performance Tuning Tip - SecureXL Fast Accelerator  (R80.20 JHF103+)

It is also important whether it is the first package or a subsequent package. "Fast Acceleration Rules" only work for subsequence packets which are normally sent to PSLXL path (medium path). If "Fast Acceleration Rules" are used, the packets are sent to the acceleration path and not to the PSLXL path.

 

accel_path_d_2b.PNG

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

7 Replies
genisis__
MVP Silver
MVP Silver
‎2021-03-27 11:07 AM
Jump to solution

A rule would still be required in the FW blade, but if you have additional security blades enabled (example IPS/AV/ABOT), these would be by-passed; in the logs you would simply see a entry indicating the traffic was fastaccel.

It's one of the reason only trusted traffic should be added, and keep in mind there is a limited number of rules you can add to fastaccel table.

The above is my understanding, happy to be corrected.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2021-03-27 01:58 PM
In response to genisis__
Jump to solution

hi Genesis,

Thank you for your reply. 

Of course i Agree the way you described which correspond with the result of my lab test.

What i can't understand is that diagram (and the ones found in sk156672 too). Waching them I think is clear that Fast accel table is something with no relation and to an upper level from the rulebase.

Definitively, it seems both are not pertinent with how FW works.

Any speech is appreciated

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-03-28 05:14 AM
In response to CheckPointerXL
Jump to solution

Starting in R80.20, the first packet of every new connection goes to a worker instance for an Accept Template check and if there is no matching template, a Firewall/Network Layer rulebase lookup happens next.  If the connection is accepted by the template/rulebase and fast_accel is present for that connection's attributes, the connection is usually reinjected back into SecureXL for subsequent handling in the accelerated path.  This reinjection can also happen for a non-fast_accel'ed connection that does not require any deep inspection handling; fast_accel just makes this much more likely.

Note that if there is an inspection condition present that requires use of the F2F/slowpath handling for that connection, the fast_accel will not be applied even if present and the connection will still go F2F on a Firewall Worker.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
PhoneBoy
Admin
Admin
‎2021-03-28 10:49 AM
Jump to solution

Keep in mind that diagram is not an official diagram.

“Fast Accel” specifically impacts the decision to send something to PXL/Medium Path.
Anything that matches a Fast Accel rule that would normally go to the PSL/Medium Path instead goes to the Accelerated Path.
Traffic can still hit the F2F/Slow Path for other reasons.
And, in all cases, you still need to have an Access Policy rule that permits the traffic.
And, as noted elsewhere, you should only Fast Accel trusted connection flows.

HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2021-03-28 11:21 AM
Jump to solution

Hi @CheckPointerXL 

It is not possible to create a packet flow overview with all paths. You are right. "Fast Acceleration Rules" only work for allow packets. This is a schematic overview in my article R80.x - Performance Tuning Tip - SecureXL Fast Accelerator  (R80.20 JHF103+)

It is also important whether it is the first package or a subsequent package. "Fast Acceleration Rules" only work for subsequence packets which are normally sent to PSLXL path (medium path). If "Fast Acceleration Rules" are used, the packets are sent to the acceleration path and not to the PSLXL path.

 

accel_path_d_2b.PNG

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
CheckPointerXL
Advisor
Advisor
‎2021-03-29 12:02 AM
Jump to solution

Hi @HeikoAnkenbrand @PhoneBoy @Timothy_Hall ,

thank you for your precious feedback. 

I think now is more difficult to mislead who is approaching 'fast accel' in detail.

 

Best regards

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events