This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2023-07-21 07:16 AM
Jump to solution

SecureXL Templates show disabled

I'm doing some testing with SecureXL in our lab. Currently, output of fwaccel stat reads:

xxxxxx> fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth1,eth2,eth3,eth4,Sync,|Acceleration,Cryptography |
| | | |Mgmt | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer XXXXX_Policy Access Control disables template offloads from rule #106
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer XXXXXX_Policy Access Control disables template offloads from rule #106
Throughput acceleration still enabled.
LightSpeed Accel : disabled
xxxxxxxx>

And output of fwaccel stats -s:
xxxxxx> fwaccel stats -s
Accelerated conns/Total conns : 25/1401 (1%)
LightSpeed conns/Total conns : 0/1401 (0%)
Accelerated pkts/Total pkts : 2389860528/3129456116 (76%)
LightSpeed pkts/Total pkts : 0/3129456116 (0%)
F2Fed pkts/Total pkts : 739595588/3129456116 (23%)
F2V pkts/Total pkts : 176413090/3129456116 (5%)
CPASXL pkts/Total pkts : 0/3129456116 (0%)
PSLXL pkts/Total pkts : 2246244373/3129456116 (71%)
CPAS pipeline pkts/Total pkts : 0/3129456116 (0%)
PSL pipeline pkts/Total pkts : 0/3129456116 (0%)
CPAS inline pkts/Total pkts : 0/3129456116 (0%)
PSL inline pkts/Total pkts : 0/3129456116 (0%)
QOS inbound pkts/Total pkts : 0/3129456116 (0%)
QOS outbound pkts/Total pkts : 0/3129456116 (0%)
Corrected pkts/Total pkts : 0/3129456116 (0%)
xxxxxxxxx>

And output of fwaccel templates -s:
xxxxxxxxx> fwaccel templates -s

Total number of templates: 198
xxxxxxxxxx>

Rule #106 contains the service object ALL_DCE_RPC, so I understand why this disables templates. When I replace that serivce object with the application control object DCE-RPC Protocol, I get this:

xxxxxxx> fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth1,eth2,eth3,eth4,Sync,|Acceleration,Cryptography |
| | | |Mgmt | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Drop Templates : disabled
NAT Templates : disabled by Firewall
LightSpeed Accel : disabled
xxxxxxxxx>

and
xxxxxxxx> fwaccel stats -s
Accelerated conns/Total conns : 25/2067 (1%)
LightSpeed conns/Total conns : 0/2067 (0%)
Accelerated pkts/Total pkts : 2389988257/3129646869 (76%)
LightSpeed pkts/Total pkts : 0/3129646869 (0%)
F2Fed pkts/Total pkts : 739658612/3129646869 (23%)
F2V pkts/Total pkts : 176421134/3129646869 (5%)
CPASXL pkts/Total pkts : 0/3129646869 (0%)
PSLXL pkts/Total pkts : 2246359221/3129646869 (71%)
CPAS pipeline pkts/Total pkts : 0/3129646869 (0%)
PSL pipeline pkts/Total pkts : 0/3129646869 (0%)
CPAS inline pkts/Total pkts : 0/3129646869 (0%)
PSL inline pkts/Total pkts : 0/3129646869 (0%)
QOS inbound pkts/Total pkts : 0/3129646869 (0%)
QOS outbound pkts/Total pkts : 0/3129646869 (0%)
Corrected pkts/Total pkts : 0/3129646869 (0%)
xxxxxxxxx>

and
xxxxxxx> fwaccel templates -s

Total number of templates: 260
xxxxxxxx>

The output of fwaccel stats -s and fwaccel templates -s seems to show SecureXL operating as expected, but notice the output of fwaccel stat shows all templates as disabled. Bug? I am running R81.10 with Jumbo HFA Take 95

 

Dave

0 Kudos
2 Solutions

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-21 08:15 AM
Jump to solution

Force a full policy install to the gateway as shown below and check it again, it is likely that your last policy reinstallation was accelerated:

force_unaccel.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-22 08:24 AM
In response to the_rock
Jump to solution

Your "Borat" solution really bugged me and I started to wonder if the relevant content in my Gateway Performance Optimization Course was complete and correct on this topic, so I labbed it up this morning. 

As a DCE/RPC object, snmpXdmid definitely stopped templating.  The other offender turned out to be the service of type Other "SNMP-Read-Only" which invokes raw INSPECT code in its advanced properties.  While this situation was already mentioned in my course material, I have enhanced it with a screenshot and some revised content based on your experience.  Here are the updated pages, thanks for helping make the course better:

templates1.pngtemplates2.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

22 Replies
the_rock
MVP Gold
MVP Gold
‎2023-07-21 07:46 AM
Jump to solution

I tested in R81.20 and same thing. I know of below sk, but I already have that configured

https://support.checkpoint.com/results/sk/sk71200

Andy

Best,
Andy
0 Kudos
David_C1
Advisor
‎2023-07-21 07:57 AM
In response to the_rock
Jump to solution

Thanks Andy. I noticed that sk is for NAT templates only, and for R80.20 and lower. It's odd, hoping it is just a display bug. When I was doing my testing, I had three rules with the ALL_DCE_RPC service. I removed one at a time, checked fwaccel stat each time. After I removed the first two, I saw the rule which disabled templates change. It was only after I removed the third and last instance that all templates showed as disabled. I even re-added the ALL_DCE_RPC service to the last rule, and the output of fwaccel stat returned to what I expected.

Dave

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-21 07:58 AM
In response to David_C1
Jump to solution

Yea...I dont believe your version is the issue. Lets see if someone can confirm this.

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-21 08:15 AM
Jump to solution

Force a full policy install to the gateway as shown below and check it again, it is likely that your last policy reinstallation was accelerated:

force_unaccel.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Gold
MVP Gold
‎2023-07-21 08:31 AM
In response to Timothy_Hall
Jump to solution

Just tested, same thing.

Andy

Best,
Andy
0 Kudos
David_C1
Advisor
‎2023-07-21 08:44 AM
In response to Timothy_Hall
Jump to solution

I don't even have that option for a policy install:

 

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-21 09:34 AM
In response to David_C1
Jump to solution

Right-click on the gateway object on the Install Policy screen and you'll see the hidden checkbox.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
David_C1
Advisor
‎2023-07-21 09:48 AM
In response to Timothy_Hall
Jump to solution

Hey that worked. I now have:

xxxxx> fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth1,eth2,eth3,eth4,Sync,|Acceleration,Cryptography |
| | | |Mgmt | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
LightSpeed Accel : disabled
xxxxxxx>

Curiously enough, on my other lab firewalls (same version) I essentially went through the process, and fwaccel stat showed "enabled" for Accept and NAT templates as expected.

Dave

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-21 09:57 AM
In response to David_C1
Jump to solution

This is my output, even after disabling accelerated policy push

Andy

R81.20 jumbo 24

 

[Expert@quantum-firewall:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth0,eth1,eth2,eth3 |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer firewall_layer disables template offloads from rule #16
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer firewall_layer disables template offloads from rule #16
Throughput acceleration still enabled.
LightSpeed Accel : disabled
[Expert@quantum-firewall:0]#

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-21 10:35 AM
In response to the_rock
Jump to solution

Disabling accelerated policy push does not rectify a situation where a specific rule is being called out as halting templating, only the situation where "Accept Templates : disabled by Firewall" is being reported by fwaccel stat with no specific rule number displayed.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Gold
MVP Gold
‎2023-07-21 10:36 AM
In response to Timothy_Hall
Jump to solution

Right...I also followed things from below link, but same issue

Andy

 

https://community.checkpoint.com/t5/Security-Gateways/Accept-Templates-are-still-disabled-even-after...

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-21 11:14 AM
In response to the_rock
Jump to solution

Your message concerning templating is not the same as the thread OP, please provide a screenshot of rule 16 in your policy.  Accept Templates and NAT Templates will follow each other exactly, the issue with templating stopping is always in the Firewall/Network policy layer. 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Gold
MVP Gold
‎2023-07-21 11:20 AM
In response to Timothy_Hall
Jump to solution

Attached

Andy

Best,
Andy
Preview file
177 KB
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-21 11:41 AM
In response to the_rock
Jump to solution

Almost certainly service snmpXdmid is causing templating to stop at that rule, since it is DCE/RPC.  Also possibly service dhcpv6-relay which is allowing replies on any port and is also using a custom INSPECT protocol handler.  Any chance you can try pulling those two services out of that rule and move them further down?  There could possibly be other services in that same rule causing templating to stop as well, but those two in particular stand out to me.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Gold
MVP Gold
‎2023-07-21 12:32 PM
In response to Timothy_Hall
Jump to solution

No dice...removed all snmp and dhcp services, same issue.

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-21 12:40 PM
In response to Timothy_Hall
Jump to solution

Screw it...I removed all services, left services as "any"...bam, as Borat would say "GREAT SUCCESS' lol

Now, shows enabled

[Expert@quantum-firewall:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth0,eth1,eth2,eth3 |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed Accel : disabled
[Expert@quantum-firewall:0]#

 

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-22 08:24 AM
In response to the_rock
Jump to solution

Your "Borat" solution really bugged me and I started to wonder if the relevant content in my Gateway Performance Optimization Course was complete and correct on this topic, so I labbed it up this morning. 

As a DCE/RPC object, snmpXdmid definitely stopped templating.  The other offender turned out to be the service of type Other "SNMP-Read-Only" which invokes raw INSPECT code in its advanced properties.  While this situation was already mentioned in my course material, I have enhanced it with a screenshot and some revised content based on your experience.  Here are the updated pages, thanks for helping make the course better:

templates1.pngtemplates2.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Gold
MVP Gold
‎2023-07-22 09:13 AM
In response to Timothy_Hall
Jump to solution

Thanks for all your hard work on that Tim! By the way, I found it odd that when I removed ALL dhcp and snmp services, it was still not working, so that logically tells me there had to be another service causing it.

Andy

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-22 09:39 AM
In response to the_rock
Jump to solution

That may have been because you weren't forcing a unaccelerated policy install every time.  When I put your screenshotted list of services in a single rule and subtracted the snmpXdmid and SNMP-Read-Only services, templates started working.  Putting either one of them back in the rule stopped it; this was under R81.20 GA.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-22 09:40 AM
In response to Timothy_Hall
Jump to solution

I definitely disabled accelerated policy install every time, 100%. I will try this again Monday in the lab.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-07-22 10:17 AM
In response to Timothy_Hall
Jump to solution

K, just tested again quick and got the proper results. THANKS A BUNCH! 👍

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-07-21 09:58 AM
In response to David_C1
Jump to solution

Yes, because the other firewalls received a full nonaccelerated policy install based on the number of changes you made.  But this one's last policy installation was transparently accelerated; you can only determine this if you look at the details of the install policy task where you will see a lightning bolt icon instead of the normal down-arrow. 

I've also seen other situations where CLI-level changes to the gateway or SMS don't "take" if the policy installation happens to be accelerated.  A forced full policy installation fixes it.  

sk169096: Accelerated Install Policy for Access Control Policy

sk168055: SmartConsole shows "Security Gateway and Security Management policy versions are incompati...

sk180414: Accelerated policy installation fails with "Policy installation failed on gateway. If the ...

I've gotten to the point where if I make any kind of configuration change that was not performed in the SmartConsole itself yet requires a policy reinstallation to take effect, I always force a full unaccelerated installation as a matter of course.  There is no way to permanently disable accelerated policy installs, nor any way to make that hidden checkbox "sticky".

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events