I'm doing some testing with SecureXL in our lab. Currently, the output of fwaccel stat reads:
xxxxxx> fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth1,eth2,eth3,eth4,Sync,|Acceleration,Cryptography |
| | | |Mgmt | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Layer XXXXX_Policy Access Control disables template offloads from rule #106
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer XXXXXX_Policy Access Control disables template offloads from rule #106
Throughput acceleration still enabled.
LightSpeed Accel : disabled
xxxxxxxx>
And the output of fwaccel stats -s:
xxxxxx> fwaccel stats -s
Accelerated conns/Total conns : 25/1401 (1%)
LightSpeed conns/Total conns : 0/1401 (0%)
Accelerated pkts/Total pkts : 2389860528/3129456116 (76%)
LightSpeed pkts/Total pkts : 0/3129456116 (0%)
F2Fed pkts/Total pkts : 739595588/3129456116 (23%)
F2V pkts/Total pkts : 176413090/3129456116 (5%)
CPASXL pkts/Total pkts : 0/3129456116 (0%)
PSLXL pkts/Total pkts : 2246244373/3129456116 (71%)
CPAS pipeline pkts/Total pkts : 0/3129456116 (0%)
PSL pipeline pkts/Total pkts : 0/3129456116 (0%)
CPAS inline pkts/Total pkts : 0/3129456116 (0%)
PSL inline pkts/Total pkts : 0/3129456116 (0%)
QOS inbound pkts/Total pkts : 0/3129456116 (0%)
QOS outbound pkts/Total pkts : 0/3129456116 (0%)
Corrected pkts/Total pkts : 0/3129456116 (0%)
xxxxxxxxx>
And the output of fwaccel templates -s:
xxxxxxxxx> fwaccel templates -s
Total number of templates: 198
xxxxxxxxxx>
Rule #106 contains the service object ALL_DCE_RPC, so I understand why this disables templates. When I replace that service object with the application control object DCE-RPC Protocol, I get this:
xxxxxxx> fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth1,eth2,eth3,eth4,Sync,|Acceleration,Cryptography |
| | | |Mgmt | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Drop Templates : disabled
NAT Templates : disabled by Firewall
LightSpeed Accel : disabled
xxxxxxxxx>
and
xxxxxxxx> fwaccel stats -s
Accelerated conns/Total conns : 25/2067 (1%)
LightSpeed conns/Total conns : 0/2067 (0%)
Accelerated pkts/Total pkts : 2389988257/3129646869 (76%)
LightSpeed pkts/Total pkts : 0/3129646869 (0%)
F2Fed pkts/Total pkts : 739658612/3129646869 (23%)
F2V pkts/Total pkts : 176421134/3129646869 (5%)
CPASXL pkts/Total pkts : 0/3129646869 (0%)
PSLXL pkts/Total pkts : 2246359221/3129646869 (71%)
CPAS pipeline pkts/Total pkts : 0/3129646869 (0%)
PSL pipeline pkts/Total pkts : 0/3129646869 (0%)
CPAS inline pkts/Total pkts : 0/3129646869 (0%)
PSL inline pkts/Total pkts : 0/3129646869 (0%)
QOS inbound pkts/Total pkts : 0/3129646869 (0%)
QOS outbound pkts/Total pkts : 0/3129646869 (0%)
Corrected pkts/Total pkts : 0/3129646869 (0%)
xxxxxxxxx>
and
xxxxxxx> fwaccel templates -s
Total number of templates: 260
xxxxxxxx>
The output of fwaccel stats -s and fwaccel templates -s seems to show SecureXL operating as expected, but notice that the output of fwaccel stat shows all templates as disabled. Bug? I am running R81.10 with Jumbo HFA Take 95.
Dave
I tested in R81.20 and same thing. I know of the sk below, but I already have that configured:
https://support.checkpoint.com/results/sk/sk71200
Andy
Thanks Andy. I noticed that sk is for NAT templates only, and for R80.20 and lower. It's odd, hoping it is just a display bug. When I was doing my testing, I had three rules with the ALL_DCE_RPC service. I removed one at a time, checked fwaccel stat each time. After I removed the first two, I saw the rule which disabled templates change. It was only after I removed the third and last instance that all templates showed as disabled. I even re-added the ALL_DCE_RPC service to the last rule, and the output of fwaccel stat returned to what I expected.
Dave
Yeah... I don't believe your version is the issue. Let's see if someone can confirm this.
Force a full policy install to the gateway as shown below and check it again, it is likely that your last policy reinstallation was accelerated:
Just tested, same thing.
Andy
I don't even have that option for a policy install:
Right-click on the gateway object on the Install Policy screen and you'll see the hidden checkbox.
Hey that worked. I now have:
xxxxx> fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth1,eth2,eth3,eth4,Sync,|Acceleration,Cryptography |
| | | |Mgmt | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
LightSpeed Accel : disabled
xxxxxxx>
Curiously enough, on my other lab firewalls (same version) I essentially went through the process, and fwaccel stat showed "enabled" for Accept and NAT templates as expected.
Dave
This is my output, even after disabling accelerated policy push
Andy
R81.20 jumbo 24
[Expert@quantum-firewall:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth0,eth1,eth2,eth3 |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : disabled by Firewall
Layer firewall_layer disables template offloads from rule #16
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer firewall_layer disables template offloads from rule #16
Throughput acceleration still enabled.
LightSpeed Accel : disabled
[Expert@quantum-firewall:0]#
Disabling accelerated policy push does not rectify a situation where a specific rule is being called out as halting templating, only the situation where "Accept Templates : disabled by Firewall" is being reported by fwaccel stat with no specific rule number displayed.
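A quick triage check for the distinction Tim draws above, as an added example that is not from this thread or from Check Point: it reads the template section of fwaccel stat output and tells a rule-caused stop (fix the rule) apart from the "disabled by Firewall" with no rule number (suspect an accelerated policy install and force a full one). The sample output is constructed from the lines quoted in this thread, not captured from a live gateway.

```sh
#!/bin/sh
# Constructed sample (modelled on the thread's output, not a live capture):
SAMPLE='Accept Templates : disabled by Firewall
Layer firewall_layer disables template offloads from rule #16
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer firewall_layer disables template offloads from rule #16
Throughput acceleration still enabled.
LightSpeed Accel : disabled'

# classify_templates: reads fwaccel stat output on stdin and prints one line:
#   OK                 Accept and NAT templates are enabled
#   RULE <layer> <n>   a named rule halts templating; look at that rule's services
#   NO_RULE            "disabled by Firewall" but no rule named; re-check after a
#                      forced full (unaccelerated) policy install
classify_templates() {
    awk '
        /^(Accept|NAT) Templates *:/ {
            if ($0 ~ /disabled by Firewall/) disabled++
        }
        /disables template offloads from rule #/ {
            layer = $2            # "Layer <name> disables ..."
            rule = $NF            # "#16"
            sub(/^#/, "", rule)
        }
        END {
            if (disabled == 0)      print "OK"
            else if (rule != "")    print "RULE " layer " " rule
            else                    print "NO_RULE"
        }'
}

# Stand-alone demo on the constructed sample; on a gateway you would pipe
# the live command instead:  fwaccel stat | classify_templates
printf '%s\n' "$SAMPLE" | classify_templates
```

The NO_RULE result is the case Dave hit in the OP; RULE is the case Andy hit, where the fix is in the rule's services rather than in how the policy was installed.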
Right... I also followed things from the link below, but same issue.
Andy
Your message concerning templating is not the same as the thread OP, please provide a screenshot of rule 16 in your policy. Accept Templates and NAT Templates will follow each other exactly, the issue with templating stopping is always in the Firewall/Network policy layer.
Almost certainly service snmpXdmid is causing templating to stop at that rule, since it is DCE/RPC. Also possibly service dhcpv6-relay which is allowing replies on any port and is also using a custom INSPECT protocol handler. Any chance you can try pulling those two services out of that rule and move them further down? There could possibly be other services in that same rule causing templating to stop as well, but those two in particular stand out to me.
No dice...removed all snmp and dhcp services, same issue.
Screw it... I removed all services, left services as "any"... bam, as Borat would say "GREAT SUCCESS" lol
Now it shows enabled:
[Expert@quantum-firewall:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth0,eth1,eth2,eth3 |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+
Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed Accel : disabled
[Expert@quantum-firewall:0]#
Your "Borat" solution really bugged me and I started to wonder if the relevant content in my Gateway Performance Optimization Course was complete and correct on this topic, so I labbed it up this morning.
As a DCE/RPC object, snmpXdmid definitely stopped templating. The other offender turned out to be the service of type Other "SNMP-Read-Only" which invokes raw INSPECT code in its advanced properties. While this situation was already mentioned in my course material, I have enhanced it with a screenshot and some revised content based on your experience. Here are the updated pages, thanks for helping make the course better:
Thanks for all your hard work on that, Tim! By the way, I found it odd that when I removed ALL dhcp and snmp services, it was still not working, so that logically tells me there had to be another service causing it.
Andy
That may have been because you weren't forcing an unaccelerated policy install every time. When I put your screenshotted list of services in a single rule and subtracted the snmpXdmid and SNMP-Read-Only services, templates started working. Putting either one of them back in the rule stopped it; this was under R81.20 GA.
I definitely disabled accelerated policy install every time, 100%. I will try this again Monday in the lab.
Andy
K, just tested again quick and got the proper results. THANKS A BUNCH! 👍
Yes, because the other firewalls received a full nonaccelerated policy install based on the number of changes you made. But this one's last policy installation was transparently accelerated; you can only determine this if you look at the details of the install policy task where you will see a lightning bolt icon instead of the normal down-arrow.
I've also seen other situations where CLI-level changes to the gateway or SMS don't "take" if the policy installation happens to be accelerated. A forced full policy installation fixes it.
sk169096: Accelerated Install Policy for Access Control Policy
I've gotten to the point where if I make any kind of configuration change that was not performed in the SmartConsole itself yet requires a policy reinstallation to take effect, I always force a full unaccelerated installation as a matter of course. There is no way to permanently disable accelerated policy installs, nor any way to make that hidden checkbox "sticky".