Thanks Andy. I noticed that sk is for NAT templates only, and for R80.20 and lower. It's odd, hoping it is just a display bug. When I was doing my testing, I had three rules with the ALL_DCE_RPC service. I removed one at a time, checked fwaccel stat each time. After I removed the first two, I saw the rule which disabled templates change. It was only after I removed the third and last instance that all templates showed as disabled. I even re-added the ALL_DCE_RPC service to the last rule, and the output of fwaccel stat returned to what I expected.

Dave

Yea...I dont believe your version is the issue. Lets see if someone can confirm this.

Just tested, same thing.

Andy

I don't even have that option for a policy install:

Right-click on the gateway object on the Install Policy screen and you'll see the hidden checkbox.

Hey that worked. I now have:

xxxxx> fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth1,eth2,eth3,eth4,Sync,|Acceleration,Cryptography |
| | | |Mgmt | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
LightSpeed Accel : disabled
xxxxxxx>

Curiously enough, on my other lab firewalls (same version) I essentially went through the process, and fwaccel stat showed "enabled" for Accept and NAT templates as expected.

Dave

This is my output, even after disabling accelerated policy push

Andy

R81.20 jumbo 24

[Expert@quantum-firewall:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth0,eth1,eth2,eth3 |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer firewall_layer disables template offloads from rule #16
Throughput acceleration still enabled.
Drop Templates : enabled
NAT Templates : disabled by Firewall
Layer firewall_layer disables template offloads from rule #16
Throughput acceleration still enabled.
LightSpeed Accel : disabled
[Expert@quantum-firewall:0]#

Disabling accelerated policy push does not rectify a situation where a specific rule is being called out as halting templating, only the situation where "Accept Templates : disabled by Firewall" is being reported by fwaccel stat with no specific rule number displayed.

Right...I also followed things from below link, but same issue

Andy

https://community.checkpoint.com/t5/Security-Gateways/Accept-Templates-are-still-disabled-even-after...

Your message concerning templating is not the same as the thread OP, please provide a screenshot of rule 16 in your policy.  Accept Templates and NAT Templates will follow each other exactly, the issue with templating stopping is always in the Firewall/Network policy layer. 

Attached

Andy

Almost certainly service snmpXdmid is causing templating to stop at that rule, since it is DCE/RPC.  Also possibly service dhcpv6-relay which is allowing replies on any port and is also using a custom INSPECT protocol handler.  Any chance you can try pulling those two services out of that rule and move them further down?  There could possibly be other services in that same rule causing templating to stop as well, but those two in particular stand out to me.

No dice...removed all snmp and dhcp services, same issue.

Screw it...I removed all services, left services as "any"...bam, as Borat would say "GREAT SUCCESS' lol

Now, shows enabled

[Expert@quantum-firewall:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+---------------------------------------------------------------------------------+
|0 |KPPAK |enabled |eth0,eth1,eth2,eth3 |Acceleration,Cryptography |
| | | | | |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,3DES,DES,AES-128,AES-256,|
| | | | |ESP,LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256, |
| | | | |SHA384,SHA512 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : enabled
NAT Templates : enabled
LightSpeed Accel : disabled
[Expert@quantum-firewall:0]#

Thanks for all your hard work on that Tim! By the way, I found it odd that when I removed ALL dhcp and snmp services, it was still not working, so that logically tells me there had to be another service causing it.

Andy

That may have been because you weren't forcing a unaccelerated policy install every time.  When I put your screenshotted list of services in a single rule and subtracted the snmpXdmid and SNMP-Read-Only services, templates started working.  Putting either one of them back in the rule stopped it; this was under R81.20 GA.

I definitely disabled accelerated policy install every time, 100%. I will try this again Monday in the lab.

Andy

K, just tested again quick and got the proper results. THANKS A BUNCH! 👍

Yes, because the other firewalls received a full nonaccelerated policy install based on the number of changes you made.  But this one's last policy installation was transparently accelerated; you can only determine this if you look at the details of the install policy task where you will see a lightning bolt icon instead of the normal down-arrow. 

I've also seen other situations where CLI-level changes to the gateway or SMS don't "take" if the policy installation happens to be accelerated.  A forced full policy installation fixes it.  

sk169096: Accelerated Install Policy for Access Control Policy

sk168055: SmartConsole shows "Security Gateway and Security Management policy versions are incompati...

sk180414: Accelerated policy installation fails with "Policy installation failed on gateway. If the ...

I've gotten to the point where if I make any kind of configuration change that was not performed in the SmartConsole itself yet requires a policy reinstallation to take effect, I always force a full unaccelerated installation as a matter of course.  There is no way to permanently disable accelerated policy installs, nor any way to make that hidden checkbox "sticky".