This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ratnesh_Singh
Explorer
‎2021-02-01 11:28 PM

SecureXL

Hi Team,

I have doubt related to SecureXL .If we have already connection table in firewall kernel,then what is the need of  maintaining secureXL connection table? 

0 Kudos
5 Replies
Danny
Champion Champion
Champion
‎2021-02-01 11:45 PM

The SecureXL connections table 'fwaccel conns' shows all connections handled by SecureXL while the connections kernel table also shows those not handled by SecureXL. Also check sk104468.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-02-02 01:37 AM

Look here: sk98348: Best Practices - Security Gateway Performance

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-02-02 06:06 AM

When a packet arrives at the firewall, it always hits the SecureXL Implementation Module (sim) kernel driver running on an SND/IRQ core first.  In R80.20+ if the packet's attributes match a connection in the SecureXL state table (fwaccel conns - in other words SecureXL is handling that connection), SecureXL commences direct processing on that packet.  If the packet does not match a connection in the SecureXL state table because it is the first packet of a new connection, or it is part of an existing unaccelerated connection that is not being handled by SecureXL, the packet is sent up to a Firewall Worker/Instance which is maintaining its own state table (fw tab -t connections).  There is a notification mechanism to sync certain operations between the two separate tables.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-02-02 06:44 AM
In response to Timothy_Hall

It's probably worth noting the SecureXL table is simpler, so it's faster to check. That's ultimately the reason for maintaining the tables separately.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-02 12:33 PM

One of the original design goals of SecureXL was to provide acceleration for connections in hardware independent from the main CPU of the system.
This necessitates a separate connection table for the accelerator device itself.
There are no hardware accelerator cards that we sell currently, though they have been sold in the past. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events