This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MarcuzShinz
Contributor
Contributor
‎2025-03-20 02:25 AM

Traffic sync between 2 AIX servers is slow when handled by checkpoint 9400

Dear Guy,

Have a nice day!

We are currently deploying Check Point 9400 and encountering issues with the synchronization traffic of AIX servers. These servers synchronize using the ssh_v2 service. Let me describe the previous situation:

  1. Previously, the customer used Check Point 4800 with only the Firewall Blade enabled. They had two systems in DC and DR, each containing AIX servers that synchronized data daily. When this traffic was processed by Check Point 4800, it reached approximately 200Mb/s.
  2. After replacing Check Point 4800 with Check Point 9400, also with only the Firewall Blade enabled, the synchronization traffic between AIX servers across the DC and DR sites dropped to 20~30Mb/s.

Has anyone encountered this issue before? please see the image attached

Preview file
69 KB
Preview file
75 KB
Preview file
84 KB
Preview file
263 KB
0 Kudos
13 Replies
PhoneBoy
Admin
Admin
‎2025-03-20 05:40 AM

What was the version running on the 4800 versus what is running on the 9400?
Sounds like the traffic might be hitting F2F path for some reason.
You might try to use fast_accel to ensure the flow is accelerated: https://support.checkpoint.com/results/sk/sk156672

MarcuzShinz
Contributor
Contributor
‎2025-03-20 06:11 AM
In response to PhoneBoy

Dear PhoneBoy,

Version on cp4800 is R77.30, on cp9400 is R81.20.

I have checked on cp4800 with command fwaccel stat, securexl stopped the first rule.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-03-20 06:50 AM
In response to MarcuzShinz

Open an SR# with CP TAC to get this resolved asap.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
MarcuzShinz
Contributor
Contributor
‎2025-03-20 06:57 AM
In response to G_W_Albrecht

Sure, I opened case with TAC but they response very slow, two week but they cannot resolved the issue.

0 Kudos
JaAnd
Contributor
‎2025-03-21 02:52 PM
In response to PhoneBoy

I fully agree that Fast_Accel rules might be the right way to go, as I have successfully used it to boost performance in backups, and also in some VoIP areas. As always use with care, as it makes affected traffic processed faster, but not without a cost - bypassing most of the wonderfulness of Check Point's security oriented code 😉

I am also waiting if the same will be ever possible with Maestro FF, as currently it only supports traffic that is not traversing local networks. Who knows, what feature GAIA releases will bring to us.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-03-20 05:52 AM

When SecureXL works in the User Mode (UPPAK), the Security Gateway performance for the Slow Path traffic (F2F) is lower compared to the Kernel Mode (KPPAK).

Suggest ensuring the policy is constructed / optimized in a manner to avoid scenarios impacting SecureXL.

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-03-20 07:09 AM

We need to know what path your replication connection is operating in.  Start a replication connection and make sure it is alive by running fw ctl multik gconn.  If you can't see the connection here it is not alive.

Next run the following while the connection is alive:

fw tab -t connections -z

fwaccel conns

netstat -ni

If you see the replication connection in the output of the first command, the traffic is slowpath and a reason will be provided.  fast_accel will not work for this traffic.

If you can't find the connection in the output of the first command it will be shown by the second one which means medium or fastpath. 

Please post the output of wherever you find the connection, along with the third command.  If fwaccel stat is complaining about stopping on rule #1 it is referring to accept templating which has nothing do with which path the connection ends up in.  With just the firewall blade enabled it should be fastpath but Core Activations & Inspection Settings can interfere with this.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
MarcuzShinz
Contributor
Contributor
‎2025-03-20 06:53 PM
In response to Timothy_Hall

Since we have clear source and destination, how can we check with these commands.

0 Kudos
MarcuzShinz
Contributor
Contributor
‎2025-03-20 07:03 PM
In response to Timothy_Hall

I got cpinfo on both devices while processing traffic, about securexl it shows as below

on cp-4800

2025-03-21_085719.png

on cp-9400

2025-03-21_085823.png

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-03-21 06:40 AM
In response to MarcuzShinz

Nothing is wrong with SecureXL on your new box (it is still in KPPAK mode for some reason), please provide the outputs I requested in my prior message.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
MarcuzShinz
Contributor
Contributor
‎2025-03-24 11:03 PM
In response to Timothy_Hall

Dear Legend,

I provide about image output of command your share. Vlan of server DR iss vlan 160 and server is 172.29.4.3. Server on DC is 172.27.4.10 & 172.27.4.11

Preview file
208 KB
Preview file
198 KB
Preview file
329 KB
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-03-26 07:40 PM
In response to MarcuzShinz

Based on your outputs the problematic traffic is already in the fastpath, assuming you did not already explicitly force it there with a fast_accel rule.  Your network interfaces are running clean.  I don't see how the firewall can be the cause of your performance issues for this traffic, however I don't understand why KPPAK mode is still being utilized over UPPAK mode for your Quantum Force appliance unless you are not running the latest recommended Jumbo HFA for R81.20.  Are you?  Did you set KPPAK mode explicitly?

If you are running the latest recommended Jumbo HFA for R81.20, TAC will have to look at this...but my gut instinct is that the firewall is not responsible for the slow performance.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Lesley
Authority Authority
Authority
‎2025-03-21 12:32 PM
In response to Timothy_Hall

Share this output and:

cpinfo -y all (to see if you have a Jumbo installed and if so a new one)

enabled_blades double check that only fw is enabled

ethtool -g INTERFACE (to checkt he rx buffers) this is follow-up question depending on nestat -ni output

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events