This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rafal_N
Contributor
‎2020-12-11 12:27 PM

fw ctl fast_accel - some traffic still going slow path

Hi Team,

I'm using fast_accel for few months and it works fine with backup traffic, cifs/smb etc but in heavy_conection there are still traffic to DB servers. Issue is with internal traffic ms sql (tcp 1433). It still produce some CPU spikes.

Some days ago I found out fw_mux command and it looks that every connection with tcp 1433 it is not accelerated. Can any one help me figure out what can cause that?? 

 

R80.30 take 219 kernel 2.6

 

fw ctl fast_accel show_state
fw fast_accel: The feature state is: enabled.

 

------------------------------------ FIREWALL FAST ACCEL TABLE ------------------------
# Source IP Destination IP D-Port Protocol Hit count
---- ------------------ ------------------ ------ -------- -----------
19) 192.168.184.0/22 192.168.184.0/22 any 6 9686885
20) 192.168.0.0/16 192.168.0.0/16 1433 6 0

 

Two examples form fw_mux

Connection: <dir 0, 192.168.184.90:41622 -> 192.168.186.20:1433 IPP 6>
VM_Connection: <dir 1, 192.168.184.90:41622 -> 192.168.186.20:1433 IPP 6>
Info:
Path: Slow, Streaming mode: PSL, InZone: INTERNAL_ZONE, OutZone: UNDEFINED_ZONE, Num of registered apps: 2
Rule id: 59, ref count: 2, mux state flags: VM_CONN_WAS_SET ,INSPECT_C2S ,INSPECT_S2C.
APPS:
ADVP: app_flags: INSPECT_BOTH, C2S byte skip: 0, S2C byte skip: 0
TIER1: app_flags: NO_FLAGS, C2S byte skip: 0, S2C byte skip: 0

Connection: <dir 0, 192.168.100.95:40600 -> 192.168.186.20:1433 IPP 6>
VM_Connection: <dir 1, 192.168.100.95:40600 -> 192.168.186.20:1433 IPP 6>
Info:
Path: Slow, Streaming mode: PSL, InZone: INTERNAL_ZONE, OutZone: UNDEFINED_ZONE, Num of registered apps: 2
Rule id: 59, ref count: 2, mux state flags: VM_CONN_WAS_SET ,INSPECT_C2S ,INSPECT_S2C.
APPS:
ADVP: app_flags: INSPECT_BOTH, C2S byte skip: 0, S2C byte skip: 0
TIER1: app_flags: NO_FLAGS, C2S byte skip: 0, S2C byte skip: 0

Any ideas? hints where should I look for?

Best regards,

Rafal 

 

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-12-11 05:58 PM

Is it all connections on 1433 not being accelerated or specific ones?
Recommend a TAC case here.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-12-12 05:36 AM

If traffic has to go F2F/slowpath, it cannot be forced into the SXL/accelerated path with fast_accel and will still go F2F.  If you can figure out why the SQL traffic is going F2F and fix that, fast_accel should start working. 

First off, may I ask how you are getting that "fw_mux" output?  I don't recognize it.

To get the traffic out of F2F, check the following two things:

1) In the service matching TCP port 1433 try removing any overrides like this, as it is fairly typical to override and increase the session timeout beyond the default on SQL services:

SQL.png

 

2) If you have IPS enabled, check for enabled IPS signatures involving SQL that have a Performance Impact rating of Critical or High.  Try disabling them in whatever IPS profile(s) your gateway is using, as one or more of these signatures may be pulling that SQL traffic into F2F.  Here are the relevant signatures I see here in my lab:

SQL_IPS.png

If neither of these suggestions help or are not relevant to your environment, please provide the output of command enabled_blades so I can see what features you have enabled.

Beyond that TAC will need to run a kernel debug to determine why this SQL traffic is going F2F.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Rafal_N
Contributor
‎2020-12-13 11:26 AM
In response to Timothy_Hall

Hi Timothy,

I'm glad that once I can share something with You 🙂

Output is form fw_mux command that is not documented. I get know about it on TAC Academy with really good coach Alon form CheckPoint HQ. As You probably notice there is no connections with flag F listed any more in fwaccel conns. The only way I know to print all connections F2F and PXL is that new command (fw_mux all > file.txt)

I try to debug a little more with TAC because service looks very standard as in default settings, IPS exceptions between this internal networks is added and yet with 1433 there is a problem. Was hoping that somebody can read something more form that output. Later I try to play with kernel debug but I have to do it some filters.

Best regards,

Rafal

0 Kudos
miguel
Participant
‎2021-10-28 08:41 AM
In response to Rafal_N

Hi Rafal,

Did you find any solution to this? I am just starting to try to accelerate ms-sql-s (1433) myself and see 0 hits in 'fw ctl fast_accel show_table' output. I'll open a TAC case as well.

Thanks,

0 Kudos
Rafal_N
Contributor
‎2021-10-28 09:12 AM
In response to miguel

Just check history SR with TAC we had some remote sessions. Didn't find any solution other then clearing all connection form connections table. Please be careful because it will cause all connection to be reestablish. 

fw tab -t connections -x

I'm not sure if I solve it at all but I can share with You SR number (pm) and maybe there will be some internal notes made by TAC engineer.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events