r81 take 77

the problem seems not related to the https rules order. the rule set is very simple with rules 1 to 5 that bypass several hosts by source, by destination ip or by url then we have an ispection rule for some dangerous categories and at the end the bypass for any as suggested in the following link

Solved: Re: HTTPS Inspection Setup - Check Point CheckMates

the problem cause seems related to the high percentage of traffic that pass through the slow path.

sk32578 describes common scenarios causing F2F traffic processing e.g. PPPoE connections and the use of certain object types / IPS protections (sk105079) etc.

As Tim said high F2F stats are also expected on a standby member of a cluster.

SQLNET2 traffic may also be a factor per sk179919.

the problem seems not related to the https rules order. the rule set is very simple with rules 1 to 5 that bypass several hosts by source, by destination ip or by url then we have an ispection rule for some dangerous categories and at the end the bypass for any as suggested in the following link

Solved: Re: HTTPS Inspection Setup - Check Point CheckMates

the problem cause seems related to the high percentage of traffic that pass through the slow path.

As I mentioned earlier HTTPS Inspection by itself does not typically cause high F2F.  It is almost certainly due to the configuration of your IPS blade.  Try the following technique which is mentioned in my Gateway Performance Optimization Course during your firewall's busiest period if possible, keeping in mind doing so may expose your organization to attacks, use at your own risk!

fwaccel stats -s (note F2F percentage)

ips off -n

fwaccel stats -r

(wait 120 seconds)

fwaccel stats -s (has F2F dropped substantially?  If so IPS is to blame)

ips on

i reset the stats, disabled ips but I still have 78% F2F

as you see I can't run the hcp for TP so I run all available tests

[Expert@checkpoint-1:0]# hcp --enable-product "Threat Prevention"
[Expert@checkpoint-1:0]# hcp -r "Threat Prevention"
Requested test cannot be executed on current system. Please run 'hcp -r all' to see the results for all available tests.

[Expert@checkpoint-1:0]# hcp -r all
Test name Status
============================================================
ARP Cache Limit...................................[PASSED]
Bond Health.......................................[SKIPPED]
CPview Diagnostic.................................[INFO]
Check Point Processes.............................[PASSED]
Cluster...........................................[PASSED]
Connectivity to UC................................[PASSED]
Core Dumps........................................[ERROR]
Custom Applications RegEx.........................[PASSED]
Debug flags - FW..................................[PASSED]
Debug flags - fwaccel.............................[ERROR]
Disk Space........................................[PASSED]
Dynamic Objects Database..........................[PASSED]
FW Configuration File Sanity......................[ERROR]
FW tables limit...................................[ERROR]
File Descriptors..................................[PASSED]
Gaia DB...........................................[PASSED]
Hardware validation...............................[PASSED]
IPv4 forwarding...................................[PASSED]
Identity Awareness - Sharing mechanism error......[PASSED]
Identity Awareness - tables limit.................[PASSED]
Identity Awareness - tables mismatch..............[PASSED]
Interface Errors..................................[ERROR]
Kernel crash......................................[PASSED]
Local Logging.....................................[PASSED]
MAC magic.........................................[ERROR]
MTU...............................................[PASSED]
Memory Usage......................................[PASSED]
Neighbour table overflow..........................[PASSED]
SIM Configuration File Sanity.....................[PASSED]
SSD Health........................................[ERROR]
SecureXL status...................................[PASSED]
Soft lockup.......................................[PASSED]
Software Version..................................[PASSED]
Transceivers Support..............................[PASSED]
Zombie processes..................................[PASSED]

Generating Topology...............................[Done]
Generating Story..................................[Done]
Generating Charts.................................[Done]

any suggestions?

Those "Threat Prevention" reports won't work on any version lower than R81.20.

also, look into the errors you already have

It does run on R81.10 JHF78.

Although with a recursion error meant to be fixed in the next release, as stated by an employee in this post.

@_Val_ ...Are you 100% sure thats the case? We had clients run them back in R80.20 and worked just fine.

Next step to determine mysterious F2F is a debug, schedule a maintenance window for this!  First determine a connection and its attributes that always seems to go F2F using some of the commands I mentioned earlier in this thread like fw_mux all.  Let's suppose that it is traffic sourced from 10.1.1.201 to both destinations 192.168.11.101 and 192.168.12.101 on port 8000.  The following commands are from my Gateway Optimization Course and are run in a live lab exercise:

fw ctl debug 0
fw ctl debug -buf 8192
fw ctl set str simple_debug_filter_saddr_1 10.1.1.201
fw ctl set str simple_debug_filter_daddr_1 192.168.11.101
fw ctl set str simple_debug_filter_daddr_2 192.168.12.101
fw ctl set int simple_debug_filter_dport_1 8000
fw ctl debug -m fw + connstats
fw ctl kdebug -T -f > /var/log/f2f.log (this command will run until manually terminated)

Start a NEW connection going F2F matching this criteria.  Once this has been done run fw ctl debug 0 (VERY IMPORTANT).  Now grep the output f2f.log file for string "accelerated, reason" to see why it went F2F (note that there must be a space character after the comma).

i run the debug as you explained 

traffic is not accelerated, reason="SPII active"

what does it mean?

@;1827982694;13Feb2023 15:10:37.615351;[cpu_1];[fw4_1];fwconn_stats_opq_update_offload_stats: connection stats app updated successfully. conn <dir 0, 192.168.111.154:61576 -> 172.115.78.107:443 IPP 6> is not accelerated, reason="SPII active", sxl_dev_id=4;

An IPS ThreatCloud Protection, Core Activation, or even an Inspection Setting is calling for inspection that must occur in the Medium Path which is preventing full acceleration; it has nothing to do with HTTPS Inspection beyond making the decrypted traffic available to be scanned by the IPS blade.  Any signature with a Performance Impact of Medium/High/Critical could be causing it.  You could use fast_accel to force this traffic into the fully-accelerated path if you want sk156672: SecureXL Fast Accelerator (fw fast_accel) for R80.20 and above.  If you have stopped IPS with the ips off command and the traffic is still not accelerated in your debug, it is likely an Inspection Setting that is the culprit.

Not trying to hijack your post but to add that I am having a similar issue and might be related.

Env:
Maestro R81.10 JHF 78

Mostly all blades enabled AND HTTPSi

Issue:

Usually F2F 95%

Have unloaded amw policy and checked stats and it certainly decreases, but F2F still around 65%, too much.

Main violation is TCP-other miss conn

In cpview, offload decision says SPII Active

Run debug:

fwaccel dbg + offload

fwaccel dbg + pkt + f2f

And I see:

---

;cphwd_chain_to_vm_connkey: obtained vm_connkey <dir 1, x:58180 -> x:443 IPP 6>;
@;235926526; 8Feb2023 15:47:37.404890;[vs_0];[tid_2];[fw4_2];cphwd_chain_to_vm_connkey: obtained vm_connkey <dir 1, x:58180 -> 52.97.211.226:443 IPP 6>;
@;235926526; 8Feb2023 15:47:37.404895;[vs_0];[tid_2];[fw4_2];cpxl_chain_handler: entered (conn <dir 0, 10.x7:58180 -> 52.x6:443 IPP 6>);
@;235926526; 8Feb2023 15:47:37.404897;[vs_0];[tid_2];[fw4_2];cphwd_is_conn_already_offloaded: conn_already_offloaded=0, reoffload_conn=0, created_from_template=0, policy_id=354827077, up_policy_id=1675859405;
@;235926526; 8Feb2023 15:47:37.404898;[vs_0];[tid_2];[fw4_2];cphwd_chain_to_vm_connkey: obtained vm_connkey <dir 1, 1x:58180 -> 52.x:443 IPP 6>;
@;235926526; 8Feb2023 15:47:37.404900;[vs_0];[tid_2];[fw4_2];cphwd_is_non_accelerated_conn: entered...orig_conn=<dir 0, 1x:58180 -> 52.x:443 IPP 6>, vm_conn=<dir 1, 10.x7:58180 -> 52.9x:443 IPP 6>;
@;235926526; 8Feb2023 15:47:37.404903;[vs_0];[tid_2];[fw4_2];cphwd_conn_should_accelerate_by_features: spii is active -> not offloading;
@;235926526; 8Feb2023 15:47:37.404904;[vs_0];[tid_2];[fw4_2];cphwd_handle_conn_acceleration: cphwd_conn_should_accelerate_by_features - not accelerating;
@;235926526; 8Feb2023 15:47:37.404912;[vs_0];[tid_2];[fw4_2];cpxl_chain_handler: connection <dir 0, x58180 -> 5x6:443 IPP 6> will not be accelerated;

---

and then for return traffic:

---

;pkt_handle_no_match: connection <52.x,443,10.x,55119,6> not found -> forwarding to firewall;

---

Flags for slow connections if it means anything to somebody

---

Path: Slow, InZone: INTERNAL_ZONE, OutZone: EXTERNAL_ZONE, Flags: 0x4b01
C2S side:
TCP State: PSL_TCP_ESTABLISHED, Number of segments: 0, Hold: 0, Side flags: 0x2c4
S2C side:
TCP State: PSL_TCP_ESTABLISHED, Number of segments: 0, Hold: 0, Side flags: 0x2c4
Application info:
MUX_PASSIVE, Flags: 0x13

---

Connection matches an HTTPSi bypass rule as well.

Currently with TAC but still early stages.. they are still beating around the bush

SPII = IPS.

Amw unload does not stop IPS.  After ips off -n and stats reset you may need to wait longer if you have long running connections as they will continue F2F until they end.

Any debug or way to find out the protection causing it?

Yes, run hcp's "secret" Threat Prevention reports:

hcp --enable-product "Threat Prevention"

hcp -r "Threat Prevention"

You may need to update to the latest version of hcp and/or these reports may not be supported on R81.10.  I am currently attending CPX Denver for Partners in person and will post the relevant pages from my Gateway Performance Optimization course later today.

Just to make sure, this "secret" is not much of a secret, since you just published it here, @Timothy_Hall, and also teach them in your class.

However, this specific command and some other, similar ones, are intended for TAC exclusive use. There are some performance-related reasons for that. It is an issue of responsibility and liability.

That said, some strictly internal tools of Check Point keep leaking into the public space, which is not always good and sometimes even dangerous, if used without understanding and caution (like zdebug)

Thanks for this, I was wondering if we can obtain HCP update take 59 or release 59 for troubleshooting in anyway. I got a case that is time sensitive and needs to progress. 

So far all symptoms match to some IPS core protection, but we need to determine which protection is culprit. The kernel debug does show phwd_conn_should_accelerate_by_features: spii is active -> not offloading for my customer has well. 

Not surprising that you suspect an IPS Core protection, those signatures have all kinds of wacky behavior.  Here is a list of all the Medium or higher ones that could be causing it, you can try manually disabling these one by one:

Or better yet try creating an exception for all Core Activations as shown below, but for IPS Core Activations specifically I'm not sure if the Any exception will suddenly make the traffic eligible for full acceleration, or just change the final decision from Prevent to something else and have no effect on acceleration.  If you try it be sure to install both the Access Control & Threat Prevention policies after creating this exception, and note that Core Activations Fingerprint Scrambling, LAND, and teardrop will not be included in this exception and you may need to manually disable those.

Here are the pages from my Gateway Performance Optimization course covering the secret hcp TP reports with screenshots, as you can see there is a vast wealth of useful information.

Same error for me.. HCP take 58 / R80.10 JHF 78

Sorry for the inconvenience,

We fixed the issue and it will integrated in the next HCP version (59).

Thankyou, that is great. 
Great product, keep up the good work

HCP 59 was released and Threat Prevention report works 🙂

Have a few more interesting bits but still don't fully get there:

fw_spii_is_activated: spii matrix includes application not registered over PSL = 726, returning SPII is activated.;

ips_cmi_handler_match_cb_ex: conn=dir 0, 10.x.x.x:57715 -> 195.122.177.135:443 IPP 6 ctx=404 sig_id=3797 prot_id=0x655c1477 (type=1 h=1603)cmi_execute_inspect: Executing handler 'HTTP_SLOW_matchcode' (id 1603) on context 404; log_id=0 session_id=0;

ips_get_tp_action_by_prot_id: ipspkg prot_id(32bit)=0x47a40e5d severity=4 performance=5 confidence=0 flags=0xa;

fw_spii_add_inspection: SPII message writen (726, 0, 0);

So how to know what application is not registered on PSL?

Is there perhaps a table?

Is 726 a meaningful reference number?

No but 0x655c1477 and 0x47a40e5d may be, run ips protection 0x655c1477 & ips protection 0x47a40e5d to see what protections those are.

To add to what Tim gave you, below is what you need:

[Expert@quantum-firewall:0]# ips protection 0x655c1477
Web Servers Slow HTTP Denial of Service
[Expert@quantum-firewall:0]# ips protection 0x47a40e5d
TCP Window Size Enforcement
[Expert@quantum-firewall:0]#

You can also refer to post I made about it, hope it will help you.

Cheers,

Andy

https://community.checkpoint.com/t5/Security-Gateways/Searching-for-IPS-protections-via-ssh/m-p/1712...