This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wolfgang
Authority
Authority
‎2020-02-13 01:36 AM

performance optimization via "SecureXL Fast Accelerator"

Hello CheckMates,

I want to get safe with my understanding of the 

SecureXL Fast Accelerator 

If I define a network, host, port or anything possible via the "fw ctl fast_accel" command, these matching packets are going straight the fastest path with no deep inspection ?

Meaning no AV, no AB, no IPS, no URLF, no APPCL, no service inspection, no TP etc. will be done for these packets regardless if these blades are enabled ?

Wolfgang

0 Kudos
9 Replies
_Val_
Admin
Admin
‎2020-02-13 02:48 AM

Your understanding is correct. Here is the quote from SK: "The Fast Acceleration feature lets you define trusted connections to allow bypassing deep packet inspection".

 

If there is part of the traffic which can be trusted by definition, you can then bypass deep inspection for such traffic altogether. 

lolith
Participant
‎2022-03-16 12:33 PM
In response to _Val_

Hi, 

 

Just one query on this. If we put an exception for a particular traffic to bypass all deep inspection blades (AV, AB, IPS, URLF, APPCL,) in TP policy , would we still need to consider putting that traffic under fast_accel? Or after putting this exception, that traffic should always go accelerated path.

Reason: When doing fwaccel conns, we don't see that exception traffic as PXLSL. However, when we put that in fast_accel table, we see significant improvement of traffic flow.

 

Regards,

Lolith

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-03-16 04:32 PM
In response to lolith

It will depend heavily on which blades you have enabled. 

While you can easily exclude all TP enforcement with a "null" TP profile in an explicit TP policy rule, guaranteeing this in an Access Control policy layer with APCL/URLF is much tougher.  You cannot define an explicit rule in an APCL/URLF layer that is equivalent to a TP null profile rule.   Essentially the traffic must "fall off" the end of the APCL/URLF layer/sub-layer and hit the implicit cleanup rule of Accept to help ensure it will be fully accelerated.  fast_accel can make sure that this occurs for traffic that would otherwise go PXL/Medium Path, but always remember that traffic requiring CPAS or F2F handling cannot be forced into the fully-accelerated path with fast_accel.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
lolith
Participant
‎2022-03-17 03:02 AM
In response to Timothy_Hall

We only have IPS blade enabled and that was the whole confusion around this. How come the null profile is not making sure that the traffic is going through fast path. In my experiance the traffic flow improved after we put that explicity under fast_accel table.

Any explanation for this behaviour? Note, we are running R80.40 with latest jumbo take.

 

regards,

Lolith

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-03-17 09:10 AM
In response to lolith

Probably lots of CIFS/microsoft-ds traffic which will almost always go Medium Path unless forced into full acceleration.  See here:

https://community.checkpoint.com/t5/General-Topics/First-impressions-R80-30-on-gateway-one-step-forw...

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-02-13 05:17 AM

What Val said.  A warning from the third edition of my book about fast_accel:

bang.jpgWhile using the fast_accel feature ensures highly efficient handling of the
matched traffic in the SXL path, doing so ignores portions of your security policy and
can disable almost all firewall inspection of that traffic. As such a variety of bad things
can happen inside traffic streams that have been essentially whitelisted by this feature,
and a careful risk analysis is necessary before using it. It is NOT RECOMMENDED to
use fast_accel if one or both of the systems involved are not trusted and/or under your
organization’s direct administrative control.

As discussed in my CPX 2020 speech Big Game Hunting: Elephant Flows, typically fast_accel is used in the context of elephant flows (heavy connections) to make them go faster and keep from stomping on "mice" connections.  Note that there is an alternative solution from R&D that allows the processing/handling of elephant flows to be "spread around" more than one worker core, thus allowing them to go faster without limiting inspection of them with fast_accel.  See my preso for more details about this new feature and how to contact R&D to obtain it.

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Wolfgang
Authority
Authority
‎2020-02-13 06:01 AM
In response to Timothy_Hall

Thanks @Timothy_Hall and @_Val_ for your reply.

I'm aware of the risks. We want to use this for some hosts they did storage and database replications.

Wolfgang

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-02-13 06:38 AM
In response to Wolfgang

I knew you were aware of the risks, but I feel duty-bound to bring them up whenever fast_accel is mentioned for those who might read this thread later.

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
Wolfgang
Authority
Authority
‎2020-02-13 06:45 AM
In response to Timothy_Hall

@Timothy_Hall  👍😊

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events