Timothy_Hall

HTTPS-Inspected traffic should be in the CPASXL path.

There are a variety of things that can cause high F2F, usually legacy features or signatures that are enabled.  Looking at your enabled blades, I'd say you almost certainly have an IPS signature enabled causing the high F2F.   Suggestions:

1) SYN Attack used to cause large amounts of traffic to go F2F, but that was resolved in R80.20.  Please post output of fwaccel synatk config so we can see if it is properly being handled in SecureXL.  Also provide output of fwaccel stats -p.

2) Do you have any of these IPS signatures enabled (these are quoted from my Max Power book):

- IP ID Masking/Fingerprint Scrambling
- Time to Live (TTL) Masking/Fingerprint Scrambling
- ASCII Only Response Headers
- Network Quota (check out the “Rate Limiting” feature in Chapter 12 for a much more efficient way to enforce quotas)
- ClusterXL Load Sharing Sticky Decision Function (SDF), which only applies to Load Sharing Multicast ClusterXL deployments; note that enabling the Mobile Access Blade forces the use of SDF on a Load Sharing Multicast cluster.

3) Try disabling the IPS checkbox on your gateway and reinstalling policy.  Then run fwaccel stats -r, wait 10 minutes, and run fwaccel stats -s.  Did the F2F % drop a lot?  If so we need to focus on your IPS config. Note that doing this will expose your organization to attacks while IPS is disabled.

4) The next step is labor intensive, and involves running fwaccel conns and fw ctl multik gconn.  Starting in R80.30 connections handled in F2F are no longer listed in the output of fwaccel conns but all connections appear in the output of fw ctl multik gconn.  You should be able to do some crunching and figure out what kind of connections are listed by the latter command but not the former; the attributes of these F2F connections (internal/external IP, port numbers, etc.) should give you some hints about why F2F is necessary.

5) Bit of a long shot, but make sure you do not have wire mode enabled on any of your VPN Communities.  Also do you have a large percentage of protocols traversing the firewall that are not TCP or UDP-based?  All those protocols cannot be accelerated.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
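The "crunching" in step 4 (finding connections that fw ctl multik gconn lists but fwaccel conns does not, then looking at their attributes), as an added example that is not part of the post above. The column layout and the sample rows are constructed assumptions, not verbatim output of either command; the script only relies on each row listing source IP, source port, destination IP, destination port and IP protocol number in that order.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample output (assumed layout, not verbatim command output).
# Each data row is assumed to list: src IP, src port, dst IP, dst port, proto.
FWACCEL_CONNS = """\
Source          SPort  Destination     DPort  PR  Flags
10.1.1.10       51000  203.0.113.5     443    6   F
10.1.1.11       51001  203.0.113.6     80     6   F
"""

GCONN = """\
ID  Source          SPort  Dest            DPort  IPP  Inst
1   10.1.1.10       51000  203.0.113.5     443    6    0
2   10.1.1.11       51001  203.0.113.6     80     6    1
3   10.1.1.12       40000  10.2.2.2        5060   17   1
4   10.1.1.13       0      10.2.2.3        0      47   2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# src, sport, dst, dport, proto; header lines contain no IPv4 and are skipped
ROW = re.compile(IPV4 + r"\s+(\d+)\s+" + IPV4 + r"\s+(\d+)\s+(\d+)")


def parse_tuples(text):
    """Return the set of 5-tuples (src, sport, dst, dport, proto) in an output dump."""
    found = set()
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            found.add((src, int(sport), dst, int(dport), int(proto)))
    return found


def f2f_candidates(fwaccel_text, gconn_text):
    """Connections the kernel knows about (gconn) but SecureXL does not list."""
    return parse_tuples(gconn_text) - parse_tuples(fwaccel_text)


def summarize(conns):
    """Hints for step 4: protocol mix, destination ports, non-TCP/UDP share, private peers."""
    protos = Counter(c[4] for c in conns)
    dports = Counter(c[3] for c in conns)
    non_tcp_udp = sum(n for p, n in protos.items() if p not in (6, 17))
    private_dst = sum(1 for c in conns if ip_address(c[2]).is_private)
    return {"proto": protos, "dport": dports,
            "non_tcp_udp": non_tcp_udp, "private_dst": private_dst}


if __name__ == "__main__":
    print(summarize(f2f_candidates(FWACCEL_CONNS, GCONN)))
```

On a real gateway, capture both outputs to files and feed their contents in place of the constructed strings; a high non_tcp_udp count points at the protocols step 5 mentions, while clustered destination ports point at a specific service or IPS protection.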