- Products
- Learn
- Local User Groups
- Partners
- More
This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
- Products
- Learn
- Local User Groups
- Upcoming Events
- Americas
- EMEA
- Czech Republic and Slovakia
- Denmark
- Netherlands
- Germany
- Sweden
- United Kingdom and Ireland
- France
- Spain
- Norway
- Ukraine
- Baltics and Finland
- Greece
- Portugal
- Austria
- Kazakhstan and CIS
- Switzerland
- Romania
- Turkey
- Belarus
- Belgium & Luxembourg
- Russia
- Poland
- Georgia
- DACH - Germany, Austria and Switzerland
- Iberia
- Africa
- Adriatics Region
- Eastern Africa
- Israel
- Nordics
- Middle East and Africa
- Balkans
- Italy
- Bulgaria
- Cyprus
- APAC
- Partners
- More
- ABOUT CHECKMATES & FAQ
- Sign In
- Leaderboard
- Events
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Who rated this post
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SecureXL was significantly revamped in R80.20, which accounts for the behavioral changes of fwaccel off. The big change is that in R80.20+ the first new packet of every connection ALWAYS goes to a worker/instance core. This did not used to be the case prior to R80.20, where matching an Accept template in sim/SecureXL itself could authorize the connection and it would never touch a worker/instance core if it could be handled in fastpath.
When the new connection's first packet passes through sim/SecureXL and hits the worker core, it first checks if the connection matches a previously-created Accept template; if not it performs a full firewall/network rulebase lookup in slowpath/F2F. If the connection is allowed, an Accept template is created to potentially match future substantially significant connections. Next the worker core looks at what level of inspection will be required for this connection, and determines which path the connection should use for the rest of its duration: offload into fastpath, offload into medium path, or remain in F2F/slowpath. In my Gateway Performance Optimization Class we run a special debug to observe precisely why the worker core selected a certain path; very useful to determine exactly why certain connections seem to always be doomed to the F2F/slowpath.
With all that said, when you run fwaccel off here is what happens in R80.20+:
- Accept templates are not checked nor created
- Full firewall/network policy lookup is always performed on the worker cores
- Offload decision for all NEW connections is always remain F2F/slowpath
- Existing connections stay in whatever path they were in before, and do not suddenly start going F2F/slowpath like they used to prior to R80.20
Performance should not improve when you run fwaccel off, unless you have an insufficient number of SND cores which are choking on a large amount of fastpath traffic; when fwaccel off is run all new connections will go F2F/slowpath which the Dynamic Dispatcher will evenly distribute among multiple worker/instance cores.
Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
©1994-2025 Check Point Software Technologies Ltd. All rights reserved.
Copyright
Privacy Policy
About Us
UserCenter