This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Timothy_Hall
MVP Gold
MVP Gold
‎2023-06-26 05:22 AM
In response to Fabz

SecureXL was significantly revamped in R80.20, which accounts for the behavioral changes of fwaccel off.  The big change is that in R80.20+ the first new packet of every connection ALWAYS goes to a worker/instance core.  This did not used to be the case prior to R80.20, where matching an Accept template in sim/SecureXL itself could authorize the connection and it would never touch a worker/instance core if it could be handled in fastpath.

When the new connection's first packet passes through sim/SecureXL and hits the worker core, it first checks if the connection matches a previously-created Accept template; if not it performs a full firewall/network rulebase lookup in slowpath/F2F.  If the connection is allowed, an Accept template  is created to potentially match future substantially significant connections.  Next the worker core looks at what level of inspection will be required for this connection, and determines which path the connection should use for the rest of its duration: offload into fastpath, offload into medium path, or remain in F2F/slowpath.  In my Gateway Performance Optimization Class we run a special debug to observe precisely why the worker core selected a certain path; very useful to determine exactly why certain connections seem to always be doomed to the F2F/slowpath.

With all that said, when you run fwaccel off here is what happens in R80.20+:

  • Accept templates are not checked nor created
  • Full firewall/network policy lookup is always performed on the worker cores
  • Offload decision for all NEW connections is always remain F2F/slowpath
  • Existing connections stay in whatever path they were in before, and do not suddenly start going F2F/slowpath like they used to prior to R80.20

Performance should not improve when you run fwaccel off, unless you have an insufficient number of SND cores which are choking on a large amount of fastpath traffic; when fwaccel off is run all new connections will go F2F/slowpath which the Dynamic Dispatcher will evenly distribute among multiple worker/instance cores.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
(1)
Who rated this post