CPUG: The Check Point User Group

Thread: SecureXL getting disabled

  #1 udupik (Join Date 2012-08-10, Posts 18): SecureXL getting disabled

    Hello Guys,

    I am trying to optimize my firewall's rules base to enable SecureXL, since fwaccel stat tells me that Accept templates are getting disabled by firewall.

    So here is what I did: I imported my production MGMT server backup onto a test VM, with the test VM firewalls having very similar hardware specs.

    According to Check Point, SecureXL was basically meant for HTTP 1.1 acceleration, so what I did was move all my rules with HTTP and HTTPS services to the top; currently the top 55 rules are pure HTTP/HTTPS service rules.

    But even after doing this, fwaccel stat still says that Accept Templates are getting disabled by Firewall.

    I have gone through some SKs and overcome all the limitations they list, but I still see SecureXL not working: all packets now go through F2F.

    Any advice would be really helpful

  #2 ShadowPeak.com (Join Date 2009-04-30, Colorado, USA, Posts 2,233): Re: SecureXL getting disabled

    Quote Originally Posted by udupik (post #1, quoted in full)
    Please post output of these commands run in expert mode on the firewall (or the active cluster member if you have a cluster):

    fwaccel stat
    fwaccel stats -s
    fwaccel stats -p

  #3 jdmoore0883 (Join Date 2014-11-14, Ottawa, Canada, Posts 364): Re: SecureXL getting disabled

    Also, what blades do you have active on the Gateway? There are some that will force an F2F path, like DLP or IPS.

  #4 ShadowPeak.com (Join Date 2009-04-30, Colorado, USA, Posts 2,233): Re: SecureXL getting disabled

    Quote Originally Posted by jdmoore0883:
    Also, what blades do you have active on the Gateway? There are some that will force an F2F path, like DLP or IPS.
    Easy way from the CLI to get this info is to run "enabled_blades" on R75.47+ or "enabled_blades.sh" on R75.46 and earlier firewalls.

  #5 udupik (Join Date 2012-08-10, Posts 18): Re: SecureXL getting disabled

    Quote Originally Posted by ShadowPeak.com:
    Please post output of these commands run in expert mode on the firewall (or the active cluster member if you have a cluster):

    fwaccel stat
    fwaccel stats -s
    fwaccel stats -p
    So I did some more research to enable SecureXL. Here's what I found out; I am not sure if this is documented anywhere, at least as far as I know it isn't mentioned in any SK.

    I had time-based firewall rules, not just one but a couple of them, maybe close to 12 to 15 rules. But ideally, according to its limitations, SecureXL would be disabled from the rule where the time object is being used; theoretically it should not be "Disabled by firewall" but "Disabled from rule no. n".

    In my case these time-based rules had expired, so the moment I disabled all these expired rules and pushed policy, voila, I see Accept Templates enabled :)

    Still, I see that 80% of traffic is under PXL packets/Total packets according to fwaccel stats -s. Strangely I see that F2F is 0% and accelerated throughput and sessions are hardly around 35 to 40%, which is OK at the moment.

    Is there any way to reduce traffic going through partial acceleration and improve full and thorough acceleration with proper templates?

  #6 ShadowPeak.com (Join Date 2009-04-30, Colorado, USA, Posts 2,233): Re: SecureXL getting disabled

    Quote Originally Posted by udupik:
    So I did some more research to enable SecureXL. Here's what I found out; I am not sure if this is documented anywhere, at least as far as I know it isn't mentioned in any SK.

    I had time-based firewall rules, not just one but a couple of them, maybe close to 12 to 15 rules. But ideally, according to its limitations, SecureXL would be disabled from the rule where the time object is being used; theoretically it should not be "Disabled by firewall" but "Disabled from rule no. n".

    In my case these time-based rules had expired, so the moment I disabled all these expired rules and pushed policy, voila, I see Accept Templates enabled :)
    Yep, time objects will disable SecureXL templating in the rule base. So it sounds like you are in good shape with the Session Rate Acceleration portion of SecureXL.

    Still, I see that 80% of traffic is under PXL packets/Total packets according to fwaccel stats -s. Strangely I see that F2F is 0% and accelerated throughput and sessions are hardly around 35 to 40%, which is OK at the moment.

    Is there any way to reduce traffic going through partial acceleration and improve full and thorough acceleration with proper templates?
    Maybe, please post the output of command "enabled_blades" on R75.47+ or "enabled_blades.sh" on R75.46 and earlier firewalls. Certain blades (especially IPS) tend to pull large amounts of traffic into the Medium Path (PXL) and there are definitely some optimization techniques available depending on what combination of blades are enabled. The different paths (Accelerated/PPAK, Medium/PXL, and Firewall/F2F) are associated with the Throughput Acceleration function of SecureXL.

  #7 udupik (Join Date 2012-08-10, Posts 18): Re: SecureXL getting disabled

    Quote Originally Posted by ShadowPeak.com:
    Yep, time objects will disable SecureXL templating in the rule base. So it sounds like you are in good shape with the Session Rate Acceleration portion of SecureXL.

    Maybe, please post the output of command "enabled_blades" on R75.47+ or "enabled_blades.sh" on R75.46 and earlier firewalls. Certain blades (especially IPS) tend to pull large amounts of traffic into the Medium Path (PXL) and there are definitely some optimization techniques available depending on what combination of blades are enabled. The different paths (Accelerated/PPAK, Medium/PXL, and Firewall/F2F) are associated with the Throughput Acceleration function of SecureXL.
    Thanks for your suggestions!!! :)

    Here is the output you asked for: fw vpn ips

  #8 ShadowPeak.com (Join Date 2009-04-30, Colorado, USA, Posts 2,233): Re: SecureXL getting disabled

    Quote Originally Posted by udupik:
    Thanks for your suggestions!!! :)

    Here is the output you asked for: fw vpn ips
    In that case the IPS is probably causing 80% of your traffic to go into the Medium Path. Any IPS Signature with a Performance Ranking of Medium or higher will cause traffic to be pulled into the Medium Path and/or Firewall Path. The "Default_Protection" IPS Profile as it is shipped should allow almost all traffic to take the Accelerated Path (assuming the signatures in that profile have not been modified from their defaults). Try bringing up the Protection list under the IPS tab and sort it by Performance Impact, see if there are any signatures you can set to Inactive with a Critical, High, or Medium Performance Impact. Setting Detect will do no good as far as acceleration is concerned, only Inactive will help.

  #9 udupik (Join Date 2012-08-10, Posts 18): Re: SecureXL getting disabled

    Quote Originally Posted by ShadowPeak.com:
    In that case the IPS is probably causing 80% of your traffic to go into the Medium Path. Any IPS Signature with a Performance Ranking of Medium or higher will cause traffic to be pulled into the Medium Path and/or Firewall Path. The "Default_Protection" IPS Profile as it is shipped should allow almost all traffic to take the Accelerated Path (assuming the signatures in that profile have not been modified from their defaults). Try bringing up the Protection list under the IPS tab and sort it by Performance Impact, see if there are any signatures you can set to Inactive with a Critical, High, or Medium Performance Impact. Setting Detect will do no good as far as acceleration is concerned, only Inactive will help.
    Thanks for your valuable suggestions.

    I did verify the IPS profile, we are currently using Default protection. No changes done to the profile.

    What I see as per the logs is lots of traffic being inspected by Geo Protection and SMTP signatures, so the possibility of me making any changes to the IPS policy is very low.

  #10 ShadowPeak.com (Join Date 2009-04-30, Colorado, USA, Posts 2,233): Re: SecureXL getting disabled

    Quote Originally Posted by udupik:
    Thanks for your valuable suggestions.

    I did verify the IPS profile, we are currently using Default protection. No changes done to the profile.

    What I see as per the logs is lots of traffic being inspected by Geo Protection and SMTP signatures, so the possibility of me making any changes to the IPS policy is very low.
    To conclusively identify if it is the IPS, you can uncheck the IPS box on the gateway and reinstall policy. Then run:

    fwaccel stats -r (resets statistics)
    (pass a bunch of traffic)
    fwaccel stats -s

    If almost everything goes Accelerated Path (pkts not conns in fwaccel stats -s) at that point you have your answer. Geo Protection is fully handled in the Accelerated Path and should not force traffic into the Medium Path. Once again go to the Protections screen and ensure you have no signatures active in Default_Protection with a Performance Impact of Medium/High/Critical since if you have even one of these active it can cause a big shift into the Medium Path. About half of the signatures dealing with SMTP are Medium impact or higher so I'd start there.
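The measurement described in post #10 (reset the counters, pass traffic, then judge by packets rather than connections), as an added example that is not part of the thread and not a Check Point tool: a POSIX shell script that parses the path lines of fwaccel stats -s and reports what share of packets took the Accelerated, Medium (PXL) and Firewall (F2F) paths, flagging the case where the Medium Path dominates. The sample output embedded in the script is constructed to approximate the R77-era format with invented numbers; the line labels (Accelerated, F2Fed, PXL, QXL) and the function names are assumptions of this example, so check them against your gateway's real output before relying on the script.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point.
# Parse 'fwaccel stats -s' output and report the packet share per SecureXL path.

# Constructed sample: approximates the R77.x output format, numbers invented.
SAMPLE_STATS='Accelerated conns/Total conns : 3120/8000 (39%)
Accelerated pkts/Total pkts   : 350000/1000000 (35%)
F2Fed pkts/Total pkts   : 2000/1000000 (0%)
PXL pkts/Total pkts   : 648000/1000000 (64%)
QXL pkts/Total pkts   : 0/1000000 (0%)'

# share LABEL UNIT TEXT -> integer percent of UNIT (pkts or conns) on path LABEL.
# LABEL is the first word of the line (Accelerated, F2Fed, PXL, QXL); the
# percentage is recomputed from the raw counters, not read from the "(nn%)".
share() {
    printf '%s\n' "$3" | awk -v want="$1" -v unit="$2/Total" '
        $1 == want && $2 == unit {
            split($5, n, "/")
            if (n[2] > 0) printf "%d\n", (n[1] * 100) / n[2]; else print 0
            exit
        }'
}

# report TEXT -> one summary line; returns 1 when the Medium Path carries
# at least half the packets (post #10: judge by pkts, not conns).
report() {
    conns=$(share Accelerated conns "$1")
    acc=$(share Accelerated pkts "$1")
    pxl=$(share PXL pkts "$1")
    f2f=$(share F2Fed pkts "$1")
    echo "Accelerated conns: ${conns:-?}%  Accelerated pkts: ${acc:-?}%  PXL pkts: ${pxl:-?}%  F2F pkts: ${f2f:-?}%"
    if [ "${pxl:-0}" -ge 50 ]; then
        echo "Medium Path dominates: look for active IPS protections with Performance Impact Medium or higher"
        return 1
    fi
    return 0
}

# On a gateway, in expert mode, the live sequence from post #10 would be:
#   fwaccel stats -r; <pass traffic>; report "$(fwaccel stats -s)"
report "$SAMPLE_STATS" || true
```

Run it on the live output once after fwaccel stats -r, and again after disabling the IPS blade and reinstalling policy; a large drop in the PXL share between the two runs is the confirmation post #10 asks for.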

  #11 mjensen (Join Date 2018-04-18, Posts 41): Re: SecureXL getting disabled

    Good Morning,

    I am having a similar issue where SecureXL accept templates are being disabled by my firewall rule # 15, however I am not able to determine exactly what in that rule is the cause.

    [attached screenshot: fw rule 15.jpg]

    I have attached a screen shot of the rule.

    I have tried removing the icmp services, http, and ftp services and the accept templates are still being disabled by this rule.

  #12 ShadowPeak.com (Join Date 2009-04-30, Colorado, USA, Posts 2,233): Re: SecureXL getting disabled

    Quote Originally Posted by mjensen (post #11, quoted in full)
    Remove Snmp-read-only and icmp-proto. Could also be port 135 service if protocol type is RPC/DCE.
    Last edited by ShadowPeak.com; 2018-07-17 at 12:49.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  #13 (Join Date 2006-07-28, San Francisco, USA, Posts 2,492): Re: SecureXL getting disabled

    Just as an aside, you should also remove snmp-trap. Managed nodes send SNMP traps *to* the monitoring system, not the other way around.

  #14 mjensen (Join Date 2018-04-18, Posts 41): Re: SecureXL getting disabled

    Good Morning,

    I removed the following services from the rule in question: snmp-read-only, icmp-proto, and snmp-trap. Accept Templates now show enabled. I left TCP 135 for now and will monitor to see if the Accept Templates status changes.


    Expert@msgcu-intfw1:0]# fwaccel stat
    Accelerator Status : on
    Accept Templates : enabled
    Drop Templates : disabled
    NAT Templates : disabled by user

    Accelerator Features : Accounting, NAT, Cryptography, Routing,
    HasClock, Templates, Synchronous, IdleDetection,
    Sequencing, TcpStateDetect, AutoExpire,
    DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
    WireMode, DropTemplates, NatTemplates,
    Streaming, MultiFW, AntiSpoofing, Nac,
    ViolationStats, AsychronicNotif, ERDOS,
    NAT64, GTPAcceleration, SCTPAcceleration,
    McastRoutingV2
    Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
    3DES, DES, CAST, CAST-40, AES-128, AES-256,
    ESP, LinkSelection, DynamicVPN, NatTraversal,
    EncRouting, AES-XCBC, SHA256
    [Expert@msgcu-intfw1:0]#

  #15 mjensen (Join Date 2018-04-18, Posts 41): Re: SecureXL getting disabled

    Hello,

    I have different Security Gateway running R77.30 that shows Accept Templates are disabled from rule # 6 and disabled by IPS protections: storm center.

    I have attached a screen shot of rule # 6. I am not sure if it is safe to remove any of the services since this rule is being used for a VPN.

    For the IPS protection disabling Accept Templates I am assuming I just need to find the "storm center" definition and turn it off?

    Thank you.

    [Expert@MAIN-EXT-FWA:0]# fwaccel stat
    Accelerator Status : on
    Accept Templates : disabled by Firewall
    disabled from rule #6
    disabled by IPS protections: storm center
    Drop Templates : disabled
    NAT Templates : disabled by user

    Accelerator Features : Accounting, NAT, Cryptography, Routing,
    HasClock, Templates, Synchronous, IdleDetection,
    Sequencing, TcpStateDetect, AutoExpire,
    DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
    WireMode, DropTemplates, NatTemplates,
    Streaming, MultiFW, AntiSpoofing, Nac,
    ViolationStats, AsychronicNotif, ERDOS,
    NAT64, GTPAcceleration, SCTPAcceleration,
    McastRoutingV2
    Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
    3DES, DES, CAST, CAST-40, AES-128, AES-256,
    ESP, LinkSelection, DynamicVPN, NatTraversal,
    EncRouting, AES-XCBC, SHA256
    [Expert@MAIN-EXT-FWA:0]#

    [attached screenshot: external fw accept template.jpg]

  #16 ShadowPeak.com (Join Date 2009-04-30, Colorado, USA, Posts 2,233): Re: SecureXL getting disabled

    Quote Originally Posted by mjensen (post #15, quoted in full)
    sip_dynamic_ports is the service halting SecureXL templating. Try searching for that service in your traffic logs, if you see connections being logged with that service name you probably can't remove it without breaking something. If you can't remove it, try moving this entire rule as far down in your rule base as possible. You can also remove the offending service from this rule, then create a copy of this rule as far down in the rule base as possible with everything the same except the service is only set to "sip_dynamic_ports" with no other ones. I call this technique "splitting rules" in my book, page 381 in the second edition.

    The "disabled by IPS protections: storm center" issue can be remediated by setting that IPS signature to inactive.

    After doing these two things your templating should be able to get much further through your rule base, let us know what happens.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
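A check for the Accept Templates states seen in this thread, added here as an example rather than code from the thread or from Check Point: a POSIX shell script that pulls the Accept Templates state, the rule number that stops templating, and the IPS protection that stops it out of fwaccel stat output, so the condition can be alerted on from a cron job or monitoring agent instead of being spotted by reading the screen after a policy push. The two samples embedded in the script are the template lines from the fwaccel stat listings in posts #14 and #15, with the feature lists dropped; the function names and the remediation hints in the output are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point.
# Parse 'fwaccel stat' and explain why Accept Templates are off.

# Samples taken from the two fwaccel stat listings in this thread (posts #14
# and #15), with the Accelerator/Cryptography Features lines removed.
STAT_OK='Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : disabled by user'

STAT_BAD='Accelerator Status : on
Accept Templates : disabled by Firewall
disabled from rule #6
disabled by IPS protections: storm center
Drop Templates : disabled
NAT Templates : disabled by user'

# accept_templates TEXT -> value after "Accept Templates :" (e.g. "enabled",
# "disabled by Firewall")
accept_templates() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Accept Templates[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# blocking_rule TEXT -> number of the rule that stops templating, or empty
blocking_rule() {
    printf '%s\n' "$1" | sed -n 's/.*disabled from rule #\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# blocking_ips TEXT -> name of the IPS protection that stops templating, or empty
blocking_ips() {
    printf '%s\n' "$1" | sed -n 's/.*disabled by IPS protections:[[:space:]]*//p' | head -n 1
}

# check_templates TEXT -> prints a verdict; exit 0 if templates are enabled,
# 1 otherwise (suitable as a monitoring check).
check_templates() {
    state=$(accept_templates "$1")
    case "$state" in
        enabled)
            echo "OK: Accept Templates enabled"
            return 0 ;;
        *)
            echo "WARN: Accept Templates ${state:-not reported}"
            r=$(blocking_rule "$1")
            [ -n "$r" ] && echo "  rule #$r stops templating: remove the offending service/time object or split the rule and move it down"
            p=$(blocking_ips "$1")
            [ -n "$p" ] && echo "  IPS protection '$p' stops templating: set it to Inactive (Detect does not help)"
            return 1 ;;
    esac
}

# On a gateway, in expert mode: check_templates "$(fwaccel stat)"
check_templates "$STAT_OK"
check_templates "$STAT_BAD" || true
```

The rule number it extracts is the one to inspect in SmartDashboard; if the service found there cannot be removed, the rule-splitting technique from post #16 (a copy of the rule far down the rule base carrying only the offending service) keeps templating alive for everything above it.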
