CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Secure XL -- Some doubts

  1. #1
    Secure XL -- Some doubts

    Hi All,

    I was studying SecureXL. I went through some show commands for SecureXL. I need to understand if SecureXL automatically creates the template for the new connection or if there is a way to create manual templates for specific services. For what services are templates created?

    I didn't understand the drop template. What exactly does it mean?

    I am going deeper to understand SecureXL. I will post more in case I get stuck somewhere.

    Thanks for always helping and guiding me.

  2. #2
    Re: Secure XL -- Some doubts

    Originally posted by ankda14:
    > Hi All,
    >
    > I was studying SecureXL. I went through some show commands for SecureXL. I need to understand if SecureXL automatically creates the template for the new connection or if there is a way to create manual templates for specific services. For what services are templates created?

    You are talking about "Accept templates" here; these are dynamically formed in SecureXL to save the overhead of a full rulebase lookup for repeated connections having only one attribute that is different (usually the source port number). You can't add these manually, at least as far as I know. I feel that SecureXL Accept templating in this regard is kind of on its way out in R80.10 gateway and later, due to the new Column-based Matching process that now occurs when finding a rule match in the various policy layers.

    > I didn't understand the drop template. What exactly does it mean?

    Drop templates allow SecureXL to drop offending traffic (like a flood or other attacks) while consuming a minimal amount of CPU overhead. Drop templates can be added manually with the sim dropcfg command, and these can also be dynamically formed on the fly if "Drop Optimization" is enabled on the Optimizations screen of a gateway/cluster object, and a certain threshold of excessive drops is reached for a particular source IP address.

    > I am going deeper to understand SecureXL. I will post more in case I get stuck somewhere.
    >
    > Thanks for always helping and guiding me.

    My book is probably the best resource to learn about SecureXL, but there are also many great documents and SecureKnowledge articles about SecureXL at Check Point's website. However, these documents/articles are written like reference guides while my book tries to introduce SecureXL concepts in a more step-by-step, easily digestible fashion.

    Just as a heads up, it would appear that SecureXL in R80.20 has been extensively retooled (and major parts of it may have been completely rewritten) for the new Falcon accelerator cards and the Linux 3.5 kernel update. Looks like the biggest overhaul for SecureXL since at least R77, and perhaps even since its 2004 inception in the NG w/ AI (R54) release. The R80.20 addendum for the second edition of my book is going to be rather lengthy it would seem...
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
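
The accept and drop template behaviour described in reply #2, as an added example that is not part of the original thread and is not Check Point code: a simplified Python model in which the first connection pays for a full rulebase lookup and later connections that differ only in source port hit a template. The rulebase, the addresses and the `DROP_THRESHOLD` value are constructed assumptions.

```python
from collections import Counter

# Constructed first-match rulebase: (source prefix, dst, dport, action); None = any.
RULES = [
    ("10.1.1.", "192.0.2.10", 443, "accept"),
    ("", None, None, "drop"),  # cleanup rule
]
DROP_THRESHOLD = 3  # assumed value; the thread does not give the real threshold


class Gateway:
    """Toy model of template lookups; not Check Point's implementation."""

    def __init__(self):
        self.accept_templates = set()  # (src, dst, dport): source port is wildcarded
        self.drop_templates = set()    # source IPs dropped without a rulebase lookup
        self.drops_by_src = Counter()
        self.stats = Counter()

    def rulebase_lookup(self, src, dst, dport):
        self.stats["full_lookup"] += 1
        for prefix, r_dst, r_dport, action in RULES:
            if src.startswith(prefix) and r_dst in (None, dst) and r_dport in (None, dport):
                return action
        return "drop"

    def new_connection(self, src, sport, dst, dport):
        if src in self.drop_templates:
            self.stats["drop_template_hit"] += 1
            return "drop"
        key = (src, dst, dport)  # sport is deliberately left out of the key
        if key in self.accept_templates:
            self.stats["accept_template_hit"] += 1
            return "accept"
        action = self.rulebase_lookup(src, dst, dport)
        if action == "accept":
            self.accept_templates.add(key)
        else:
            self.drops_by_src[src] += 1
            if self.drops_by_src[src] >= DROP_THRESHOLD:
                self.drop_templates.add(src)  # formed on the fly
        return action


def demo():
    gw = Gateway()
    for sport in range(40000, 40005):   # 5 allowed connections, new source port each
        gw.new_connection("10.1.1.5", sport, "192.0.2.10", 443)
    for sport in range(50000, 50006):   # 6 denied connections from one source
        gw.new_connection("203.0.113.9", sport, "192.0.2.10", 23)
    return dict(gw.stats)
```

Eleven connections cost four full rulebase lookups in this model; the rest are answered from templates.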
