performance tuning r80.40 administration guide · 2020. 6. 30. · tableofcontents...

[Classification:Protected]

23 January 2020

PERFORMANCE TUNING

R80.40

Administration Guide

Check Point Copyright Notice©2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributedunder licensing restricting their use, copying, distribution, and decompilation. No part of this product orrelated documentation may be reproduced in any form or by any means without prior written authorizationof Check Point. While every precaution has been taken in the preparation of this book, Check Pointassumes no responsibility for errors or omissions. This publication and features described herein aresubject to change without notice.

RESTRICTEDRIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR52.227-19.

TRADEMARKS:

Refer to the Copyright page for a list of our trademarks.

Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.

https://www.checkpoint.com/copyright/https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/

Performance Tuning R80.40 Administration Guide

Performance Tuning R80.40 Administration Guide | 3

Important InformationLatest Software

We recommend that you install the most recent software release to stay up-to-date with thelatest functional improvements, stability fixes, security enhancements and protectionagainst new and evolving attacks.

Certifications

For third party independent certification of Check Point products, see the Check PointCertifications page.

Check Point R80.40

For more about this release, see the R80.40 home page.

Latest Version of this Document

Open the latest version of this document in aWeb browser.

Download the latest version of this document in PDF format.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments.

Revision History

Date Description

23 January 2020 First release of this document

https://www.checkpoint.com/products-solutions/certified-check-point-solutions/https://www.checkpoint.com/products-solutions/certified-check-point-solutions/http://supportcontent.checkpoint.com/solutions?id=sk160736https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_PerformanceTuning_AdminGuide/Default.htmhttp://downloads.checkpoint.com/dc/download.htm?ID=96088mailto:[email protected]?subject=Feedback on Performance Tuning R80.40 Administration Guide

Table of Contents


Table of ContentsGlossary 11

Introduction to Performance Tuning 23

SecureXL 24

Accelerated Features 25

Packet Flow 26

Connection Templates 29

Policy Installation Acceleration 30

Scalable Performance 31

Configuring SecureXL 32

Analyzing the Accelerated Traffic 35

Rate Limiting for DoSMitigation 36

Introduction 36

Monitoring Events Related to DoSMitigation 36

Accelerated SYNDefender 38

Introduction 38

Command Line Interface 39

Configuring the 'SYN Attack' protection in SmartConsole 39

SecureXL Commands and Debug 41

Syntax Legend 42

'fwaccel' and 'fwaccel6' 44

fwaccel cfg 47

fwaccel conns 50

fwaccel dbg 54

fwaccel dos 60

fwaccel dos blacklist 62

fwaccel dos config 64

fwaccel dos pbox 70

fwaccel dos rate 75

fwaccel dos stats 77

fwaccel dos whitelist 79

Table of Contents


fwaccel feature 84

fwaccel off 87

fwaccel on 91

fwaccel ranges 95

fwaccel stat 101

fwaccel stats 107

Description of the Statistics Counters in the "fwaccel stats" Output 109

Example Outputs on the "fwaccel stats" Commands 115

fwaccel synatk 130

fwaccel synatk -a 133

fwaccel synatk -c 134

fwaccel synatk -d 135

fwaccel synatk -e 136

fwaccel synatk -g 137

fwaccel synatk -m 138

fwaccel synatk -t 139

fwaccel synatk config 140

fwaccel synatk monitor 143

fwaccel synatk state 148

fwaccel synatk whitelist 150

fwaccel tab 155

fwaccel templates 159

fwaccel ver 163

'sim' and 'sim6' 164

sim affinity 166

sim affinityload 169

sim enable_aesni 170

sim if 171

sim nonaccel 175

sim ver 177

fw monitor 178

fw sam_policy 208

fw sam_policy add 211

Table of Contents


fw sam_policy batch 224

fw sam_policy del 226

fw sam_policy get 229

The /proc/ppk/ and /proc/ppk6/ entries 233

/proc/ppk/affinity 235

/proc/ppk/conf 236

/proc/ppk/conns 237

/proc/ppk/cpls 238

/proc/ppk/cqstats 239

/proc/ppk/drop_statistics 240

/proc/ppk/ifs 241

/proc/ppk/mcast_statistics 245

/proc/ppk/nac 246

/proc/ppk/notify_statistics 247

/proc/ppk/profile_cpu_stat 248

/proc/ppk/rlc 249

/proc/ppk/statistics 250

/proc/ppk/stats 252

/proc/ppk/viol_statistics 253

SecureXL Debug 254

fwaccel dbg 255

SecureXL Debug Procedure 261

SecureXL Debug Modules and Debug Flags 265

CoreXL 279

Enabling and Disabling CoreXL 280

Default Configuration of CoreXL 281

Configuring IPv4 and IPv6 CoreXL Firewall instances 283

IPv4 and IPv6 CoreXL Firewall Instances 283

Configuring the Number of IPv4 CoreXL Firewall Instances 285

Configuring the Number of IPv6 CoreXL Firewall Instances 286

Example CoreXL Configuration 287

CoreXL Unsupported Features 289

Configuring Affinity Settings 290

Table of Contents


Introduction 290

The $FWDIR/conf/fwaffinity.conf Configuration File 290

The $FWDIR/scripts/fwaffinity_apply Script 292

Affinity Settings for 16000 and 26000 Appliances 293

Performance Tuning 297

Allocation of Processing CPUCores 298

Adding Processing CPUCores to the Hardware 299

Allocating Additional CPUCores to the CoreXL SND 300

Allocating a CPUCore for Heavy Logging 301

Setting Affinities for Interfaces on the Host Security Appliance 303

Dynamic Split of CoreXL Instances 305

Introduction 305

Syntax 306

Monitoring 308

CoreXL Commands 310

Syntax Legend 311

cp_conf corexl 313

cpconfig 315

fw ctl multik 318

fw ctl multik add_bypass_port 321

fw ctl multik del_bypass_port 323

fw ctl multik dynamic_dispatching 325

fw ctl multik gconn 326

fw ctl multik get_instance 331

fw ctl multik print_heavy_conn 333

fw ctl multik prioq 335

fw ctl multik show_bypass_ports 336

fw ctl multik stat 337

fw ctl multik start 339

fw ctl multik stop 340

fw ctl multik utilize 341

fw ctl affinity 342

Running the 'fw ctl affinity -l' command in Gateway Mode 343

Table of Contents


Running the 'fw ctl affinity -l' command in VSXMode 347

Running the 'fw ctl affinity -s' command in Gateway Mode 350

Running the 'fw ctl affinity -s' command in VSXMode 354

fw -i 358

fwboot bootconf 359

fwboot corexl 363

fwboot cpuid 370

fwboot ht 372

fwboot multik_reg 375

fwboot post_drv 377

Multi-Queue 378

Introduction to Multiple Traffic Queues 378

Multi-Queue Requirements and Limitations 378

Deciding Whether to Enable the Multi-Queue 379

Multi-Queue Administration 383

Multi-Queue Basic Configuration 384

Multi-Queue Special Scenarios and Configurations 387

Default Number of Active RXQueues 388

Gateway Mode 388

VSXMode 388

Changing the Status of an Interface with Enabled Multi-Queue 389

Adding a Network Interface 390

Changing the Affinity of CoreXL Firewall instances 391

Processing Packets that Arrive in the Wrong Order on an Interface that Works in Monitor Mode 392

Multi-Queue Troubleshooting 393

CPView 395

Overview of CPView 395

CPView User Interface 395

Using CPView 396

Command Line Reference 397

Working with Kernel Parameters on Security Gateway 398

Introduction to Kernel Parameters 399

Firewall Kernel Parameters 400

Table of Contents


Working with Integer Kernel Parameters 401

Working with String Kernel Parameters 406

SecureXL Kernel Parameters 409

Kernel Debug on Security Gateway 413

Kernel Debug Syntax 414

Kernel Debug Filters 423

Kernel Debug Procedure 428

Kernel Debug Procedure with Connection Life Cycle 431

Kernel Debug Modules and Debug Flags 438

Module 'accel_apps' (Accelerated Applications) 440

Module 'accel_pm_mgr' (Accelerated Pattern Match Manager) 441

Module 'APPI' (Application Control Inspection) 442

Module 'BOA' (Boolean Analyzer for Web Intelligence) 443

Module 'CI' (Content Inspection) 444

Module 'cluster' (ClusterXL) 446

Module 'cmi_loader' (Context Management Interface / Infrastructure Loader) 448

Module 'CPAS' (Check Point Active Streaming) 449

Module 'cpcode' (Data Loss Prevention - CPcode) 450

Module 'CPSSH' (SSH Inspection) 451

Module 'crypto' (SSL Inspection) 453

Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness) 454

Module 'dlpk' (Data Loss Prevention - Kernel Space) 456

Module 'dlpuk' (Data Loss Prevention - User Space) 457

Module 'DOMO' (Domain Objects) 458

Module 'fg' (FloodGate-1 - QoS) 459

Module 'FILE_SECURITY' (File Inspection) 461

Module 'FILEAPP' (File Application) 462

Module 'fw' (Firewall) 463

Module 'gtp' (GPRSTunneling Protocol) 470

Module 'h323' (VoIP H.323) 471

Module 'ICAP_CLIENT' (Internet Content Adaptation Protocol Client) 472

Module 'IDAPI' (Identity Awareness API) 474

Module 'kiss' (Kernel Infrastructure) 475

Table of Contents


Module 'kissflow' (Kernel Infrastructure Flow) 478

Module 'MALWARE' (Threat Prevention) 479

Module 'multik' (Multi-Kernel Inspection - CoreXL) 480

Module 'MUX' (Multiplexer for Applications Traffic) 482

Module 'NRB' (Next Rule Base) 484

Module 'PSL' (Passive Streaming Library) 486

Module 'RAD_KERNEL' (Resource Advisor - Kernel Space) 487

Module 'RTM' (Real Time Monitoring) 488

Module 'seqvalid' (TCPSequence Validator and Translator) 490

Module 'SFT' (Stream File Type) 491

Module 'SGEN' (Struct Generator) 492

Module 'synatk' (Accelerated SYNDefender) 493

Module 'UC' (UserCheck) 494

Module 'UP' (Unified Policy) 495

Module 'upconv' (Unified Policy Conversion) 497

Module 'UPIS' (Unified Policy Infrastructure) 498

Module 'VPN' (Site-to-Site VPN and Remote Access VPN) 500

Module 'WS' (Web Intelligence) 502

Module 'WS_SIP' (Web Intelligence VoIP SIP Parser) 505

Module 'WSIS' (Web Intelligence Infrastructure) 507

Glossary


GlossaryA

Accelerated PathPacket flow on the Host appliance, when the packet is completely handled by theSecureXL device. It is processed and forwarded to the network.

AdministratorA user with permissions to manage Check Point security products and the networkenvironment.

AffinityThe assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface,user space process, or IRQ to one or more specified CPU cores.

APIIn computer programming, an application programming interface (API) is a set ofsubroutine definitions, protocols, and tools for building application software. In generalterms, it is a set of clearly defined methods of communication between various softwarecomponents.

ApplianceA physical computer manufactured and distributed by Check Point.

B

BondA virtual interface that contains (enslaves) two or more physical interfaces forredundancy and load sharing. The physical interfaces share one IP address and oneMAC address. See "Link Aggregation".

BondingSee "Link Aggregation".

Glossary


Bridge ModeA Security Gateway or Virtual System that works as a Layer 2 bridge device for easydeployment in an existing topology.

C

CACertificate Authority. Issues certificates to gateways, users, or computers, to identifyitself to connecting entities with Distinguished Name, public key, and sometimes IPaddress. After certificate validation, entities can send encrypted data using the publickeys in the certificates.

CertificateAn electronic document that uses a digital signature to bind a cryptographic public keyto a specific identity. The identity can be an individual, organization, or software entity.The certificate is used to authenticate one identity to another.

ClusterTwo or more Security Gateways that work together in a redundant configuration - HighAvailability, or Load Sharing.

Cluster MemberA Security Gateway that is part of a cluster.

CoreXLA performance-enhancing technology for Security Gateways on multi-core processingplatforms. Multiple Check Point Firewall instances are running in parallel on multipleCPU cores.

CoreXL Dynamic DispatcherImproved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXLFirewall instances. Traffic distribution between CoreXL Firewall instances isdynamically based on the utilization of CPU cores, on which the CoreXL Firewallinstances are running. The dynamic decision is made for first packets of connections, byassigning each of the CoreXL Firewall instances a rank, and selecting the CoreXLFirewall instance with the lowest rank. The rank for each CoreXL Firewall instance iscalculated according to its CPU utilization. The higher the CPU utilization, the higherthe CoreXL Firewall instance's rank is, hence this CoreXL Firewall instance is lesslikely to be selected by the CoreXL SND. See sk105261.

Glossary


CoreXL Firewall InstanceAlso CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewallkernel is copied multiple times. Each replicated copy, or firewall instance, runs on oneprocessing CPU core. These firewall instances handle traffic at the same time, andeach firewall instance is a complete and independent firewall inspection kernel.

CoreXL SNDSecure Network Distributer. Part of CoreXL that is responsible for: Processing incomingtraffic from the network interfaces; Securely accelerating authorized packets (ifSecureXL is enabled); Distributing non-accelerated packets between Firewall kernelinstances (SND maintains global dispatching table, which maps connections that wereassigned to CoreXL Firewall instances). Traffic distribution between CoreXL Firewallinstances is statically based on Source IP addresses, Destination IP addresses, and theIP 'Protocol' type. The CoreXL SND does not really "touch" packets. The decision tostick to a particular FWK daemon is done at the first packet of connection on a very highlevel, before anything else. Depending on the SecureXL settings, and in most of thecases, the SecureXL can be offloading decryption calculations. However, in some othercases, such as with Route-Based VPN, it is done by FWK daemon.

CPUSECheck Point Upgrade Service Engine for Gaia Operating System. With CPUSE, youcan automatically update Check Point products for the Gaia OS, and the Gaia OS itself.For details, see sk92449.

D

DAIP GatewayA Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where theIP address of the external interface is assigned dynamically by the ISP.

Data TypeA classification of data. The Firewall classifies incoming and outgoing traffic accordingto Data Types, and enforces the Policy accordingly.

DatabaseThe Check Point database includes all objects, including network objects, users,services, servers, and protection profiles.

Distributed DeploymentThe Check Point Security Gateway and Security Management Server products aredeployed on different computers.

Glossary


DomainA network or a collection of networks related to an entity, such as a company, businessunit or geographical location.

Domain Log ServerA Log Server for a specified Domain. It stores and processes logs from SecurityGateways that are managed by the corresponding Domain Management Server.Acronym: DLS.

Domain Management ServerA virtual Security Management Server that manages Security Gateways for oneDomain, as part of a Multi-Domain Security Management environment. Acronym: DMS.

E

Expert ModeThe name of the full command line shell that gives full system root permissions in theCheck Point Gaia operating system.

External NetworkComputers and networks that are outside of the protected network.

External UsersUsers defined on external servers. External users are not defined in the SecurityManagement Server database or on an LDAP server. External user profiles tell thesystem how to identify and authenticate externally defined users.

F

F2FDenotes non-VPN connections that SecureXL forwarded to firewall. See "FirewallPath".

FirewallThe software and hardware that protects a computer network by analyzing the incomingand outgoing network traffic (packets).

Glossary


Firewall PathAlso Slow Path. Packet flow on the Host Security Appliance, when the SecureXLdevice is unable to process the packet (see sk32578). The packet is passed to theCoreXL layer and then to one of the CoreXL Firewall instances for full processing. Thispath also processes all packets when SecureXL is disabled.

G

GaiaCheck Point security operating system that combines the strengths of bothSecurePlatform and IPSO operating systems.

Gaia ClishThe name of the default command line shell in Check Point Gaia operating system. Thisis a restrictive shell (role-based administration controls the number of commandsavailable in the shell).

Gaia PortalWeb interface for Check Point Gaia operating system.

H

HotfixA piece of software installed on top of the current software in order to fix some wrong orundesired behavior.

I

ICAInternal Certificate Authority. A component on Check Point Management Server thatissues certificates for authentication.

Internal NetworkComputers and resources protected by the Firewall and accessed by authenticatedusers.

Glossary


IPv4Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, eachset can be from 0 - 255. For example, 192.168.2.1.

IPv6Internet Protocol Version 6 (see RFC 2460 and RFC 3513). 128-bit number - 8 sets ofhexadecimal numbers, each set can be from 0 - ffff. For example,FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.

IRQ AffinityA state of binding an IRQ to one or more CPU cores.

J

Jumbo Hotfix AccumulatorCollection of hotfixes combined into a single package. Acronyms: JHA, JHF.

L

Link AggregationVarious methods of combining (aggregating) multiple network connections in parallel toincrease throughput beyond what a single connection could sustain, and to provideredundancy in case one of the links should fail.

LogA record of an action that is done by a Software Blade.

Log ServerA dedicated Check Point computer that runs Check Point software to store and processlogs in Security Management Server or Multi-Domain Security Managementenvironment.

Glossary


M

Management High AvailabilityDeployment and configuration mode of two Check Point Management Servers, in whichthey automatically synchronize the management databases with each other. In thismode, one Management Server is Active, and the other is Standby. Acronyms:Management HA, MGMT HA.

Management InterfaceInterface on Gaia computer, through which users connect to Portal or CLI. Interface on aGaia Security Gateway or Cluster member, through which Management Serverconnects to the Security Gateway or Cluster member.

Management ServerA Check Point Security Management Server or a Multi-Domain Server.

Medium Path (PXL)Packet flow on the Host Security Appliance, when the packet is handled by theSecureXL device. The CoreXL layer passes the packet to one of the CoreXL Firewallinstances to process it. Even when CoreXL is disabled, the SecureXL uses the CoreXLinfrastructure to send the packet to the single CoreXL Firewall instance that stillfunctions. When the Medium Path is available, the SecureXL fully accelerates the TCPhandshake. Rule Base match is achieved for the first packet through an existingconnection acceleration template. The SecureXL also fully accelerates the TCP [SYN-ACK] and TCP [ACK] packets. However, once data starts to flow, to stream it for ContentInspection, an FWK instance now handles the packets. The SecureXL sends allpackets that contain data to FWK for data extraction in order to build the data stream.Only the SecureXL handles the TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets,because they do not contain data that needs to be streamed. This path is available onlywhen CoreXL is enabled. Exceptions are: IPS (some protections); VPN (in someconfigurations); Application Control; Content Awareness; Anti-Virus; Anti-Bot; HTTPSInspection; Proxy mode; Mobile Access; VoIP; Web Portals.

Multi-Domain Log ServerA computer that runs Check Point software to store and process logs in Multi-DomainSecurity Management environment. The Multi-Domain Log Server consists of DomainLog Servers that store and process logs from Security Gateways that are managed bythe corresponding Domain Management Servers. Acronym: MDLS.

Glossary


Multi-Domain Security ManagementA centralized management solution for large-scale, distributed environments with manydifferent Domain networks.

Multi-Domain ServerA computer that runs Check Point software to host virtual Security Management Serverscalled Domain Management Servers. Acronym: MDS.

Multi-QueueAn acceleration feature on Security Gateway that lets you assign more than one packetqueue and CPU core to an interface.

N

Network ObjectLogical representation of every part of corporate topology (physical machine, softwarecomponent, IP Address range, service, and so on).

O

Open ServerA physical computer manufactured and distributed by a company, other than CheckPoint.

P

Primary Multi-Domain ServerThe Multi-Domain Server in Management High Availability that you install as Primary.

Glossary


PSLPassive Streaming Library. Packets may arrive at Security Gateway out of order, or maybe legitimate retransmissions of packets that have not yet received an acknowledgment.In some cases, a retransmission may also be a deliberate attempt to evade IPSdetection by sending the malicious payload in the retransmission. Security Gatewayensures that only valid packets are allowed to proceed to destinations. It does this withthe Passive Streaming Library (PSL) technology. (1) The PSL is an infrastructure layer,which provides stream reassembly for TCP connections. (2) The Security Gatewaymakes sure that TCP data seen by the destination system is the same as seen by codeabove PSL. (3) The PSL handles packet reordering, congestion, and is responsible forvarious security aspects of the TCP layer, such as handling payload overlaps, someDoS attacks, and others. (4) The PSL is capable of receiving packets from the Firewallchain and from the SecureXL. (5) The PSL serves as a middleman between the varioussecurity applications and the network packets. It provides the applications with acoherent stream of data to work with, free of various network problems or attacks. (6)The PSL infrastructure is wrapped with well-defined APIs called the Unified StreamingAPIs, which are used by the applications to register and access streamed data. Formore details, see sk95193.

PSLXLTechnology name for combination of SecureXL and PSL (Passive Streaming Library) inR80.20 and higher versions. In R80.10 and lower versions, this technology was calledPXL (PacketXL).

PXLSee "PSLXL".

R

RuleA set of traffic parameters and other conditions in a Rule Base that cause specifiedactions to be taken for a communication session.

Rule BaseAlso Rulebase. All rules configured in a given Security Policy.

RX QueueReceive packet queue. See "Multi-Queue".

Glossary


S

Secondary Multi-Domain ServerThe Multi-Domain Server in Management High Availability that you install asSecondary.

SecureXLCheck Point product that accelerates IPv4 and IPv6 traffic. Installed on SecurityGateways for significant performance improvements.

Security GatewayA computer that runs Check Point software to inspect traffic and enforces SecurityPolicies for connected network resources.

Security Management ServerA computer that runs Check Point software to manage the objects and policies in CheckPoint environment.

Security PolicyA collection of rules that control network traffic and enforce organization guidelines fordata protection and access to resources with packet inspection.

SICSecure Internal Communication. The Check Point proprietary mechanism with whichCheck Point computers that run Check Point software authenticate each other overSSL, for secure communication. This authentication is based on the certificates issuedby the ICA on a Check Point Management Server.

Single Sign-OnA property of access control of multiple related, yet independent, software systems. Withthis property, a user logs in with a single ID and password to gain access to aconnected system or systems without using different usernames or passwords, or insome configurations seamlessly sign on at each system. This is typically accomplishedusing the Lightweight Directory Access Protocol (LDAP) and stored LDAP databaseson (directory) servers. Acronym: SSO.

Slow PathSee "Firewall Path".

Glossary


SmartConsoleA Check Point GUI application used to manage Security Policies, monitor products andevents, install updates, provision new devices and appliances, and manage a multi-domain environment and each domain.

SmartDashboardA legacy Check Point GUI client used to create and manage the security settings inR77.30 and lower versions.

Software BladeA software blade is a security solution based on specific business needs. Each blade isindependent, modular and centrally managed. To extend security, additional blades canbe quickly added.

SSOSee "Single Sign-On".

StandaloneA Check Point computer, on which both the Security Gateway and SecurityManagement Server products are installed and configured.

T

TrafficFlow of data between network devices.

TX queueTransmit packet queue. See "Multi-Queue".

U

UsersPersonnel authorized to use network resources and applications.

Glossary


V

VLANVirtual Local Area Network. Open servers or appliances connected to a virtual network,which are not physically connected to the same network.

VLAN TrunkA connection between two switches that contains multiple VLANs.

VSXVirtual System Extension. Check Point virtual networking solution, hosted on acomputer or cluster with virtual abstractions of Check Point Security Gateways andother network devices. These Virtual Devices provide the same functionality as theirphysical counterparts.

VSX GatewayPhysical server that hosts VSX virtual networks, including all Virtual Devices thatprovide the functionality of physical network devices. It holds at least one VirtualSystem, which is called VS0.

Introduction to Performance Tuning


Introduction to Performance TuningThere features improve the performance of Check Point Security Gateway:

n SecureXL - accelerates traffic (see "SecureXL" on page 24)

n CoreXL - runs multiple Firewall instances at the same time (see "CoreXL" on page 279)

n Multi-Queue - configures multiple traffic queues for each network interface (see "Multi-Queue" onpage 378)

SecureXL


SecureXLThis feature accelerates traffic that passes through Security Gateway.

Accelerated Features


Accelerated Featuresn Access Control

n Encryption

n NAT

n Software Blades

l Firewall

l IPS features

l Application Control

l URL Filtering

l Anti-Virus

l Anti-Bot

l Identity Awareness (SecureXL does not create templates for traffic from Identity Agents)

l VPN Site-to-Site

l HTTPS Inspection

l QoS

n Policy installation

n Accounting and logging

n Connection/session rate

n General security checks

n ClusterXL High Availability and Load Sharing

n TCPSequence Verification

n Dynamic VPN

n Passive streaming

n Active streaming

Packet Flow


Packet FlowThis is the general description of the packet flow through the Host Security Appliance:

Packet Flow


For additional information, see this thread on the Check Point CheckMates Community:

Packet Flow


https://community.checkpoint.com/docs/DOC-3041-r80x-security-gateway-architecture-logical-packet-flow

https://community.checkpoint.com/docs/DOC-3041-r80x-security-gateway-architecture-logical-packet-flowhttps://community.checkpoint.com/docs/DOC-3041-r80x-security-gateway-architecture-logical-packet-flow

Connection Templates


Connection TemplatesThe Connection Templates feature accelerates the speed, at which new connections from the samesource IP address to the same destination IP address and to the same destination port are established.

To achieve the maximum acceleration enhancement, only the Firewall on the Host Security Appliancecreates these Connection Templates from active connections according to the Rule Base.

Important - For the list of restrictions that apply to the Connection Templates, see sk32578.

http://supportcontent.checkpoint.com/solutions?id=sk32578

Policy Installation Acceleration


Policy Installation AccelerationAcceleration is enabled during policy installation.

SecureXL continues to run and stay enabled during a policy installation.

This decreases the load on the Security Gateway's CPU.

Scalable Performance


Scalable PerformanceR80.20 and higher versions include improved SecureXL scalability during high session rate.

As a result, there are no longer limitations on the number of CoreXL SND cores (see "CoreXL" onpage 279).

Configuring SecureXL


Configuring SecureXLThe Gaia First Time Configuration Wizard automatically installs and enables SecureXL on your SecurityGateway. No additional configuration is required.

Starting from R80.20, you can disable the SecureXL only temporarily.

The SecureXL starts automatically when you start Check Point services (with the cpstart command), orreboot the Security Gateway.

Important:

n Disable the SecureXL only for debug purposes, if Check Point Support explicitlyinstructs you to do so.

n If you disable the SecureXL, this change does not survive reboot.

SecureXL remains disabled until you enable it again on-the-fly, or reboot theSecurity Gateway.

n If you disable the SecureXL, this change applies only to new connections thatarrive after you disabled the acceleration.

SecureXL continues to accelerate the connections that are already accelerated.

Other non-connection oriented processing continues to function (for example,virtual defragmentation and VPN decrypt).

n In Cluster, you must configure the SecureXL in the same way on all of the clustermembers.

To temporarily disable SecureXL for IPv4

Step Description

1 Connect to the command line on your Security Gateway.

2 Log in to Gaia Clish, or Expert mode.

3 Examine the SecureXL status:

fwaccel stat

4 Disable the SecureXL:

fwaccel off [-a]

5 Examine the SecureXL status again:

fwaccel stat



To temporarily disable SecureXL for IPv6

Step Description




fwaccel6 stat

4 Disable the SecureXL:

fwaccel6 off [-a]


fwaccel6 stat

To enable SecureXL again for IPv4

Step Description




fwaccel stat

4 Enable the SecureXL:

fwaccel on [-a]


fwaccel stat

To enable SecureXL again for IPv6

Step Description





Step Description


fwaccel6 stat

4 Enable the SecureXL:

fwaccel6 on [-a]


fwaccel6 stat

For more information on these commands, see:

n "fwaccel stat" on page 101

n "fwaccel off" on page 87

n "fwaccel on" on page 91

Analyzing the Accelerated Traffic


Analyzing the Accelerated TrafficTo capture and analyze the accelerated traffic, use the "fw monitor" on page 178 command.

Rate Limiting for DoS Mitigation



IntroductionRate Limiting is a defense against DoS (Denial of Service) attacks.

Rate Limiting rules allow to limit traffic coming from specified sources, or sent to specified destination andusing specific services.

Rate limiting is enforced by SecureXL on these:

n Bandwidth and packet rate

n Number of concurrent connections

n Connection rate

For additional information, see sk112454.

Use these commands to configure Rate Limiting for DoSMitigation:

n "fw sam_policy" and "fw6 sam_policy" (see "fw sam_policy" on page 208 - you must usethe parameter "quota ")

n "fwaccel dos config" and "fwaccel6 dos config" (see "fwaccel dos config" on page 64)

Monitoring Events Related to DoS Mitigation

To see some information related to DoSMitigation, run these commands:

Command Description

fwaccel stats

fwaccel6 stats

Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules).

See:

n "fwaccel stats" on page 107

n "The /proc/ppk/ and /proc/ppk6/ entries" on page 233

fwaccel stats -d

or

cat/proc/ppk/drop_statistics

fwaccel6 stats -d

or

cat/proc/ppk6/drop_statistics

Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules).

See:

n "fwaccel stats" on page 107

n "The /proc/ppk/ and /proc/ppk6/ entries" on page 233

n "fw sam_policy" on page 208




Command Description

fw samp get -l|\grep '^$' |\xargs fwacceldos rate get

fw samp get -l|\grep '^$' |xargs fwaccel6dos rate get

Shows details of active policy rules in long format (for IPv4 and IPv6kernel modules).

See "fw sam_policy get" on page 229.

cat/proc/ppk/rlc

Shows:

n Total drop packets

n Total drop bytes

See "The /proc/ppk/ and /proc/ppk6/ entries" on page 233.

In addition, see "SecureXLDebug" on page 254.

Accelerated SYN Defender



IntroductionATCPSYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN]packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server tocreate a half-open (unestablished) TCP connection. This occurs because the server sends a TCP[SYN+ACK] packet, and waits for a response TCP packet that does not arrive.

These half-open TCP connections eventually exceed the maximum available TCP connections. Thiscauses a denial of service condition.

The Check Point Accelerated SYNDefender protects the Security Gateway by preventing excessive TCPconnections from being created.

The Accelerated SYNDefender uses TCP [SYN] Cookies (particular choices of initial TCP sequencenumbers) when under a suspected TCPSYN Flood attack. Using TCP [SYN] Cookies can reduce the loadon Security Gateway and on computers behind the Security Gateway. The Accelerated SYNDefender actsas proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.

This is a sample TCP timeline diagram that shows a TCP connection through the Security Gateway withthe enabled Accelerated SYNDefender:

Note - In this example, we assume that there no TCP retransmissions and no early data.

Security Gateway

Client with Accelerated Server

| SYN Defender |

| | |

| -(1)--SYN-------> | |

| | |

| | |

| (4) |

| | |

| | -(5)--SYN-------> |

| | |

| | |



1. AClient sends a TCP [SYN] packet to a Server.

2. The Accelerated SYNDefender replies to the Client with a TCP [SYN+ACK] packet that contains aspecial cookie in the Seq field.

Security Gateway does not maintain the connection state at this time.

3. The Client sends a reply TCP [ACK] packet. This completes the Client-side of the TCP connection.

4. The Accelerated SYNDefender checks if the SYN cookie in the Client's TCP [ACK] packet islegitimate.

5. If the SYN cookie in the Client's TCP [ACK] packet is legitimate, the Accelerated SYNDefendersends a TCP [SYN] packet to the Server to begin the Server-side of the TCP connection.

6. The Server replies with a TCP [SYN+ACK] packet.

7. The Accelerated SYNDefender sends a TCP [ACK] packet to complete the Server-size of the TCP3-way handshake.

8. The Accelerated SYNDefender marks the TCP connection as established and records the TCPsequence adjustment between the two sides.

SecureXL handles the TCP [SYN] packets. The Host Security Gateway handles the rest of the TCPconnection setup.

For each TCP connection the Accelerated SYNDefender establishes, the Security Gateway adjusts theTCP sequence number for the life of that TCP connection.

Command Line InterfaceUse the "fwaccel synatk" on page 130 commands to configure the Accelerated SYNDefender.

Configuring the 'SYN Attack' protection in SmartConsoleThe 'SYN Attack' protection is intended for mitigating SYN Flood attacks:

Step Instructions

1 Connect with SmartConsole to the Management Server.

2 From the left navigation panel, click Security Policies.

3 In the Shared Policies section, click Inspection Settings.

4 In the top field, search for SYN Attack.

5 Double-click on the SYN Attack protection.

6 Edit the applicable Inspection profile.



Step Instructions

7 Configure the applicable settings in the profile:

n On theGeneral Properties page:

If you selectOverride with Action and then Accept or Drop, it overrides the settings youmake on the Security Gateway with the "fwaccel synatk" on page 130 commands.

n On the Advanced page:

The option you select in the Activation Settings (Protect all interfaces or Protectexternal interfaces only) overrides the settings you make on the Security Gateway withthe "fwaccel synatk" on page 130 commands.

9 Install the Access Control Policy.

For more information about the SYN Attack protection in SmartConsole, see sk120476.


SecureXL Commands and Debug


SecureXL Commands and DebugThis section describes:

n SecureXL CLI commands

n SecureXL CLI Debug

Syntax Legend


Syntax LegendWhenever possible, this guide lists commands, parameters and options in the alphabetical order.

This guide uses this convention in the Command Line Interface (CLI) syntax:

Character Description

TAB Shows the available nested subcommands:

main command

→ nested subcommand 1

→ → nested subsubcommand 1-1

→ → nested subsubcommand 1-2

→ nested subcommand 2

Example:

cpwd_admin

config

-a

-d

-p

-r

del

Meaning, you can run only one of these commands:

n This command:

cpwd_admin config -a

n Or this command:

cpwd_admin config -d

n Or this command:

cpwd_admin config -p

n Or this command:

cpwd_admin config -r

n Or this command:

cpwd_admin del

Syntax Legend


Character Description

Curly brackets or braces

{ }

Enclose a list of available commands or parameters, separated by thevertical bar |.

User can enter only one of the available commands or parameters.

Angle brackets

< >

Enclose a variable.

User must explicitly specify a supported value.

Square brackets orbrackets

[ ]

Enclose an optional command or parameter, which user can also enter.

'fwaccel' and 'fwaccel6'



Description

The fwaccel commands control the acceleration for IPv4 traffic.

The fwaccel6 commands control the acceleration for IPv6 traffic.

Syntax for IPv4

fwaccel help

fwaccel [-i ] cfg conns dbg dos feature off on ranges stat stats synatk tab templates ver

Syntax for IPv6

fwaccel6 help

fwaccel6 conns dbg dos feature off on ranges stat stats synatk tab templates ver



Parameters and Options

Parameter and Options Description

help Shows the built-in help.

-i Specifies the SecureXL instance ID (for IPv4 only).

cfg Controls the SecureXL acceleration parameters.

See "fwaccel cfg" on page 47.

conns Shows all connections that pass through SecureXL.

See "fwaccel conns" on page 50.

dbg Controls the "SecureXLDebug" on page 254.

See "fwaccel dbg" on page 255.

dos Controls the Rate Limiting for DoSMitigation in SecureXL.

See "fwaccel dos" on page 60.

feature Controls the specified SecureXL features.

See "fwaccel feature" on page 84.

off Stops the acceleration on-the-fly. This does not survive reboot.

See "fwaccel off" on page 87.

on Starts the acceleration on-the-fly, if it was previously stopped.

See "fwaccel on" on page 91.

ranges Shows the loaded ranges.

See "fwaccel ranges" on page 95.

stat Shows the SecureXL status.

See "fwaccel stat" on page 101.

stats Shows the acceleration statistics.

See "fwaccel stats" on page 107.

synatk Controls the Accelerated SYNDefender.

See "fwaccel synatk" on page 130.

tab Shows the contents of the specified SecureXL table.

See "fwaccel tab" on page 155.



Parameter and Options Description

templates Shows the SecureXL templates.

See "fwaccel templates" on page 159.

ver Shows the SecureXL and FireWall version.

See "fwaccel ver" on page 163.

fwaccel cfg


fwaccel cfg

Description

The fwaccel cfg command controls the SecureXL acceleration parameters.

Important - In Cluster, you must configure all the Cluster Members in the same way

Syntax

fwaccel cfg

-h

-a { | | reset}

-b {on | off}

-c

-d

-e

-i {on | off}

-l

-m

-p {on | off}

-r

-v

-w {on | off}

Important:

n These commands do not provide output. You cannot see the currently configuredvalues.

n Changes made with these commands do not survive reboot.

Parameters

Parameter Description

-h Shows the applicable built-in help.

fwaccel cfg



-a

-a

-a reset

n -a - Configures the SecureXL not toaccelerate traffic on the interface specified by its internal number in CheckPoint kernel.

n -a - Configures the SecureXL not to acceleratetraffic on the interface specified by its name.

n -a reset - Configures the SecureXL to accelerate traffic on all interfaces(resets the non-accelerated configuration).

Notes:

n This command does not support Falcon Acceleration Cards.

n To see the required information about the interfaces, run thesecommands in the specified order:

fw getifs

fw ctl iflist

n To see if the "fwaccel cfg -a ..." command failed, run thiscommand:

tail -n 10 /var/log/messages

-b {on |off}

Controls the SecureXL Drop Templates match (sk66402):

n on - Enables the SecureXL Drop Templates match

n off - Disables the SecureXL Drop Templates match

Note - In R80.40, SecureXL does not support this parameter yet..

-c Configures the maximal number of connections, when SecureXL disables thetemplates.

-d Configures the maximal number of delete retries.

-e Configures the maximal number of general errors.

-i {on |off}

Configures SecureXL to ignore API version mismatch:

n on - Ignore API version mismatch.

n off - Do not ignore API version mismatch (this is the default).


fwaccel cfg



-l Configures the maximal number of entries in the SecureXL templates database.

Valid values are:

n 0 - To disable the limit (this is the default).

n Between 10 and 524288 - To configure the limit.

Important - If you configure a limit, you must stop and start theacceleration for this change to take effect. Run the "fwaccel off" onpage 87 command and then the "fwaccel on" on page 91 command.

-m Configures the timeout for entries in the SecureXL templates database.

Valid values are:

n 0 - To disable the timeout (this is the default).

n Between 10 and 524288 - To configure the timeout.

-p {on |off}

Configures the offload of Connection Templates (if possible):

n on - Enables the offload of new templates (this is the default).

n off - Disables the offload of new templates.

-r Configures the maximal number of retries for SecureXL API calls.

-v Configures the interval between SecureXL statistics request.

Valid values are:

n 0 - To disable the interval.

n 1 and greater - To configure the interval.

-w {on |off}

Configures the support for warnings about the IPS protection Sequence Verifier:

n on - Enable the support for these warnings.

n off - Disables the support for these warnings.

fwaccel conns


fwaccel conns

Description

The fwaccel conns and fwaccel6 conns commands show the list of the SecureXL connections on the localSecurity Gateway, or Cluster Member.

Warning - If the number of concurrent connections is large, when you run thesecommands, they can consume memory and CPU at very high level (see sk118716).

Syntax for IPv4

fwaccel [-i ] conns

-h

-f

-m

-s

Syntax for IPv6

fwaccel6 conns

-h

-f

-m

-s

Parameters





fwaccel conns



-f Show the SecureXL Connections Table entries based on the specified filterflags.

Notes:

n To see the available filter flags, run:

fwaccel conns -h

n Each filter flag is one letter - capital, or small.

n You can specify more than one flag.

For example:

fwaccel conns -f AaQq

fwaccel conns



Available filter flags are:

n A - Shows accounted connections (for which SecureXL counted thenumber of packets and bytes).

n a - Shows not accounted connections.

n C - Shows encrypted (VPN) connections.

n c - Shows clear-text (not encrypted) connections.

n F - Shows connections that SecureXL forwarded to Firewall.

Note - In R80.40, SecureXL does not support this parameter.

n f - Shows cut-through connections (which SecureXL accelerated).


n H - Shows connections offloaded to the SAM card.

Note - R80.40, does not support the SAM card (Known LimitationPMTR-18774).

n h - Shows connections created in the SAM card.

Note - R80.40, does not support the SAM card (Known LimitationPMTR-18774).

n L - Shows connections, for which SecureXL created internal links.

n l - Shows connections, for which SecureXL did not create internallinks.

n N - Shows connections that undergo NAT.


n n - Shows connections that do not undergo NAT.

Note - R80.40, SecureXL does not support this parameter.

n Q - Shows connections that undergo QoS.

n q - Shows connections that do not undergo QoS.

n S - Shows connections that undergo PXL.

n s - Shows connections that do not undergo PXL.

n U - Shows unidirectional connections.

n u - Shows bidirectional connections.

-m

Specifies the maximal number of connections to show.


fwaccel conns



-s Shows the summary of SecureXL Connections Table (number ofconnections).

Warning - Depending on the number of current connections, might consumememory at very high level.

Example - Default output from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel connsSource SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity--------------- ----- --------------- ----- -- ----------- ------- ------- ---- -------

1.1.1.200 50586 1.1.1.100 18191 6 F............. 2/2 2/- 3 0192.168.0.244 35925 192.168.0.242 18192 6 F............. 1/1 -/- 1 0192.168.0.93 257 192.168.0.242 53932 6 F............. 1/1 1/- 0 0192.168.0.242 22 172.30.168.15 57914 6 F............. 1/1 -/- 2 0192.168.0.244 34773 192.168.0.242 18192 6 F............. 1/1 -/- 2 0192.168.0.88 138 192.168.0.255 138 17 F............. 1/1 -/- 0 0

1.1.1.100 18191 1.1.1.200 55336 6 F............. 2/2 2/- 4 0192.168.0.242 18192 192.168.0.244 38567 6 F............. 1/1 -/- 4 0192.168.0.242 53932 192.168.0.93 257 6 F............. 1/1 1/- 0 0192.168.0.242 18192 192.168.0.244 62714 6 F............. 1/1 -/- 1 0192.168.0.244 33558 192.168.0.242 18192 6 F............. 1/1 -/- 5 0

1.1.1.200 36359 1.1.1.100 18191 6 F............. 2/2 2/- 5 01.1.1.200 55336 1.1.1.100 18191 6 F............. 2/2 2/- 4 0

192.168.0.242 60756 192.168.0.93 257 6 F............. 1/1 1/- 4 01.1.1.100 18191 1.1.1.200 36359 6 F............. 2/2 2/- 5 01.1.1.100 18191 1.1.1.200 50586 6 F............. 2/2 2/- 3 0

192.168.0.244 38567 192.168.0.242 18192 6 F............. 1/1 -/- 4 0192.168.0.242 18192 192.168.0.244 32877 6 F............. 1/1 -/- 5 0192.168.0.242 53806 192.168.47.45 53 17 F............. 1/1 1/- 3 0192.168.0.242 18192 192.168.0.244 33558 6 F............. 1/1 -/- 5 0172.30.168.15 57914 192.168.0.242 22 6 F............. 1/1 -/- 2 0192.168.0.255 138 192.168.0.88 138 17 F............. 1/1 -/- 0 0192.168.0.93 257 192.168.0.242 60756 6 F............. 1/1 1/- 4 0

1.1.1.200 18192 1.1.1.100 37964 6 F............. 2/2 -/- 1 01.1.1.100 37964 1.1.1.200 18192 6 F............. 2/2 -/- 1 0

192.168.0.244 32877 192.168.0.242 18192 6 F............. 1/1 -/- 5 0192.168.0.242 18192 192.168.0.244 34773 6 F............. 1/1 -/- 2 0192.168.0.242 18192 192.168.0.244 35925 6 F............. 1/1 -/- 1 0192.168.47.45 53 192.168.0.242 53806 17 F............. 1/1 1/- 3 0192.168.0.244 62714 192.168.0.242 18192 6 F............. 1/1 -/- 1 0

Idx Interface--- ---------0 lo1 eth02 eth1

Total number of connections: 30[Expert@MyGW:0]#

fwaccel dbg


fwaccel dbg

Description

The fwaccel dbg command controls the SecureXL debug. See "SecureXLDebug" on page 254.

Important - In Cluster, you must configure all the Cluster Members in the same way

Syntax

fwaccel dbg

-h

-m

all

+

-

reset

-f {"" | reset}

list

resetall

Parameters



-m

Specifies the name of the SecureXL debug module.

To see the list of available debug modules, run:

fwaccel dbg

all Enables all debug flags for the specified debug module.

fwaccel dbg



+ Enables the specified debug flags for the specified debug module:

Syntax:

+ Flag1 [Flag2 Flag3 ... FlagN]

Note - You must press the space bar key after the plus(+) character.

- Disables all debug flags for the specified debug module.

Syntax:

- Flag1 [Flag2 Flag3 ... FlagN]

Note - You must press the space bar key after the minus(-) character.

reset Resets all debug flags for the specified debug module to theirdefault state.

-f ""

Configures the debug filter to show only debug messages thatcontain the specified connection.

The filter is a string of five numbers separated with commas:

",,,,"

Notes:

n You can configure only one debug filter at onetime.

n You can use the asterisk "*" as a wildcard for anIP Address, Port number, or Protocol number.

n For more information, see IANA Service Nameand Port Number Registry and IANA ProtocolNumbers.

-f reset Resets the current debug filter.

list Shows all enabled debug flags in all debug modules.

resetall Reset all debug flags for all debug modules to their default state.

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtmlhttps://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtmlhttps://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtmlhttps://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

fwaccel dbg


Example 1 - Default output

[Expert@MyGW:0]# fwaccel dbgUsage: fwaccel dbg [-m ] [resetall | reset | list | all | +/- ]

-m - module of debugging-h - this help messageresetall - reset all debug flags for all modulesreset - reset all debug flags for moduleall - set all debug flags for modulelist - list all debug flags for all modules-f reset | "" - filter debug messages+ - set the given debug flags- - unset the given debug flags

List of available modules and flags:

Module: default (default)err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf statqueue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

Module: dberr get save del tmpl tmo init ant profile nmr nmt

Module: apierr init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf upd_if_infadd_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_ver del_all_tmpl get_stateupd_link_sel

Module: pkterr f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user deliver vlan pktnat wrp corr caf

Module: infraserr reorder pm

Module: tmplerr dtmpl_get dtmpl_notif tmpl

Module: vpnerr vpnpkt linksel routing vpn

Module: nacerr db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaqinit client server exp cbuf opreg transport transport_utils error

Module: synatkinit conf conn err log pkt proxy state msg

Module: adperr rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dosfw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#

fwaccel dbg


Example 2 - Enabling and disabling of debug flags

fwaccel dbg


[Expert@MyGW:0]# fwaccel dbg -m default + err connDebug flags updated.[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)err conn

Module: db (1)err

Module: api (1)err

Module: pkt (1)err

Module: infras (1)err

Module: tmpl (1)err

Module: vpn (1)err

Module: nac (1)err

Module: cpaq (100)error

Module: synatk (0)

Module: adp (1)err

Module: dos (10)err

Debug filter not set.[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dbg -m default - connDebug flags updated.[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)err

Module: db (1)err

Module: api (1)err

Module: pkt (1)err

Module: infras (1)err

Module: tmpl (1)err

fwaccel dbg


Module: vpn (1)err

Module: nac (1)err

Module: cpaq (100)error

Module: synatk (0)

Module: adp (1)err

Module: dos (10)err

Debug filter not set.[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dbg -m default resetDebug flags updated.[Expert@MyGW:0]#

Example 3 - Resetting all debug flags in all debug modules

[Expert@MyGW:0]# fwaccel dbg resetallDebug state was reset to default.[Expert@MyGW:0]#

Example 4 - Configuring debug filter for an SSH connection from 192.168.20.30 to 172.16.40.50

[Expert@MyGW:0]# fwaccel dbg -f 192.168.20.30,*,172.16.40.50,22,6Debug filter was set.[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: ""[Expert@MyGW:0]#

fwaccel dos


fwaccel dos

Description

The fwaccel dos and fwaccel6 dos commands control the Rate Limiting for DoSmitigation techniques inSecureXL on the local Security Gateway, or Cluster Member.

Important:

n On VSXGateway, first go to the context of an applicable VirtualSystem.

In Gaia Clish, run: set virtual-system

In Expert mode, run: vsenv

n In Cluster, you must configure all the Cluster Members in thesame way

Syntax for IPv4

fwaccel [-i ] dos

blacklist

config

pbox

rate

stats

whitelist

Syntax for IPv6

fwaccel6 dos

blacklist

config

rate

stats

Parameters



blacklist Controls the IP blacklist in SecureXL.

See"fwaccel dos blacklist" on page 62.

fwaccel dos



config Controls the DoSmitigation configuration in SecureXL.

See "fwaccel dos config" on page 64.

pbox Controls the Penalty Box whitelist in SecureXL.

See "fwaccel dos pbox" on page 70.

rate Shows and installs the Rate Limiting policy in SecureXL.

See "fwaccel dos rate" on page 75.

stats Shows and clears the DoS real-time statistics in SecureXL.

See "fwaccel dos stats" on page 77.

whitelist

Configures the whitelist for source IP addresses in the SecureXL PenaltyBox.

See "fwaccel doswhitelist" on page 79.

fwaccel dos blacklist



Description

The fwaccel dos blacklist and fwaccel6 dos blacklist commands control the IP blacklist in SecureXL.

The blacklist blocks all traffic to and from the specified IP addresses.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop thepackets.

Important:

n On VSXGateway, first go to the context of an applicable Virtual System.



n In Cluster, you must configure the SecureXL in the same way on all the ClusterMembers.

n To enforce the IP blacklist in SecureXL, you must first enable the IP blacklists.

See these commands:

l "fwaccel dos config" on page 64

l "fw sam_policy" on page 208 (let you configure more granular rules)

Syntax for IPv4

fwaccel [-i ] dos blacklist

-a

-d

-F

-s

Syntax for IPv6

fwaccel6 dos blacklist

-a

-d

-F

-s



Parameters


-i

Specifies the SecureXL instance ID (for IPv4 only).

No Parameters Shows the applicable built-in usage.

-a

Adds the specified IP address to the blacklist.

To add more than one IP address, run this command for each applicable IPaddress.

-d

Removes the specified IP addresses from the blacklist.

To remove more than one IP address, run this command for each applicable IPaddress.

-F Removes (flushes) all IP addresses from the blacklist.

-s Shows the configured blacklist.

Example from a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos blacklist -sThe blacklist is empty[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos blacklist -a 1.1.1.1Adding 1.1.1.1[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos blacklist -s1.1.1.1[Expert@MyGW:0]# fwaccel dos blacklist -a 2.2.2.2Adding 2.2.2.2[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos blacklist -s2.2.2.21.1.1.1[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos blacklist -d 2.2.2.2Deleting 2.2.2.2[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos blacklist -s1.1.1.1[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos blacklist -FAll blacklist entries deleted[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos blacklist -sThe blacklist is empty[Expert@MyGW:0]#

fwaccel dos config


fwaccel dos config

Description

The fwaccel dos config and fwaccel6 dos config commands control the global configurationparameters of the Rate Limiting for DoSmitigation in SecureXL.

These global parameters apply to all configured Rate Limiting rules.

Important:

n On VSXGateway, first go to the context of an applicable VirtualSystem.



n In Cluster, you must configure all the Cluster Members in thesame way

Syntax for IPv4

fwaccel [-i ] dos config

get

set

{--disable-rate-limit | --enable-rate-limit}

{--disable-pbox | --enable-pbox}

{--disable-blacklists | --enable-blacklists}

{--disable-drop-frags | --enable-drop-frags}

{--disable-drop-opts | --enable-drop-opts}

{--disable-internal | --enable-internal}

{--disable-monitor | --enable-monitor}

{--disable-log-drops | --enable-log-drops}

{--disable-log-pbox | --enable-log-pbox}

{-n | --notif-rate }

{-p | --pbox-rate }

{-t | --pbox-tmo }

fwaccel dos config


Syntax for IPv6

fwaccel6 dos config

get

set

{--disable-rate-limit | --enable-rate-limit}

{--disable-pbox | --enable-pbox}

{--disable-blacklists | --enable-blacklists}

{--disable-drop-frags | --enable-drop-frags}

{--disable-drop-opts | --enable-drop-opts}

{--disable-internal | --enable-internal}

{--disable-monitor | --enable-monitor}

{--disable-log-drops | --enable-log-drops}

{--disable-log-pbox | --enable-log-pbox}

{-n | --notif-rate }

{-p | --pbox-rate }

{-t | --pbox-tmo }

Parameters and Options

Parameter or Option Description

-i



get Shows the configuration parameters.

set Configuration the parameters.

--disable-blacklists

Disables the IP blacklists.

This is the default configuration.

fwaccel dos config



--disable-drop-frags

Disables the drops of all fragmented packets. This is the default configuration.

Important - This option applies to only VSX, and only for traffic thatarrives at a Virtual System through a Virtual Switch (packetsreceived through a Warp interface). From R80.20, IP Fragmentreassembly occurs in SecureXL before the Warp-jump from a VirtualSwitch to a Virtual System. To block IP fragments, the Virtual Switchmust be configured with this option. Otherwise, this has no effect,because the IP fragments would already be reassembled when theyarrive at the Virtual System's Warp interface.

--disable-drop-opts

Disables the drops of all packets with IP options.


--disable-internal

Disables the enforcement on internal interfaces.


--disable-log-drops

Disables the notifications when the DoSmodule drops a packet due to ratelimiting policy.

--disable-log-pbox

Disables the notifications when administrator adds an IP address to thepenalty box.

--disable-monitor

Disables the acceptance of all packets that otherwise would be dropped.


--disable-pbox Disables the IP penalty box.


Also, see the "fwaccel dos pbox" on page 70 command.

--disable-rate-limit

Disables the enforcement of the rate limiting policy.


--enable-blacklists

Enables IP blacklists.

Also, see the "fwaccel dos blacklist" on page 62 command.

--enable-drop-frags

Enables the drops of all fragmented packets.

--enable-drop-opts

Enables the drops of all packets with IP options.

--enable-internal

Enables the enforcement on internal interfaces.

fwaccel dos config



--enable-log-drops

Enables the notifications when the DoSmodule drops a packet due to ratelimiting policy.


--enable-log-pbox

Enables the notifications when administrator adds an IP address to the penaltybox.


--enable-monitor

Enables the acceptance of all packets that otherwise would be dropped.

--enable-pbox Enables the IP penalty box.

Also, see the "fwaccel dos pbox" on page 70 command.

--enable-rate-limit

Enables the enforcement of the rate limiting policy.

Important - After you run this command, you must install the AccessControl policy.

-n

--notif-rate

Configures the maximal number of drop notifications per second for eachSecureXL device.

Range: 0 - (232-1)

Default: 100

-p

--pbox-rate

Configures the minimal number of reported dropped packets before SecureXLadds a source IPv4 address to the penalty box.

Range: 0 - (232-1)

Default: 500

-t

--pbox-tmo

Configures the number of seconds until SecureXL removes an IP is from thepenalty box.

Range: 0 - (232-1)

Default: 180

fwaccel dos config


Example 1 - Get the current DoS configuration on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config getrate limit: disabled (without policy)

pbox: disabledblacklists: disabled

log blacklist: disableddrop frags: disableddrop opts: disabledinternal: disabledmonitor: disabled

log drops: disabledlog pbox: disabled

notif rate: 100 notifications/secondpbox rate: 500 packets/secondpbox tmo: 180 seconds

[Expert@MyGW:0]#

Example 2 - Enabling the Penalty Box on a non-VSX Gateway

[Expert@MyGW:0]# fwaccel dos config set --enable-pboxOK[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos config get

rate limit: disabled (without policy)pbox: enabled

blacklists: disableddrop frags: disableddrop opts: disabledinternal: disabledmonitor: disabled

log drops: enabledlog pbox: enabled

notif rate: 100 notifications/secondpbox rate: 500 packets/secondpbox tmo: 180 seconds

[Expert@MyGW:0]#

fwaccel dos config


Making the configuration persistent

The settings defined with the "fwaccel dos config set" and the "fwaccel6 dos config set"commands return to their default values during each reboot. To make these settings persistent, add theapplicable commands to these configuration files:

File Description

$FWDIR/conf/fwaccel_dos_rate_on_install

This shell script for IPv4 must contain only the fwacceldos config set commands:

#!/bin/bashfwaccel dos config set

$FWDIR/conf/fwaccel6_dos_rate_on_install

This shell script for IPv6 must contain only the fwaccel6dos config set commands:

#!/bin/bashfwaccel6 dos config set

Important - Do not include the "fw sam_policy" on page 208 commands in theseconfiguration files. The configured Rate Limiting policy survives reboot. If you add thefw sam_policy commands, the rate policy installer runs in an infinite loop.

Notes:

n To create or edit these files, log in to the Expert mode.

n If these files do not already exist, create them with one of these commands:

l touch $FWDIR/conf/

l vi $FWDIR/conf/

n On VSXGateway, before you create these files, go to the context of anapplicable Virtual System.

l In Gaia Clish, run: set virtual-system

l In Expert mode, run: vsenv

n These files must start with the "#!/bin/bash" line.

n These files must end with a new empty line.

n After you create these files, you must assign the execute permission to them:

chmod +x $FWDIR/conf/

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

!/bin/bashfwaccel dos config set --enable-internalfwaccel dos config set --enable-pbox

fwaccel dos pbox


fwaccel dos pbox

Description

The fwaccel dos pbox command controls the Penalty Box whitelist in SecureXL.

The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive fromsuspected sources. The purpose of this feature is to allow the Security Gateway to cope better under hightraffic load, possibly caused by a DoS/DDoS attack.

The SecureXL Penalty Box detects clients that send packets, which the Access Control Policy drops, andclients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, itputs that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blockedsource IP address.

The Penalty Box whitelist in SecureXL lets you configure the source IP addresses, which the SecureXLPenalty Box never blocks.

Important:

n This command supports only IPv4.





n To enforce the Penalty Box in SecureXL, you must first enable the Penalty Box.

See these commands:

l "fwaccel dos config" on page 64

l "fwaccel doswhitelist" on page 79

l "fwaccel synatk whitelist" on page 150

Syntax for IPv4

fwaccel [-i ] dos pbox

flush

whitelist

-a [/]

-d [/]

-F

-l //

-L

-s

fwaccel dos pbox


Parameters




flush Removes (flushes) all source IP addresses from the Penalty Box.

whitelist Configures the whitelist for source IP addresses in the SecureXLPenalty Box.

Important - This whitelist overrides which packet theSecureXL Penalty Box drops. Before you use a 3rd-party orautomatic blacklists, add trusted networks and hosts to thewhitelist to avoid outages.

Note - This command is similar to the "fwaccel doswhitelist" on page 79 command.

-a [/]

Adds the specified IP address to the Penalty Box whitelist.

n - Can be an IP address of a network or ahost.

n - Must specify the length of the subnetmask in the format /.

Optional for a host IP address.

Mandatory for a network IP address.

Range - from /1 to /32.

Important - If you do not specify the subnet prefixexplicitly, this command uses the subnet prefix /32.

Examples:

n For a host:

192.168.20.30

192.168.20.30/32

n For a network:

192.168.20.0/24

fwaccel dos pbox



-d [/]

Removes the specified IP address from the Penalty Box whitelist.

n - Can be an IP address of a network or ahost.

n - Optional. Must specify the length of thesubnet mask in the format /.

Optional for a host IP address.

Mandatory for a network IP address.

Range - from /1 to /32.

Important - If you do not specify the subnet prefixexplicitly, this command uses the subnet prefix /32.

-F Removes (flushes) all entries from the Penalty Box whitelist.

-l //

Loads the Penalty Box whitelist entries from the specified plain-textfile.

Important:

n You must manually create and configure this file withthe touch or vi command.

n You must assign at least the read permission to thisfile with the chmod +x command.

n Each entry in this file must be on a separate line.

n Each entry in this file must be in this format:

[/]

n SecureXL ignores empty lines and lines that startwith the # character in this file.

fwaccel dos pbox



-L Loads the Penalty Box whitelist entries from the plain-text file with apredefined name:

$FWDIR/conf/pbox-whitelist-v4.conf

Security Gateway automatically runs this command fwaccel dospbox whitelist -L during each boot.

Important:

n This file does not exist by default.

n You must manually create and configure this file withthe touch or vi command.

n You must assign at least the read permission to thisfile with the chmod +x command..

n Each entry in this file must be on a separate line.

n Each entry in this file must be in this format:

[/]

n SecureXL ignores empty lines and lines that startwith the # character in this file.

-s Shows the current Penalty Box whitelist entries.

Example 1 - Adding a host IP address without optional subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -s192.168.20.40/32[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -F[Expert@MyGW:0]# fwaccel dos pbox whitelist -s[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -s192.168.20.40/32[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -F[Expert@MyGW:0]# fwaccel dos pbox whitelist -s[Expert@MyGW:0]#

fwaccel dos pbox


Example 3 - Adding a network IP address with mandatory subnet prefix

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.0/24[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -s192.168.20.0/24[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -F[Expert@MyGW:0]# fwaccel dos pbox whitelist -s[Expert@MyGW:0]#

Example 4 - Deleting an entry

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.70/32[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -s192.168.20.40/32192.168.20.70/32[Expert@MyGW:0]# fwaccel dos pbox whitelist -d 192.168.20.70/32[Expert@MyGW:0]#[Expert@MyGW:0]# fwaccel dos pbox whitelist -s192.168.20.40/32[Expert@MyGW:0]#

fwaccel dos rate


fwaccel dos rate

Description

The fwaccel dos rate and fwaccel6 dos rate commands show and install the Rate Limiting policy inSecureXL.

Important:





Syntax for IPv4

fwaccel [-i ] dos rate

get ''

install

Syntax for IPv6

fwaccel6 dos rate

get ''

install

fwaccel dos rate


Parameters


-i



get ''

Shows information about the rule specified by its Rule UID or its zero-based ruleindex.

The quote marks and angle brackets ('') are mandatory.

install Installs a new rate limiting policy.

Important - This command requires input from the stdin.

To use this command, run:

fw sam_policy get -l -k req_type -t in -vquota | fwaccel dos rate install

For more information about the fw sam_policy command, see "fw sam_policy" on page 208.

Notes

n If you install a new rate limiting policy with more than one rule, it automatically enables the ratelimiting feature.

To disable the rate limiting feature manually, run this command (see "fwaccel dos config" onpage 64):

fwaccel dos config set --disable-rate-limit

n To delete the current rate limiting policy, install a new policy with zero rules.

fwaccel dos stats


fwaccel dos stats

Description

The fwaccel dos stats and fwaccel6 dos stats commands show and clear the DoS real-time statistics inSecureXL.

Important:





Syntax for IPv4

fwaccel [-i ] stats

clear

get

Syntax for IPv6

fwaccel6 dos stats

clear

get

Parameters




clear Clears the real-time statistics counters.

get Shows the real-time statistics counters.

fwaccel dos stats


Example - Get the current DoS statistics

[Expert@MyGW:0]# fwaccel dos stats getFirewall:

Number of Elements in Tables:Penalty Box Violating IPs: 0 (size: 8192)Blacklist Notification Handlers: 0 (size: 1024)

SXL Device 0:Total Active Connections: 0Total New Connections/Second: 0Total Packets/Second: 0Total Bytes/Second: 0Reasons Packets Dropped:

IP Fragment: 0IP Option: 0Penalty Box: 0Blacklist: 0Rate Limit: 0

Number of Elements in Tables:Penalty Box: 0 (size: 0)Non-Empty Blacklists: 0 (size: 0)Blacklisted IPs: 0 (size: 0)Rate Limit Matches: 0 (size: 0)Rate Limit Source Only Tracks: 0 (size: 0)Rate Limit Source and Service Tracks: 0 (size: 0)

SXL Devices in Aggregate:Reasons Packets Dropped:

IP Fragment: 0IP Option: 0Penalty Box: 0Blacklist: 0Rate Limit: 0

Number of Elements in Tables:Penalty Box: 0Non-Empty Blacklists: 0Blacklisted IPs: 0Rate Limit Matches: 0Rate Limit Source Only Tracks: 0Rate Limit Source and Service Tracks: 0

[Expert@MyGW:0]#

fwaccel dos whitelist


fwaccel dos whitelist

Description

The fwaccel doswhitelist command configures the whitelist for source IP addresses in the SecureXLPenalty Box.

This whitelist overrides which packet the SecureXL Penalty Box drops.

Notes:

n This command supports only IPv4.





n This whitelist overrides entries in the blacklist. Before you use a 3rd-party orautomatic blacklists, add trusted networks and hosts to the whitelist to avoidoutages.

n This whitelist unblocks IPOptions and IP fragments from trusted sources whenyou explicitly configure one these SecureXL features:

l --enable-drop-opts

l --enable-drop-frags

See the "fwaccel dos config" on page 64 command.

n To whitelist the Rate Limiting policy, refer to the bypass action of the fw sampcommand. For example, fw samp -a b ...

For more information about the fw sam_policy command, see the R80.40Performance Tuning Administration Guide - Section Rate Limiting for DoSMitigation - Section 'fw sam_policy' and 'fw6 sam_policy'.

n This command is similar to the "fwaccel

performance tuning r80.40 administration guide · 2020. 6. 30. · tableofcontents...

Documents