
  • [Classification: Protected]

    23 January 2020

    PERFORMANCE TUNING

    R80.40

    Administration Guide

  • Check Point Copyright Notice

    © 2020 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    Refer to the Copyright page for a list of our trademarks.

    Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.

    https://www.checkpoint.com/copyright/
    https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/

  • Performance Tuning R80.40 Administration Guide

    Performance Tuning R80.40 Administration Guide      |      3

    Important Information

    Latest Software

    We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

    Certifications

    For third party independent certification of Check Point products, see the Check Point Certifications page.

    Check Point R80.40

    For more about this release, see the R80.40 home page.

    Latest Version of this Document

    Open the latest version of this document in a Web browser.

    Download the latest version of this document in PDF format.

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation.

    Please help us by sending your comments.

    Revision History

    Date Description

    23 January 2020 First release of this document

    https://www.checkpoint.com/products-solutions/certified-check-point-solutions/
    http://supportcontent.checkpoint.com/solutions?id=sk160736
    https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_PerformanceTuning_AdminGuide/Default.htm
    http://downloads.checkpoint.com/dc/download.htm?ID=96088
    mailto:[email protected]?subject=Feedback on Performance Tuning R80.40 Administration Guide

  • Table of Contents


    Glossary 11

    Introduction to Performance Tuning 23

    SecureXL 24

    Accelerated Features 25

    Packet Flow 26

    Connection Templates 29

    Policy Installation Acceleration 30

    Scalable Performance 31

    Configuring SecureXL 32

    Analyzing the Accelerated Traffic 35

    Rate Limiting for DoS Mitigation 36

    Introduction 36

    Monitoring Events Related to DoS Mitigation 36

    Accelerated SYN Defender 38

    Introduction 38

    Command Line Interface 39

    Configuring the 'SYN Attack' protection in SmartConsole 39

    SecureXL Commands and Debug 41

    Syntax Legend 42

    'fwaccel' and 'fwaccel6' 44

    fwaccel cfg 47

    fwaccel conns 50

    fwaccel dbg 54

    fwaccel dos 60

    fwaccel dos blacklist 62

    fwaccel dos config 64

    fwaccel dos pbox 70

    fwaccel dos rate 75

    fwaccel dos stats 77

    fwaccel dos whitelist 79


    fwaccel feature 84

    fwaccel off 87

    fwaccel on 91

    fwaccel ranges 95

    fwaccel stat 101

    fwaccel stats 107

    Description of the Statistics Counters in the "fwaccel stats" Output 109

    Example Outputs on the "fwaccel stats" Commands 115

    fwaccel synatk 130

    fwaccel synatk -a 133

    fwaccel synatk -c 134

    fwaccel synatk -d 135

    fwaccel synatk -e 136

    fwaccel synatk -g 137

    fwaccel synatk -m 138

    fwaccel synatk -t 139

    fwaccel synatk config 140

    fwaccel synatk monitor 143

    fwaccel synatk state 148

    fwaccel synatk whitelist 150

    fwaccel tab 155

    fwaccel templates 159

    fwaccel ver 163

    'sim' and 'sim6' 164

    sim affinity 166

    sim affinityload 169

    sim enable_aesni 170

    sim if 171

    sim nonaccel 175

    sim ver 177

    fw monitor 178

    fw sam_policy 208

    fw sam_policy add 211


    fw sam_policy batch 224

    fw sam_policy del 226

    fw sam_policy get 229

    The /proc/ppk/ and /proc/ppk6/ entries 233

    /proc/ppk/affinity 235

    /proc/ppk/conf 236

    /proc/ppk/conns 237

    /proc/ppk/cpls 238

    /proc/ppk/cqstats 239

    /proc/ppk/drop_statistics 240

    /proc/ppk/ifs 241

    /proc/ppk/mcast_statistics 245

    /proc/ppk/nac 246

    /proc/ppk/notify_statistics 247

    /proc/ppk/profile_cpu_stat 248

    /proc/ppk/rlc 249

    /proc/ppk/statistics 250

    /proc/ppk/stats 252

    /proc/ppk/viol_statistics 253

    SecureXL Debug 254

    fwaccel dbg 255

    SecureXL Debug Procedure 261

    SecureXL Debug Modules and Debug Flags 265

    CoreXL 279

    Enabling and Disabling CoreXL 280

    Default Configuration of CoreXL 281

    Configuring IPv4 and IPv6 CoreXL Firewall instances 283

    IPv4 and IPv6 CoreXL Firewall Instances 283

    Configuring the Number of IPv4 CoreXL Firewall Instances 285

    Configuring the Number of IPv6 CoreXL Firewall Instances 286

    Example CoreXL Configuration 287

    CoreXL Unsupported Features 289

    Configuring Affinity Settings 290


    Introduction 290

    The $FWDIR/conf/fwaffinity.conf Configuration File 290

    The $FWDIR/scripts/fwaffinity_apply Script 292

    Affinity Settings for 16000 and 26000 Appliances 293

    Performance Tuning 297

    Allocation of Processing CPU Cores 298

    Adding Processing CPU Cores to the Hardware 299

    Allocating Additional CPU Cores to the CoreXL SND 300

    Allocating a CPU Core for Heavy Logging 301

    Setting Affinities for Interfaces on the Host Security Appliance 303

    Dynamic Split of CoreXL Instances 305

    Introduction 305

    Syntax 306

    Monitoring 308

    CoreXL Commands 310

    Syntax Legend 311

    cp_conf corexl 313

    cpconfig 315

    fw ctl multik 318

    fw ctl multik add_bypass_port 321

    fw ctl multik del_bypass_port 323

    fw ctl multik dynamic_dispatching 325

    fw ctl multik gconn 326

    fw ctl multik get_instance 331

    fw ctl multik print_heavy_conn 333

    fw ctl multik prioq 335

    fw ctl multik show_bypass_ports 336

    fw ctl multik stat 337

    fw ctl multik start 339

    fw ctl multik stop 340

    fw ctl multik utilize 341

    fw ctl affinity 342

    Running the 'fw ctl affinity -l' command in Gateway Mode 343


    Running the 'fw ctl affinity -l' command in VSX Mode 347

    Running the 'fw ctl affinity -s' command in Gateway Mode 350

    Running the 'fw ctl affinity -s' command in VSX Mode 354

    fw -i 358

    fwboot bootconf 359

    fwboot corexl 363

    fwboot cpuid 370

    fwboot ht 372

    fwboot multik_reg 375

    fwboot post_drv 377

    Multi-Queue 378

    Introduction to Multiple Traffic Queues 378

    Multi-Queue Requirements and Limitations 378

    Deciding Whether to Enable the Multi-Queue 379

    Multi-Queue Administration 383

    Multi-Queue Basic Configuration 384

    Multi-Queue Special Scenarios and Configurations 387

    Default Number of Active RX Queues 388

    Gateway Mode 388

    VSX Mode 388

    Changing the Status of an Interface with Enabled Multi-Queue 389

    Adding a Network Interface 390

    Changing the Affinity of CoreXL Firewall instances 391

    Processing Packets that Arrive in the Wrong Order on an Interface that Works in Monitor Mode 392

    Multi-Queue Troubleshooting 393

    CPView 395

    Overview of CPView 395

    CPView User Interface 395

    Using CPView 396

    Command Line Reference 397

    Working with Kernel Parameters on Security Gateway 398

    Introduction to Kernel Parameters 399

    Firewall Kernel Parameters 400


    Working with Integer Kernel Parameters 401

    Working with String Kernel Parameters 406

    SecureXL Kernel Parameters 409

    Kernel Debug on Security Gateway 413

    Kernel Debug Syntax 414

    Kernel Debug Filters 423

    Kernel Debug Procedure 428

    Kernel Debug Procedure with Connection Life Cycle 431

    Kernel Debug Modules and Debug Flags 438

    Module 'accel_apps' (Accelerated Applications) 440

    Module 'accel_pm_mgr' (Accelerated Pattern Match Manager) 441

    Module 'APPI' (Application Control Inspection) 442

    Module 'BOA' (Boolean Analyzer for Web Intelligence) 443

    Module 'CI' (Content Inspection) 444

    Module 'cluster' (ClusterXL) 446

    Module 'cmi_loader' (Context Management Interface / Infrastructure Loader) 448

    Module 'CPAS' (Check Point Active Streaming) 449

    Module 'cpcode' (Data Loss Prevention - CPcode) 450

    Module 'CPSSH' (SSH Inspection) 451

    Module 'crypto' (SSL Inspection) 453

    Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness) 454

    Module 'dlpk' (Data Loss Prevention - Kernel Space) 456

    Module 'dlpuk' (Data Loss Prevention - User Space) 457

    Module 'DOMO' (Domain Objects) 458

    Module 'fg' (FloodGate-1 - QoS) 459

    Module 'FILE_SECURITY' (File Inspection) 461

    Module 'FILEAPP' (File Application) 462

    Module 'fw' (Firewall) 463

    Module 'gtp' (GPRS Tunneling Protocol) 470

    Module 'h323' (VoIP H.323) 471

    Module 'ICAP_CLIENT' (Internet Content Adaptation Protocol Client) 472

    Module 'IDAPI' (Identity Awareness API) 474

    Module 'kiss' (Kernel Infrastructure) 475


    Module 'kissflow' (Kernel Infrastructure Flow) 478

    Module 'MALWARE' (Threat Prevention) 479

    Module 'multik' (Multi-Kernel Inspection - CoreXL) 480

    Module 'MUX' (Multiplexer for Applications Traffic) 482

    Module 'NRB' (Next Rule Base) 484

    Module 'PSL' (Passive Streaming Library) 486

    Module 'RAD_KERNEL' (Resource Advisor - Kernel Space) 487

    Module 'RTM' (Real Time Monitoring) 488

    Module 'seqvalid' (TCP Sequence Validator and Translator) 490

    Module 'SFT' (Stream File Type) 491

    Module 'SGEN' (Struct Generator) 492

    Module 'synatk' (Accelerated SYN Defender) 493

    Module 'UC' (UserCheck) 494

    Module 'UP' (Unified Policy) 495

    Module 'upconv' (Unified Policy Conversion) 497

    Module 'UPIS' (Unified Policy Infrastructure) 498

    Module 'VPN' (Site-to-Site VPN and Remote Access VPN) 500

    Module 'WS' (Web Intelligence) 502

    Module 'WS_SIP' (Web Intelligence VoIP SIP Parser) 505

    Module 'WSIS' (Web Intelligence Infrastructure) 507

  • Glossary


    A

    Accelerated Path
    Packet flow on the Host appliance, when the packet is completely handled by the SecureXL device. It is processed and forwarded to the network.

    Administrator
    A user with permissions to manage Check Point security products and the network environment.

    Affinity
    The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.

    API
    In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. In general terms, it is a set of clearly defined methods of communication between various software components.

    Appliance
    A physical computer manufactured and distributed by Check Point.

    B

    Bond
    A virtual interface that contains (enslaves) two or more physical interfaces for redundancy and load sharing. The physical interfaces share one IP address and one MAC address. See "Link Aggregation".

    Bonding
    See "Link Aggregation".


    Bridge Mode
    A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology.

    C

    CA
    Certificate Authority. Issues certificates to gateways, users, or computers, so that each can identify itself to connecting entities with a Distinguished Name, a public key, and sometimes an IP address. After certificate validation, entities can send encrypted data using the public keys in the certificates.

    Certificate
    An electronic document that uses a digital signature to bind a cryptographic public key to a specific identity. The identity can be an individual, organization, or software entity. The certificate is used to authenticate one identity to another.

    Cluster
    Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.

    Cluster Member
    A Security Gateway that is part of a cluster.

    CoreXL
    A performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances run in parallel on multiple CPU cores.

    CoreXL Dynamic Dispatcher
    Improved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXL Firewall instances. Traffic distribution between CoreXL Firewall instances is dynamic, based on the utilization of the CPU cores on which the CoreXL Firewall instances run. The dynamic decision is made for the first packet of each connection, by assigning each CoreXL Firewall instance a rank and selecting the CoreXL Firewall instance with the lowest rank. The rank of each CoreXL Firewall instance is calculated from its CPU utilization: the higher the CPU utilization, the higher the rank, and therefore the less likely the CoreXL SND is to select that CoreXL Firewall instance. See sk105261.


    CoreXL Firewall Instance
    Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one processing CPU core. These firewall instances handle traffic at the same time, and each firewall instance is a complete and independent firewall inspection kernel.

    CoreXL SND
    Secure Network Distributer. Part of CoreXL that is responsible for: processing incoming traffic from the network interfaces; securely accelerating authorized packets (if SecureXL is enabled); distributing non-accelerated packets between Firewall kernel instances (the SND maintains a global dispatching table, which maps each connection to the CoreXL Firewall instance it was assigned to). Traffic distribution between CoreXL Firewall instances is static, based on the Source IP address, the Destination IP address, and the IP 'Protocol' type, unless the CoreXL Dynamic Dispatcher is used (see "CoreXL Dynamic Dispatcher"). The CoreXL SND does not really "touch" packets. The decision to stick to a particular FWK daemon is made on the first packet of a connection, at a very high level, before anything else. Depending on the SecureXL settings, and in most cases, SecureXL can offload decryption calculations. However, in some other cases, such as Route-Based VPN, decryption is done by the FWK daemon.
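    The following is an added example, not Check Point code and not part of this guide. It models the two distribution policies described in the "CoreXL Dynamic Dispatcher" and "CoreXL SND" entries: a static choice derived from the (source IP, destination IP, IP protocol) tuple, and a dynamic choice that ranks instances by CPU utilization and takes the lowest rank, with the decision made only on the first packet of a connection and later packets sticking to it through the dispatching table. The hash function, the utilization figures and the per-connection cost are assumptions made for illustration; the real SND internals are not documented on this page.

```python
"""Added example (not Check Point code): a model of how the CoreXL SND picks a
CoreXL Firewall instance for the first packet of a connection and keeps later
packets of that connection on the same instance (the dispatching table).

Two policies from the glossary are modelled:
  static  - hash of (source IP, destination IP, IP protocol)
  dynamic - rank each instance by the CPU utilization of its core and take
            the lowest rank (the CoreXL Dynamic Dispatcher)
The hash function, the utilization figures and the per-connection cost are
assumptions for illustration; the real SND internals are not on this page.
"""
import hashlib
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]          # (source IP, destination IP, IP protocol)


def static_pick(key: FlowKey, n_instances: int) -> int:
    """Static distribution: the same 3-tuple always lands on the same instance.
    Assumption: SHA-256 stands in for the undocumented SND hash."""
    digest = hashlib.sha256("|".join(map(str, key)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_instances


def dynamic_pick(cpu_util: List[float]) -> int:
    """Dynamic Dispatcher: rank grows with CPU utilization, lowest rank wins.
    Ties are broken by the lowest instance number (assumption)."""
    return min(range(len(cpu_util)), key=lambda i: (cpu_util[i], i))


class SND:
    """The SND's global dispatching table: connection -> CoreXL FW instance."""

    def __init__(self, n_instances: int, dynamic: bool) -> None:
        self.n = n_instances
        self.dynamic = dynamic
        self.table: Dict[FlowKey, int] = {}
        self.assigned: List[int] = [0] * n_instances   # connections per instance

    def dispatch(self, key: FlowKey, cpu_util: List[float]) -> int:
        """Return the instance for this packet. Only the first packet of a
        connection triggers a decision; every later packet sticks to it."""
        if key in self.table:
            return self.table[key]
        inst = dynamic_pick(cpu_util) if self.dynamic else static_pick(key, self.n)
        self.table[key] = inst
        self.assigned[inst] += 1
        return inst


def simulate(dynamic: bool, n_instances: int = 4, n_conns: int = 40) -> List[int]:
    """Constructed workload: instance 0 already runs at 80% CPU (say, a heavy
    connection pinned there), the others at 10%, and each new connection is
    assumed to add 2% to its instance. Returns new connections per instance."""
    snd = SND(n_instances, dynamic)
    base = [80.0] + [10.0] * (n_instances - 1)
    for i in range(n_conns):
        key = (f"10.0.{i // 8}.{i % 8 + 1}", "192.0.2.10", 6)   # distinct TCP flows
        util = [base[j] + 2.0 * snd.assigned[j] for j in range(n_instances)]
        snd.dispatch(key, util)
    return snd.assigned


if __name__ == "__main__":
    print("static :", simulate(dynamic=False))   # instance 0 gets whatever its hash share is
    print("dynamic:", simulate(dynamic=True))    # instance 0 receives no new connections
```

    With the static policy the busy instance keeps receiving its share of new connections, because the hash ignores load; with the dynamic policy every new connection goes to one of the three idle instances, and the rank only changes as their utilization climbs.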

    CPUSE
    Check Point Upgrade Service Engine for the Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449.

    D

    DAIP Gateway
    A Dynamically Assigned IP (DAIP) Security Gateway is a Security Gateway where the IP address of the external interface is assigned dynamically by the ISP.

    Data Type
    A classification of data. The Firewall classifies incoming and outgoing traffic according to Data Types, and enforces the Policy accordingly.

    Database
    The Check Point database includes all objects, including network objects, users, services, servers, and protection profiles.

    Distributed Deployment
    The Check Point Security Gateway and Security Management Server products are deployed on different computers.


    Domain
    A network or a collection of networks related to an entity, such as a company, business unit or geographical location.

    Domain Log Server
    A Log Server for a specified Domain. It stores and processes logs from Security Gateways that are managed by the corresponding Domain Management Server. Acronym: DLS.

    Domain Management Server
    A virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS.

    E

    Expert Mode
    The name of the full command line shell that gives full system root permissions in the Check Point Gaia operating system.

    External Network
    Computers and networks that are outside of the protected network.

    External Users
    Users defined on external servers. External users are not defined in the Security Management Server database or on an LDAP server. External user profiles tell the system how to identify and authenticate externally defined users.

    F

    F2F
    Denotes non-VPN connections that SecureXL forwarded to the firewall. See "Firewall Path".

    Firewall
    The software and hardware that protects a computer network by analyzing the incoming and outgoing network traffic (packets).


    Firewall Path
    Also Slow Path. Packet flow on the Host Security Appliance, when the SecureXL device is unable to process the packet (see sk32578). The packet is passed to the CoreXL layer and then to one of the CoreXL Firewall instances for full processing. This path also processes all packets when SecureXL is disabled.

    G

    Gaia
    Check Point security operating system that combines the strengths of both the SecurePlatform and IPSO operating systems.

    Gaia Clish
    The name of the default command line shell in the Check Point Gaia operating system. This is a restrictive shell (role-based administration controls the number of commands available in the shell).

    Gaia Portal
    Web interface for the Check Point Gaia operating system.

    H

    Hotfix
    A piece of software installed on top of the current software in order to fix some wrong or undesired behavior.

    I

    ICA
    Internal Certificate Authority. A component on the Check Point Management Server that issues certificates for authentication.

    Internal Network
    Computers and resources protected by the Firewall and accessed by authenticated users.


    IPv4
    Internet Protocol Version 4 (see RFC 791). A 32-bit number - 4 sets of numbers, each set can be from 0 - 255. For example, 192.168.2.1.

    IPv6
    Internet Protocol Version 6 (see RFC 2460 and RFC 3513). A 128-bit number - 8 sets of hexadecimal numbers, each set can be from 0 - ffff. For example, FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.

    IRQ Affinity
    A state of binding an IRQ to one or more CPU cores.

    J

    Jumbo Hotfix Accumulator
    Collection of hotfixes combined into a single package. Acronyms: JHA, JHF.

    L

    Link Aggregation
    Various methods of combining (aggregating) multiple network connections in parallel to increase throughput beyond what a single connection could sustain, and to provide redundancy in case one of the links should fail.

    Log
    A record of an action that is done by a Software Blade.

    Log Server
    A dedicated Check Point computer that runs Check Point software to store and process logs in a Security Management Server or Multi-Domain Security Management environment.


    M

    Management High Availability
    Deployment and configuration mode of two Check Point Management Servers, in which they automatically synchronize the management databases with each other. In this mode, one Management Server is Active, and the other is Standby. Acronyms: Management HA, MGMT HA.

    Management Interface
    Interface on a Gaia computer, through which users connect to the Portal or CLI. Interface on a Gaia Security Gateway or Cluster member, through which the Management Server connects to the Security Gateway or Cluster member.

    Management Server
    A Check Point Security Management Server or a Multi-Domain Server.

    Medium Path (PXL)
    Packet flow on the Host Security Appliance, when the packet is handled by the SecureXL device. The CoreXL layer passes the packet to one of the CoreXL Firewall instances to process it. Even when CoreXL is disabled, SecureXL uses the CoreXL infrastructure to send the packet to the single CoreXL Firewall instance that still functions. When the Medium Path is available, SecureXL fully accelerates the TCP handshake. Rule Base match is achieved for the first packet through an existing connection acceleration template. SecureXL also fully accelerates the TCP [SYN-ACK] and TCP [ACK] packets. However, once data starts to flow, an FWK instance handles the packets in order to stream them for Content Inspection. SecureXL sends all packets that contain data to FWK for data extraction in order to build the data stream. Only SecureXL handles the TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets, because they do not contain data that needs to be streamed. This path is available only when CoreXL is enabled. Exceptions are: IPS (some protections); VPN (in some configurations); Application Control; Content Awareness; Anti-Virus; Anti-Bot; HTTPS Inspection; Proxy mode; Mobile Access; VoIP; Web Portals.

    Multi-Domain Log Server
    A computer that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS.


    Multi-Domain Security Management
    A centralized management solution for large-scale, distributed environments with many different Domain networks.

    Multi-Domain Server
    A computer that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Acronym: MDS.

    Multi-Queue
    An acceleration feature on Security Gateway that lets you assign more than one packet queue and CPU core to an interface.

    N

    Network Object
    Logical representation of every part of the corporate topology (physical machine, software component, IP Address range, service, and so on).

    O

    Open Server
    A physical computer manufactured and distributed by a company other than Check Point.

    P

    Primary Multi-Domain Server
    The Multi-Domain Server in Management High Availability that you install as Primary.


    PSL
    Passive Streaming Library. Packets may arrive at the Security Gateway out of order, or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases, a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. The Security Gateway ensures that only valid packets are allowed to proceed to their destinations. It does this with the Passive Streaming Library (PSL) technology. (1) The PSL is an infrastructure layer, which provides stream reassembly for TCP connections. (2) The Security Gateway makes sure that the TCP data seen by the destination system is the same as that seen by the code above PSL. (3) The PSL handles packet reordering and congestion, and is responsible for various security aspects of the TCP layer, such as handling payload overlaps, some DoS attacks, and others. (4) The PSL is capable of receiving packets from the Firewall chain and from SecureXL. (5) The PSL serves as a middleman between the various security applications and the network packets. It provides the applications with a coherent stream of data to work with, free of various network problems or attacks. (6) The PSL infrastructure is wrapped with well-defined APIs called the Unified Streaming APIs, which are used by the applications to register and access streamed data. For more details, see sk95193.
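    The following is an added example, not Check Point's PSL and not part of this guide. It is a minimal passive reassembler that does the three things the entry attributes to PSL: it holds out-of-order segments until the gap in front of them is filled, delivers a single in-order byte stream to the layer above, accepts a retransmission that repeats bytes already delivered, and drops a retransmission whose bytes differ from what was already delivered (the IPS-evasion case: the destination would otherwise see different data than the inspection code). Segment contents and sequence numbers are constructed for the example; it compares conflicting held segments only when they start at the same sequence number, which is a simplification of the toy, not a property of PSL.

```python
"""Added example (not Check Point's PSL): a toy passive TCP stream reassembler
showing out-of-order buffering, in-order delivery, acceptance of honest
retransmissions and rejection of a retransmission that changes the payload.
All traffic below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Segment:
    seq: int        # TCP sequence number of data[0]
    data: bytes


@dataclass
class Stream:
    next_seq: int                                            # next byte the receiver expects
    delivered: bytearray = field(default_factory=bytearray)  # in-order stream handed upward
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order segments, by seq
    alerts: List[str] = field(default_factory=list)


def _consistent_with_delivered(st: Stream, seg: Segment) -> bool:
    """Bytes of seg that fall inside the already-delivered range must equal what
    was delivered; otherwise two payloads compete for the same sequence space."""
    first = st.next_seq - len(st.delivered)                  # seq of delivered[0]
    lo, hi = max(seg.seq, first), min(seg.seq + len(seg.data), st.next_seq)
    if lo >= hi:
        return True                                          # no overlap with delivered data
    return bytes(st.delivered[lo - first:hi - first]) == seg.data[lo - seg.seq:hi - seg.seq]


def _drain(st: Stream) -> None:
    """Move held segments into the stream while they fill the next gap exactly."""
    while st.next_seq in st.pending:
        data = st.pending.pop(st.next_seq)
        st.delivered += data
        st.next_seq += len(data)
    for seq in [s for s, d in st.pending.items() if s + len(d) <= st.next_seq]:
        del st.pending[seq]                                  # now entirely behind the stream


def feed(st: Stream, seg: Segment) -> bool:
    """Handle one segment. Returns True if accepted, False if dropped."""
    if not _consistent_with_delivered(st, seg):
        st.alerts.append(f"seq {seg.seq}: retransmission payload differs from delivered data")
        return False
    end = seg.seq + len(seg.data)
    if end <= st.next_seq:
        return True                                          # plain retransmission, nothing new
    if seg.seq > st.next_seq:                                # gap in front of it: hold it
        held = st.pending.get(seg.seq)
        if held is not None and held != seg.data:            # toy: only same-start conflicts
            st.alerts.append(f"seq {seg.seq}: conflicting out-of-order payloads")
            return False
        st.pending[seg.seq] = seg.data
        return True
    st.delivered += seg.data[st.next_seq - seg.seq:]         # drop the already-seen prefix
    st.next_seq = end
    _drain(st)
    return True


def reassemble(isn: int, segments: List[Segment]) -> Stream:
    st = Stream(next_seq=isn)
    for seg in segments:
        feed(st, seg)
    return st


# Constructed traffic: an HTTP request split into segments that arrive out of
# order, with one honest retransmission and one evasion attempt that resends
# the first sequence range with different bytes.
ISN = 1000
SEGMENTS = [
    Segment(1000, b"GET /"),
    Segment(1011, b"HTTP/1.1\r\n"),          # arrives before the bytes in front of it
    Segment(1005, b"index "),
    Segment(1005, b"index "),                # legitimate retransmission
    Segment(1000, b"XXX /"),                 # same sequence range, different payload
    Segment(1021, b"Host: a\r\n\r\n"),
]

if __name__ == "__main__":
    st = reassemble(ISN, SEGMENTS)
    print(bytes(st.delivered))               # the coherent stream the application sees
    print(st.alerts)                         # the evasion attempt, flagged and dropped
```

    The stream handed upward is the original request; the second "1000" segment never reaches it, so the inspection code and the destination agree on every byte, which is point (2) of the definition.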

    PSLXL
    Technology name for the combination of SecureXL and PSL (Passive Streaming Library) in R80.20 and higher versions. In R80.10 and lower versions, this technology was called PXL (PacketXL).

    PXL
    See "PSLXL".

    R

    Rule
    A set of traffic parameters and other conditions in a Rule Base that cause specified actions to be taken for a communication session.

    Rule Base
    Also Rulebase. All rules configured in a given Security Policy.

    RX Queue
    Receive packet queue. See "Multi-Queue".


    S

    Secondary Multi-Domain Server
    The Multi-Domain Server in Management High Availability that you install as Secondary.

    SecureXL
    Check Point product that accelerates IPv4 and IPv6 traffic. Installed on Security Gateways for significant performance improvements.

    Security Gateway
    A computer that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

    Security Management Server
    A computer that runs Check Point software to manage the objects and policies in a Check Point environment.

    Security Policy
    A collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.

    SIC
    Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.

    Single Sign-On
    A property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly signs on at each system. This is typically accomplished using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on (directory) servers. Acronym: SSO.

    Slow Path
    See "Firewall Path".


    SmartConsole
    A Check Point GUI application used to manage Security Policies, monitor products and events, install updates, provision new devices and appliances, and manage a multi-domain environment and each domain.

    SmartDashboard
    A legacy Check Point GUI client used to create and manage the security settings in R77.30 and lower versions.

    Software Blade
    A software blade is a security solution based on specific business needs. Each blade is independent, modular and centrally managed. To extend security, additional blades can be quickly added.

    SSO
    See "Single Sign-On".

    Standalone
    A Check Point computer, on which both the Security Gateway and Security Management Server products are installed and configured.

    T

    Traffic
    Flow of data between network devices.

    TX Queue
    Transmit packet queue. See "Multi-Queue".

    U

    Users
    Personnel authorized to use network resources and applications.


    V

    VLAN
    Virtual Local Area Network. Open servers or appliances connected to a virtual network, which are not physically connected to the same network.

    VLAN Trunk
    A connection between two switches that contains multiple VLANs.

    VSX
    Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.

    VSX Gateway
    Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.

  • Introduction to Performance Tuning

    These features improve the performance of the Check Point Security Gateway:

    - SecureXL - accelerates traffic (see "SecureXL" on page 24)

    - CoreXL - runs multiple Firewall instances at the same time (see "CoreXL" on page 279)

    - Multi-Queue - configures multiple traffic queues for each network interface (see "Multi-Queue" on page 378)

  • SecureXL

    This feature accelerates traffic that passes through the Security Gateway.

  • Accelerated Features


    - Access Control

    - Encryption

    - NAT

    - Software Blades

      - Firewall

      - IPS features

      - Application Control

      - URL Filtering

      - Anti-Virus

      - Anti-Bot

      - Identity Awareness (SecureXL does not create templates for traffic from Identity Agents)

      - VPN Site-to-Site

      - HTTPS Inspection

      - QoS

    - Policy installation

    - Accounting and logging

    - Connection/session rate

    - General security checks

    - ClusterXL High Availability and Load Sharing

    - TCP Sequence Verification

    - Dynamic VPN

    - Passive streaming

    - Active streaming

  • Packet Flow

    The general packet flow through the Host Security Appliance is shown in the flow diagram of the guide, which is not reproduced here.


    For additional information, see this thread on the Check Point CheckMates Community:


    https://community.checkpoint.com/docs/DOC-3041-r80x-security-gateway-architecture-logical-packet-flow


  • Connection Templates

    The Connection Templates feature increases the rate at which new connections from the same source IP address to the same destination IP address and the same destination port are established.

    To achieve the maximum acceleration enhancement, only the Firewall on the Host Security Appliance creates these Connection Templates from active connections according to the Rule Base.

    Important - For the list of restrictions that apply to the Connection Templates, see sk32578.

    http://supportcontent.checkpoint.com/solutions?id=sk32578

  • Policy Installation Acceleration

    Acceleration stays enabled during policy installation: SecureXL continues to run while a policy is installed.

    This decreases the load on the Security Gateway's CPU.

    Scalable Performance

    R80.20 and higher versions include improved SecureXL scalability during high session rates.

    As a result, there are no longer limitations on the number of CoreXL SND cores (see "CoreXL" on page 279).

    Configuring SecureXL

    The Gaia First Time Configuration Wizard automatically installs and enables SecureXL on your Security Gateway. No additional configuration is required.

    Starting from R80.20, you can disable SecureXL only temporarily.

    SecureXL starts automatically when you start Check Point services (with the cpstart command), or reboot the Security Gateway.

    Important:

    n Disable SecureXL only for debug purposes, if Check Point Support explicitly instructs you to do so.

    n If you disable SecureXL, this change does not survive reboot.

    SecureXL remains disabled until you enable it again on-the-fly, or reboot the Security Gateway.

    n If you disable SecureXL, this change applies only to new connections that arrive after you disabled the acceleration.

    SecureXL continues to accelerate the connections that are already accelerated.

    Other non-connection oriented processing continues to function (for example, virtual defragmentation and VPN decrypt).

    n In a Cluster, you must configure SecureXL in the same way on all of the Cluster Members.

    To temporarily disable SecureXL for IPv4

    Step Description

    1 Connect to the command line on your Security Gateway.

    2 Log in to Gaia Clish, or Expert mode.

    3 Examine the SecureXL status:

    fwaccel stat

    4 Disable the SecureXL:

    fwaccel off [-a]

    5 Examine the SecureXL status again:

    fwaccel stat

    To temporarily disable SecureXL for IPv6

    Step Description

    1 Connect to the command line on your Security Gateway.

    2 Log in to Gaia Clish, or Expert mode.

    3 Examine the SecureXL status:

    fwaccel6 stat

    4 Disable the SecureXL:

    fwaccel6 off [-a]

    5 Examine the SecureXL status again:

    fwaccel6 stat

    To enable SecureXL again for IPv4

    Step Description

    1 Connect to the command line on your Security Gateway.

    2 Log in to Gaia Clish, or Expert mode.

    3 Examine the SecureXL status:

    fwaccel stat

    4 Enable the SecureXL:

    fwaccel on [-a]

    5 Examine the SecureXL status again:

    fwaccel stat

    To enable SecureXL again for IPv6

    Step Description

    1 Connect to the command line on your Security Gateway.

    2 Log in to Gaia Clish, or Expert mode.

    3 Examine the SecureXL status:

    fwaccel6 stat

    4 Enable the SecureXL:

    fwaccel6 on [-a]

    5 Examine the SecureXL status again:

    fwaccel6 stat

    For more information on these commands, see:

    n "fwaccel stat" on page 101

    n "fwaccel off" on page 87

    n "fwaccel on" on page 91

    Analyzing the Accelerated Traffic

    To capture and analyze the accelerated traffic, use the "fw monitor" on page 178 command.

    Rate Limiting for DoS Mitigation

    Introduction

    Rate Limiting is a defense against DoS (Denial of Service) attacks.

    Rate Limiting rules let you limit traffic that comes from specified sources, or is sent to specified destinations, and uses specific services.

    Rate limiting is enforced by SecureXL on these:

    n Bandwidth and packet rate

    n Number of concurrent connections

    n Connection rate

    For additional information, see sk112454.

    Use these commands to configure Rate Limiting for DoS Mitigation:

    n "fw sam_policy" and "fw6 sam_policy" (see "fw sam_policy" on page 208 - you must use the parameter "quota ")

    n "fwaccel dos config" and "fwaccel6 dos config" (see "fwaccel dos config" on page 64)

    Monitoring Events Related to DoS Mitigation

    To see some information related to DoS Mitigation, run these commands:

    Command Description

    fwaccel stats

    fwaccel6 stats

    Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules).

    See:

    n "fwaccel stats" on page 107

    n "The /proc/ppk/ and /proc/ppk6/ entries" on page 233

    fwaccel stats -d

    or

    cat /proc/ppk/drop_statistics

    fwaccel6 stats -d

    or

    cat /proc/ppk6/drop_statistics

    Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules).

    See:

    n "fwaccel stats" on page 107

    n "The /proc/ppk/ and /proc/ppk6/ entries" on page 233

    n "fw sam_policy" on page 208

    http://supportcontent.checkpoint.com/solutions?id=sk112454

    fw samp get -l | grep '^$' | xargs fwaccel dos rate get

    fw samp get -l | grep '^$' | xargs fwaccel6 dos rate get

    Shows details of active policy rules in long format (for IPv4 and IPv6 kernel modules).

    See "fw sam_policy get" on page 229.

    cat /proc/ppk/rlc

    Shows:

    n Total drop packets

    n Total drop bytes

    See "The /proc/ppk/ and /proc/ppk6/ entries" on page 233.

    In addition, see "SecureXL Debug" on page 254.

    Accelerated SYN Defender

    Introduction

    A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive.

    These half-open TCP connections eventually exceed the maximum available TCP connections. This causes a denial of service condition.

    The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created.

    The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on the Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as a proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.

    This is a sample TCP timeline diagram that shows a TCP connection through the Security Gateway with the enabled Accelerated SYN Defender:

    Note - In this example, we assume that there are no TCP retransmissions and no early data.

    [TCP timeline diagram: Client | Security Gateway with Accelerated SYN Defender | Server; steps (1) to (8) as described in the numbered list.]

    1. A Client sends a TCP [SYN] packet to a Server.

    2. The Accelerated SYN Defender replies to the Client with a TCP [SYN+ACK] packet that contains a special cookie in the Seq field.

    The Security Gateway does not maintain the connection state at this time.

    3. The Client sends a reply TCP [ACK] packet. This completes the Client-side of the TCP connection.

    4. The Accelerated SYN Defender checks if the SYN cookie in the Client's TCP [ACK] packet is legitimate.

    5. If the SYN cookie in the Client's TCP [ACK] packet is legitimate, the Accelerated SYN Defender sends a TCP [SYN] packet to the Server to begin the Server-side of the TCP connection.

    6. The Server replies with a TCP [SYN+ACK] packet.

    7. The Accelerated SYN Defender sends a TCP [ACK] packet to complete the Server-side of the TCP 3-way handshake.

    8. The Accelerated SYN Defender marks the TCP connection as established and records the TCP sequence adjustment between the two sides.

    SecureXL handles the TCP [SYN] packets. The Host Security Gateway handles the rest of the TCP connection setup.

    For each TCP connection the Accelerated SYN Defender establishes, the Security Gateway adjusts the TCP sequence number for the life of that TCP connection.
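    The eight-step exchange above, modelled as an added Python example (not Check Point code): a stateless SYN cookie travels in the SYN+ACK Seq field, an ACK with a wrong or stale cookie creates no state, and the sequence delta recorded at step 8 is applied to every later packet. The cookie construction (truncated HMAC), the 64-second validity bucket, the key and the sample addresses are assumptions of this example.

```python
import hashlib
import hmac
import struct

MOD32 = 1 << 32


class SynDefender:
    """Toy model of the Accelerated SYN Defender proxy described above.

    No state is kept for half-open connections (steps 1-3); state is created only
    after a valid cookie is echoed back (steps 4-8). The cookie layout and the
    64-second validity bucket are assumptions of this example.
    """

    def __init__(self, secret: bytes, clock):
        self._secret = secret
        self._clock = clock          # callable returning seconds, injectable for tests
        self._pending = {}           # 4-tuple -> cookie, while the server side is opened
        self.established = {}        # 4-tuple -> seq delta (server ISN - cookie)

    def _bucket(self):
        return int(self._clock()) // 64

    def _cookie(self, key, client_isn, bucket):
        """32-bit cookie: truncated HMAC over the 4-tuple, client ISN and time bucket."""
        msg = repr((key, client_isn, bucket)).encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return struct.unpack(">I", tag[:4])[0]

    def on_client_syn(self, key, client_seq):
        """Steps 1-2: answer SYN+ACK with the cookie as Seq; store nothing."""
        cookie = self._cookie(key, client_seq, self._bucket())
        return {"flags": "SYN+ACK", "seq": cookie, "ack": (client_seq + 1) % MOD32}

    def on_client_ack(self, key, client_seq, client_ack):
        """Steps 3-5: verify the echoed cookie; if valid, open the server side."""
        client_isn = (client_seq - 1) % MOD32
        echoed = (client_ack - 1) % MOD32
        now = self._bucket()
        if not any(echoed == self._cookie(key, client_isn, b) for b in (now, now - 1)):
            return None              # wrong or stale cookie: dropped, still no state
        self._pending[key] = echoed
        return {"flags": "SYN", "seq": client_isn, "ack": 0}

    def on_server_synack(self, key, server_seq, server_ack):
        """Steps 6-8: ACK the server and record the delta between the two sides."""
        cookie = self._pending.pop(key)
        self.established[key] = (server_seq - cookie) % MOD32
        return {"flags": "ACK", "seq": server_ack, "ack": (server_seq + 1) % MOD32}

    def translate_to_client(self, key, seq):
        """Server->client packets: shift Seq into the cookie-based space the client saw."""
        return (seq - self.established[key]) % MOD32

    def translate_to_server(self, key, ack):
        """Client->server packets: shift Ack back into the server's real sequence space."""
        return (ack + self.established[key]) % MOD32


def run_handshake(client_isn=1000, server_isn=5_000_000, bad_acks=3):
    """Drives one legitimate connection through all eight steps, interleaved with
    ACKs that carry wrong cookies, which the proxy must drop without keeping state."""
    key = ("192.168.20.30", 40000, "172.16.40.50", 22)      # constructed 4-tuple
    gw = SynDefender(b"example-secret", clock=lambda: 1_700_000_000)

    synack = gw.on_client_syn(key, client_isn)                         # steps 1-2
    dropped = sum(
        gw.on_client_ack(key, client_isn + 1, (synack["seq"] + 7 + i) % MOD32) is None
        for i in range(bad_acks))
    to_server = gw.on_client_ack(key, client_isn + 1, (synack["seq"] + 1) % MOD32)  # 3-5
    assert to_server is not None and to_server["flags"] == "SYN"
    ack_to_server = gw.on_server_synack(key, server_isn, client_isn + 1)   # steps 6-8

    # Life of the connection: the server sends 100 bytes, the client acknowledges them.
    seq_seen_by_client = gw.translate_to_client(key, (server_isn + 1) % MOD32)
    ack_for_server = gw.translate_to_server(key, (seq_seen_by_client + 100) % MOD32)
    return {
        "cookie": synack["seq"],
        "delta": gw.established[key],
        "server_ack": ack_to_server["ack"],
        "client_sees_seq": seq_seen_by_client,
        "server_gets_ack": ack_for_server,
        "bad_acks_dropped": dropped,
    }


if __name__ == "__main__":
    for name, value in run_handshake().items():
        print(f"{name:>18}: {value}")
```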

    Command Line Interface

    Use the "fwaccel synatk" on page 130 commands to configure the Accelerated SYN Defender.

    Configuring the 'SYN Attack' protection in SmartConsole

    The 'SYN Attack' protection is intended for mitigating SYN Flood attacks:

    Step Instructions

    1 Connect with SmartConsole to the Management Server.

    2 From the left navigation panel, click Security Policies.

    3 In the Shared Policies section, click Inspection Settings.

    4 In the top field, search for SYN Attack.

    5 Double-click on the SYN Attack protection.

    6 Edit the applicable Inspection profile.

    7 Configure the applicable settings in the profile:

    n On the General Properties page:

    If you select Override with Action and then Accept or Drop, it overrides the settings you make on the Security Gateway with the "fwaccel synatk" on page 130 commands.

    n On the Advanced page:

    The option you select in the Activation Settings (Protect all interfaces or Protect external interfaces only) overrides the settings you make on the Security Gateway with the "fwaccel synatk" on page 130 commands.

    9 Install the Access Control Policy.

    For more information about the SYN Attack protection in SmartConsole, see sk120476.

    http://supportcontent.checkpoint.com/solutions?id=sk120476

    SecureXL Commands and Debug

    This section describes:

    n SecureXL CLI commands

    n SecureXL CLI Debug

    Syntax Legend

    Whenever possible, this guide lists commands, parameters and options in alphabetical order.

    This guide uses this convention in the Command Line Interface (CLI) syntax:

    Character Description

    TAB Shows the available nested subcommands:

    main command

    → nested subcommand 1

    → → nested subsubcommand 1-1

    → → nested subsubcommand 1-2

    → nested subcommand 2

    Example:

    cpwd_admin

        config

            -a

            -d

            -p

            -r

        del

    Meaning, you can run only one of these commands:

    n This command:

    cpwd_admin config -a

    n Or this command:

    cpwd_admin config -d

    n Or this command:

    cpwd_admin config -p

    n Or this command:

    cpwd_admin config -r

    n Or this command:

    cpwd_admin del

    Curly brackets or braces

    { }

    Enclose a list of available commands or parameters, separated by the vertical bar |.

    User can enter only one of the available commands or parameters.

    Angle brackets

    < >

    Enclose a variable.

    User must explicitly specify a supported value.

    Square brackets or brackets

    [ ]

    Enclose an optional command or parameter, which the user can also enter.

    'fwaccel' and 'fwaccel6'

    Description

    The fwaccel commands control the acceleration for IPv4 traffic.

    The fwaccel6 commands control the acceleration for IPv6 traffic.

    Syntax for IPv4

    fwaccel help

    fwaccel [-i ]

          cfg

          conns

          dbg

          dos

          feature

          off

          on

          ranges

          stat

          stats

          synatk

          tab

          templates

          ver

    Syntax for IPv6

    fwaccel6 help

    fwaccel6

          conns

          dbg

          dos

          feature

          off

          on

          ranges

          stat

          stats

          synatk

          tab

          templates

          ver

    Parameters and Options

    Parameter and Options Description

    help Shows the built-in help.

    -i Specifies the SecureXL instance ID (for IPv4 only).

    cfg Controls the SecureXL acceleration parameters.

    See "fwaccel cfg" on page 47.

    conns Shows all connections that pass through SecureXL.

    See "fwaccel conns" on page 50.

    dbg Controls the "SecureXL Debug" on page 254.

    See "fwaccel dbg" on page 255.

    dos Controls the Rate Limiting for DoS Mitigation in SecureXL.

    See "fwaccel dos" on page 60.

    feature Controls the specified SecureXL features.

    See "fwaccel feature" on page 84.

    off Stops the acceleration on-the-fly. This does not survive reboot.

    See "fwaccel off" on page 87.

    on Starts the acceleration on-the-fly, if it was previously stopped.

    See "fwaccel on" on page 91.

    ranges Shows the loaded ranges.

    See "fwaccel ranges" on page 95.

    stat Shows the SecureXL status.

    See "fwaccel stat" on page 101.

    stats Shows the acceleration statistics.

    See "fwaccel stats" on page 107.

    synatk Controls the Accelerated SYN Defender.

    See "fwaccel synatk" on page 130.

    tab Shows the contents of the specified SecureXL table.

    See "fwaccel tab" on page 155.

    templates Shows the SecureXL templates.

    See "fwaccel templates" on page 159.

    ver Shows the SecureXL and FireWall version.

    See "fwaccel ver" on page 163.

    fwaccel cfg

    Description

    The fwaccel cfg command controls the SecureXL acceleration parameters.

    Important - In Cluster, you must configure all the Cluster Members in the same way.

    Syntax

    fwaccel cfg

          -h

          -a { | | reset}

          -b {on | off}

          -c

          -d

          -e

          -i {on | off}

          -l

          -m

          -p {on | off}

          -r

          -v

          -w {on | off}

    Important:

    n These commands do not provide output. You cannot see the currently configured values.

    n Changes made with these commands do not survive reboot.

    Parameters

    Parameter Description

    -h Shows the applicable built-in help.

    -a

    -a

    -a reset

    n -a - Configures SecureXL not to accelerate traffic on the interface specified by its internal number in the Check Point kernel.

    n -a - Configures SecureXL not to accelerate traffic on the interface specified by its name.

    n -a reset - Configures SecureXL to accelerate traffic on all interfaces (resets the non-accelerated configuration).

    Notes:

    n This command does not support Falcon Acceleration Cards.

    n To see the required information about the interfaces, run these commands in the specified order:

    fw getifs

    fw ctl iflist

    n To see if the "fwaccel cfg -a ..." command failed, run this command:

    tail -n 10 /var/log/messages

    -b {on |off}

    Controls the SecureXL Drop Templates match (sk66402):

    n on - Enables the SecureXL Drop Templates match

    n off - Disables the SecureXL Drop Templates match

    Note - In R80.40, SecureXL does not support this parameter yet.

    -c Configures the maximal number of connections at which SecureXL disables the templates.

    -d Configures the maximal number of delete retries.

    -e Configures the maximal number of general errors.

    -i {on |off}

    Configures SecureXL to ignore API version mismatch:

    n on - Ignore API version mismatch.

    n off - Do not ignore API version mismatch (this is the default).

    http://supportcontent.checkpoint.com/solutions?id=sk66402

    -l Configures the maximal number of entries in the SecureXL templates database.

    Valid values are:

    n 0 - To disable the limit (this is the default).

    n Between 10 and 524288 - To configure the limit.

    Important - If you configure a limit, you must stop and start the acceleration for this change to take effect. Run the "fwaccel off" on page 87 command and then the "fwaccel on" on page 91 command.

    -m Configures the timeout for entries in the SecureXL templates database.

    Valid values are:

    n 0 - To disable the timeout (this is the default).

    n Between 10 and 524288 - To configure the timeout.

    -p {on |off}

    Configures the offload of Connection Templates (if possible):

    n on - Enables the offload of new templates (this is the default).

    n off - Disables the offload of new templates.

    -r Configures the maximal number of retries for SecureXL API calls.

    -v Configures the interval between SecureXL statistics requests.

    Valid values are:

    n 0 - To disable the interval.

    n 1 and greater - To configure the interval.

    -w {on |off}

    Configures the support for warnings about the IPS protection Sequence Verifier:

    n on - Enables the support for these warnings.

    n off - Disables the support for these warnings.

    fwaccel conns

    Description

    The fwaccel conns and fwaccel6 conns commands show the list of the SecureXL connections on the local Security Gateway, or Cluster Member.

    Warning - If the number of concurrent connections is large, these commands can consume memory and CPU at a very high level when you run them (see sk118716).

    Syntax for IPv4

    fwaccel [-i ] conns

          -h

          -f

          -m

          -s

    Syntax for IPv6

    fwaccel6 conns

          -h

          -f

          -m

          -s

    Parameters

    Parameter Description

    -h Shows the applicable built-in help.

    -i Specifies the SecureXL instance ID (for IPv4 only).

    http://supportcontent.checkpoint.com/solutions?id=sk118716

    -f Shows the SecureXL Connections Table entries based on the specified filter flags.

    Notes:

    n To see the available filter flags, run:

    fwaccel conns -h

    n Each filter flag is one letter - capital, or small.

    n You can specify more than one flag.

    For example:

    fwaccel conns -f AaQq

    Available filter flags are:

    n A - Shows accounted connections (for which SecureXL counted the number of packets and bytes).

    n a - Shows not accounted connections.

    n C - Shows encrypted (VPN) connections.

    n c - Shows clear-text (not encrypted) connections.

    n F - Shows connections that SecureXL forwarded to Firewall.

    Note - In R80.40, SecureXL does not support this parameter.

    n f - Shows cut-through connections (which SecureXL accelerated).

    Note - In R80.40, SecureXL does not support this parameter.

    n H - Shows connections offloaded to the SAM card.

    Note - R80.40 does not support the SAM card (Known Limitation PMTR-18774).

    n h - Shows connections created in the SAM card.

    Note - R80.40 does not support the SAM card (Known Limitation PMTR-18774).

    n L - Shows connections, for which SecureXL created internal links.

    n l - Shows connections, for which SecureXL did not create internal links.

    n N - Shows connections that undergo NAT.

    Note - In R80.40, SecureXL does not support this parameter.

    n n - Shows connections that do not undergo NAT.

    Note - In R80.40, SecureXL does not support this parameter.

    n Q - Shows connections that undergo QoS.

    n q - Shows connections that do not undergo QoS.

    n S - Shows connections that undergo PXL.

    n s - Shows connections that do not undergo PXL.

    n U - Shows unidirectional connections.

    n u - Shows bidirectional connections.

    -m

    Specifies the maximal number of connections to show.

    Note - In R80.40, SecureXL does not support this parameter.

    -s Shows the summary of the SecureXL Connections Table (number of connections).

    Warning - Depending on the number of current connections, this command might consume memory at a very high level.

    Example - Default output from a non-VSX Gateway

    [Expert@MyGW:0]# fwaccel conns
    Source          SPort Destination     DPort PR Flags          C2S i/f S2C i/f Inst Identity
    --------------- ----- --------------- ----- -- -------------- ------- ------- ---- --------
    1.1.1.200       50586 1.1.1.100       18191  6 F............. 2/2     2/-        3 0
    192.168.0.244   35925 192.168.0.242   18192  6 F............. 1/1     -/-        1 0
    192.168.0.93      257 192.168.0.242   53932  6 F............. 1/1     1/-        0 0
    192.168.0.242      22 172.30.168.15   57914  6 F............. 1/1     -/-        2 0
    192.168.0.244   34773 192.168.0.242   18192  6 F............. 1/1     -/-        2 0
    192.168.0.88      138 192.168.0.255     138 17 F............. 1/1     -/-        0 0
    1.1.1.100       18191 1.1.1.200       55336  6 F............. 2/2     2/-        4 0
    192.168.0.242   18192 192.168.0.244   38567  6 F............. 1/1     -/-        4 0
    192.168.0.242   53932 192.168.0.93      257  6 F............. 1/1     1/-        0 0
    192.168.0.242   18192 192.168.0.244   62714  6 F............. 1/1     -/-        1 0
    192.168.0.244   33558 192.168.0.242   18192  6 F............. 1/1     -/-        5 0
    1.1.1.200       36359 1.1.1.100       18191  6 F............. 2/2     2/-        5 0
    1.1.1.200       55336 1.1.1.100       18191  6 F............. 2/2     2/-        4 0
    192.168.0.242   60756 192.168.0.93      257  6 F............. 1/1     1/-        4 0
    1.1.1.100       18191 1.1.1.200       36359  6 F............. 2/2     2/-        5 0
    1.1.1.100       18191 1.1.1.200       50586  6 F............. 2/2     2/-        3 0
    192.168.0.244   38567 192.168.0.242   18192  6 F............. 1/1     -/-        4 0
    192.168.0.242   18192 192.168.0.244   32877  6 F............. 1/1     -/-        5 0
    192.168.0.242   53806 192.168.47.45      53 17 F............. 1/1     1/-        3 0
    192.168.0.242   18192 192.168.0.244   33558  6 F............. 1/1     -/-        5 0
    172.30.168.15   57914 192.168.0.242      22  6 F............. 1/1     -/-        2 0
    192.168.0.255     138 192.168.0.88      138 17 F............. 1/1     -/-        0 0
    192.168.0.93      257 192.168.0.242   60756  6 F............. 1/1     1/-        4 0
    1.1.1.200       18192 1.1.1.100       37964  6 F............. 2/2     -/-        1 0
    1.1.1.100       37964 1.1.1.200       18192  6 F............. 2/2     -/-        1 0
    192.168.0.244   32877 192.168.0.242   18192  6 F............. 1/1     -/-        5 0
    192.168.0.242   18192 192.168.0.244   34773  6 F............. 1/1     -/-        2 0
    192.168.0.242   18192 192.168.0.244   35925  6 F............. 1/1     -/-        1 0
    192.168.47.45      53 192.168.0.242   53806 17 F............. 1/1     1/-        3 0
    192.168.0.244   62714 192.168.0.242   18192  6 F............. 1/1     -/-        1 0

    Idx Interface
    --- ---------
    0   lo
    1   eth0
    2   eth1

    Total number of connections: 30
    [Expert@MyGW:0]#

    fwaccel dbg

    Description

    The fwaccel dbg command controls the SecureXL debug. See "SecureXL Debug" on page 254.

    Important - In Cluster, you must configure all the Cluster Members in the same way.

    Syntax

    fwaccel dbg

          -h

          -m

          all

          +

          -

          reset

          -f {"" | reset}

          list

          resetall

    Parameters

    Parameter Description

    -h Shows the applicable built-in help.

    -m

    Specifies the name of the SecureXL debug module.

    To see the list of available debug modules, run:

    fwaccel dbg

    all Enables all debug flags for the specified debug module.

    + Enables the specified debug flags for the specified debug module:

    Syntax:

    + Flag1 [Flag2 Flag3 ... FlagN]

    Note - You must press the space bar key after the plus (+) character.

    - Disables all debug flags for the specified debug module.

    Syntax:

    - Flag1 [Flag2 Flag3 ... FlagN]

    Note - You must press the space bar key after the minus (-) character.

    reset Resets all debug flags for the specified debug module to their default state.

    -f ""

    Configures the debug filter to show only debug messages that contain the specified connection.

    The filter is a string of five numbers separated with commas:

    ",,,,"

    Notes:

    n You can configure only one debug filter at one time.

    n You can use the asterisk "*" as a wildcard for an IP Address, Port number, or Protocol number.

    n For more information, see IANA Service Name and Port Number Registry and IANA Protocol Numbers.

    -f reset Resets the current debug filter.

    list Shows all enabled debug flags in all debug modules.

    resetall Reset all debug flags for all debug modules to their default state.

    https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

    https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
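    A checker for the five-field connection filter of the -f parameter, as an added Python example (not Check Point code): it parses the comma-separated string in the field order of Example 4 below (source IP, source port, destination IP, destination port, protocol number), treats "*" as a wildcard, rejects malformed fields, and tests constructed 5-tuples against the filter. The field names in the docstring and the sample connections are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One connection as (source IP, source port, destination IP, destination port, protocol)
Conn = Tuple[str, int, str, int, int]


def _ip(field: str) -> Optional[str]:
    """Wildcard -> None; otherwise a valid IPv4/IPv6 address (ValueError on garbage)."""
    return None if field == "*" else str(ipaddress.ip_address(field))


def _num(field: str, lo: int, hi: int, what: str) -> Optional[int]:
    """Wildcard -> None; otherwise an integer inside the allowed range."""
    if field == "*":
        return None
    value = int(field)                       # ValueError on non-numeric text
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} is outside {lo}-{hi}")
    return value


@dataclass(frozen=True)
class DebugFilter:
    """Parsed form of the filter string "<src>,<sport>,<dst>,<dport>,<proto>"
    (field names assumed by this example)."""
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    proto: Optional[int]

    @classmethod
    def parse(cls, text: str) -> "DebugFilter":
        fields = [f.strip() for f in text.strip().strip('"').split(",")]
        if len(fields) != 5:
            raise ValueError(f"expected 5 comma-separated fields, got {len(fields)}")
        src, sport, dst, dport, proto = fields
        return cls(_ip(src), _num(sport, 0, 65535, "port"),
                   _ip(dst), _num(dport, 0, 65535, "port"),
                   _num(proto, 0, 255, "protocol"))

    def matches(self, conn: Conn) -> bool:
        """A None field is a wildcard; every other field must match exactly."""
        wanted = (self.src, self.sport, self.dst, self.dport, self.proto)
        return all(w is None or w == have for w, have in zip(wanted, conn))


def check(text: str) -> str:
    """'ok' when the filter string would be accepted, else the reason it is rejected."""
    try:
        DebugFilter.parse(text)
        return "ok"
    except ValueError as exc:
        return f"invalid: {exc}"


def select(text: str, conns: List[Conn]) -> List[Conn]:
    """Connections whose debug messages the filter would let through."""
    flt = DebugFilter.parse(text)
    return [c for c in conns if flt.matches(c)]


# Constructed sample connections (not real traffic), in the filter's field order.
SAMPLE_CONNS: List[Conn] = [
    ("192.168.20.30", 51022, "172.16.40.50", 22, 6),    # SSH, matches Example 4
    ("192.168.20.30", 51023, "172.16.40.50", 22, 6),    # second SSH session
    ("192.168.20.30", 51024, "172.16.40.50", 443, 6),   # HTTPS, different port
    ("192.168.20.31", 51022, "172.16.40.50", 22, 6),    # SSH from another host
    ("192.168.20.30", 53000, "172.16.40.50", 22, 17),   # UDP to port 22
]

if __name__ == "__main__":
    example4 = "192.168.20.30,*,172.16.40.50,22,6"
    print(check(example4), select(example4, SAMPLE_CONNS))
```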

    Example 1 - Default output

    [Expert@MyGW:0]# fwaccel dbg
    Usage: fwaccel dbg [-m ] [resetall | reset | list | all | +/- ]
    -m  - module of debugging
    -h  - this help message
    resetall - reset all debug flags for all modules
    reset - reset all debug flags for module
    all - set all debug flags for module
    list - list all debug flags for all modules
    -f reset | "" - filter debug messages
    + - set the given debug flags
    - - unset the given debug flags

    List of available modules and flags:

    Module: default (default)
    err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf statqueue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

    Module: db
    err get save del tmpl tmo init ant profile nmr nmt

    Module: api
    err init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf upd_if_inf add_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_ver del_all_tmpl get_state upd_link_sel

    Module: pkt
    err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user deliver vlan pktnat wrp corr caf

    Module: infras
    err reorder pm

    Module: tmpl
    err dtmpl_get dtmpl_notif tmpl

    Module: vpn
    err vpnpkt linksel routing vpn

    Module: nac
    err db db_get pkt pkt_ex signature offload idnt ioctl nac

    Module: cpaq
    init client server exp cbuf opreg transport transport_utils error

    Module: synatk
    init conf conn err log pkt proxy state msg

    Module: adp
    err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

    Module: dos
    fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

    [Expert@MyGW:0]#

    Example 2 - Enabling and disabling of debug flags

    [Expert@MyGW:0]# fwaccel dbg -m default + err conn
    Debug flags updated.
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dbg list

    Module: default (2001)
    err conn

    Module: db (1)
    err

    Module: api (1)
    err

    Module: pkt (1)
    err

    Module: infras (1)
    err

    Module: tmpl (1)
    err

    Module: vpn (1)
    err

    Module: nac (1)
    err

    Module: cpaq (100)
    error

    Module: synatk (0)

    Module: adp (1)
    err

    Module: dos (10)
    err

    Debug filter not set.
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dbg -m default - conn
    Debug flags updated.
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dbg list

    Module: default (1)
    err

    Module: db (1)
    err

    Module: api (1)
    err

    Module: pkt (1)
    err

    Module: infras (1)
    err

    Module: tmpl (1)
    err

    Module: vpn (1)
    err

    Module: nac (1)
    err

    Module: cpaq (100)
    error

    Module: synatk (0)

    Module: adp (1)
    err

    Module: dos (10)
    err

    Debug filter not set.
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dbg -m default reset
    Debug flags updated.
    [Expert@MyGW:0]#

    Example 3 - Resetting all debug flags in all debug modules

    [Expert@MyGW:0]# fwaccel dbg resetall
    Debug state was reset to default.
    [Expert@MyGW:0]#

    Example 4 - Configuring debug filter for an SSH connection from 192.168.20.30 to 172.16.40.50

    [Expert@MyGW:0]# fwaccel dbg -f 192.168.20.30,*,172.16.40.50,22,6
    Debug filter was set.
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dbg list

    ... ...

    Debug filter: ""
    [Expert@MyGW:0]#

    fwaccel dos

    Description

    The fwaccel dos and fwaccel6 dos commands control the Rate Limiting for DoS mitigation techniques in SecureXL on the local Security Gateway, or Cluster Member.

    Important:

    n On a VSX Gateway, first go to the context of an applicable Virtual System.

    In Gaia Clish, run: set virtual-system

    In Expert mode, run: vsenv

    n In Cluster, you must configure all the Cluster Members in the same way.

    Syntax for IPv4

    fwaccel [-i ] dos

          blacklist

          config

          pbox

          rate

          stats

          whitelist

    Syntax for IPv6

    fwaccel6 dos

          blacklist

          config

          rate

          stats

    Parameters

    Parameter Description

    -i Specifies the SecureXL instance ID (for IPv4 only).

    blacklist Controls the IP blacklist in SecureXL.

    See"fwaccel dos blacklist" on page 62.

    config Controls the DoS mitigation configuration in SecureXL.

    See "fwaccel dos config" on page 64.

    pbox Controls the Penalty Box whitelist in SecureXL.

    See "fwaccel dos pbox" on page 70.

    rate Shows and installs the Rate Limiting policy in SecureXL.

    See "fwaccel dos rate" on page 75.

    stats Shows and clears the DoS real-time statistics in SecureXL.

    See "fwaccel dos stats" on page 77.

    whitelist

    Configures the whitelist for source IP addresses in the SecureXL Penalty Box.

    See "fwaccel dos whitelist" on page 79.

    fwaccel dos blacklist

    Description

    The fwaccel dos blacklist and fwaccel6 dos blacklist commands control the IP blacklist in SecureXL.

    The blacklist blocks all traffic to and from the specified IP addresses.

    The blacklist drops occur in SecureXL, which is more efficient than dropping the packets with an Access Control Policy.

    Important:

    n On a VSX Gateway, first go to the context of an applicable Virtual System.

    In Gaia Clish, run: set virtual-system

    In Expert mode, run: vsenv

    n In Cluster, you must configure SecureXL in the same way on all the Cluster Members.

    n To enforce the IP blacklist in SecureXL, you must first enable the IP blacklists.

    See these commands:

    l "fwaccel dos config" on page 64

    l "fw sam_policy" on page 208 (let you configure more granular rules)

    Syntax for IPv4

    fwaccel [-i <SecureXL ID>] dos blacklist

          -a <IP Address>

          -d <IP Address>

          -F

          -s

    Syntax for IPv6

    fwaccel6 dos blacklist

          -a <IP Address>

          -d <IP Address>

          -F

          -s

    Parameters

    Parameter Description

    -i <SecureXL ID>

    Specifies the SecureXL instance ID (for IPv4 only).

    No Parameters Shows the applicable built-in usage.

    -a <IP Address>

    Adds the specified IP address to the blacklist.

    To add more than one IP address, run this command for each applicable IP address.

    -d <IP Address>

    Removes the specified IP address from the blacklist.

    To remove more than one IP address, run this command for each applicable IP address.

    -F Removes (flushes) all IP addresses from the blacklist.

    -s Shows the configured blacklist.

    Example from a non-VSX Gateway

    [Expert@MyGW:0]# fwaccel dos blacklist -s
    The blacklist is empty
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos blacklist -a 1.1.1.1
    Adding 1.1.1.1
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos blacklist -s
    1.1.1.1
    [Expert@MyGW:0]# fwaccel dos blacklist -a 2.2.2.2
    Adding 2.2.2.2
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos blacklist -s
    2.2.2.2
    1.1.1.1
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos blacklist -d 2.2.2.2
    Deleting 2.2.2.2
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos blacklist -s
    1.1.1.1
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos blacklist -F
    All blacklist entries deleted
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos blacklist -s
    The blacklist is empty
    [Expert@MyGW:0]#

    fwaccel dos config

    Description

    The fwaccel dos config and fwaccel6 dos config commands control the global configuration parameters of the Rate Limiting for DoS mitigation in SecureXL.

    These global parameters apply to all configured Rate Limiting rules.

    Important:

    - On VSX Gateway, first go to the context of an applicable Virtual System:

      In Gaia Clish, run: set virtual-system <VSID>

      In Expert mode, run: vsenv <VSID>

    - In a cluster, you must configure all the Cluster Members in the same way.

    Syntax for IPv4

    fwaccel [-i <SecureXL ID>] dos config

          get

          set

    {--disable-rate-limit | --enable-rate-limit}

    {--disable-pbox | --enable-pbox}

    {--disable-blacklists | --enable-blacklists}

    {--disable-drop-frags | --enable-drop-frags}

    {--disable-drop-opts | --enable-drop-opts}

    {--disable-internal | --enable-internal}

    {--disable-monitor | --enable-monitor}

    {--disable-log-drops | --enable-log-drops}

    {--disable-log-pbox | --enable-log-pbox}

    {-n <Rate> | --notif-rate <Rate>}

    {-p <Rate> | --pbox-rate <Rate>}

    {-t <Timeout> | --pbox-tmo <Timeout>}

    Syntax for IPv6

    fwaccel6 dos config

          get

          set

    {--disable-rate-limit | --enable-rate-limit}

    {--disable-pbox | --enable-pbox}

    {--disable-blacklists | --enable-blacklists}

    {--disable-drop-frags | --enable-drop-frags}

    {--disable-drop-opts | --enable-drop-opts}

    {--disable-internal | --enable-internal}

    {--disable-monitor | --enable-monitor}

    {--disable-log-drops | --enable-log-drops}

    {--disable-log-pbox | --enable-log-pbox}

    {-n <Rate> | --notif-rate <Rate>}

    {-p <Rate> | --pbox-rate <Rate>}

    {-t <Timeout> | --pbox-tmo <Timeout>}

    Parameters and Options

    Parameter or Option Description

    -i <SecureXL ID>

    Specifies the SecureXL instance ID (for IPv4 only).

    No Parameters Shows the applicable built-in usage.

    get Shows the configuration parameters.

    set Configures the parameters.

    --disable-blacklists

    Disables the IP blacklists.

    This is the default configuration.

    --disable-drop-frags

    Disables the drops of all fragmented packets. This is the default configuration.

    Important - This option applies only to VSX, and only for traffic that arrives at a Virtual System through a Virtual Switch (packets received through a Warp interface). From R80.20, IP fragment reassembly occurs in SecureXL before the Warp-jump from a Virtual Switch to a Virtual System. To block IP fragments, the Virtual Switch must be configured with this option. Otherwise, this has no effect, because the IP fragments would already be reassembled when they arrive at the Virtual System's Warp interface.

    --disable-drop-opts

    Disables the drops of all packets with IP options.

    This is the default configuration.

    --disable-internal

    Disables the enforcement on internal interfaces.

    This is the default configuration.

    --disable-log-drops

    Disables the notifications when the DoS module drops a packet due to the rate limiting policy.

    --disable-log-pbox

    Disables the notifications when SecureXL adds an IP address to the penalty box.

    --disable-monitor

    Disables the monitor mode, in which SecureXL accepts all packets that otherwise would be dropped.

    This is the default configuration.

    --disable-pbox Disables the IP penalty box.

    This is the default configuration.

    Also, see the "fwaccel dos pbox" on page 70 command.

    --disable-rate-limit

    Disables the enforcement of the rate limiting policy.

    This is the default configuration.

    --enable-blacklists

    Enables IP blacklists.

    Also, see the "fwaccel dos blacklist" on page 62 command.

    --enable-drop-frags

    Enables the drops of all fragmented packets.

    --enable-drop-opts

    Enables the drops of all packets with IP options.

    --enable-internal

    Enables the enforcement on internal interfaces.

    --enable-log-drops

    Enables the notifications when the DoS module drops a packet due to the rate limiting policy.

    This is the default configuration.

    --enable-log-pbox

    Enables the notifications when SecureXL adds an IP address to the penalty box.

    This is the default configuration.

    --enable-monitor

    Enables the acceptance of all packets that otherwise would be dropped.

    --enable-pbox Enables the IP penalty box.

    Also, see the "fwaccel dos pbox" on page 70 command.

    --enable-rate-limit

    Enables the enforcement of the rate limiting policy.

    Important - After you run this command, you must install the Access Control policy.

    -n <Rate>

    --notif-rate <Rate>

    Configures the maximal number of drop notifications per second for each SecureXL device.

    Range: 0 - (2^32 - 1)

    Default: 100

    -p <Rate>

    --pbox-rate <Rate>

    Configures the minimal rate of reported dropped packets (in packets per second) from a source before SecureXL adds that source IPv4 address to the penalty box.

    Range: 0 - (2^32 - 1)

    Default: 500

    -t <Timeout>

    --pbox-tmo <Timeout>

    Configures the number of seconds until SecureXL removes an IP address from the penalty box.

    Range: 0 - (2^32 - 1)

    Default: 180

    Example 1 - Get the current DoS configuration on a non-VSX Gateway

    [Expert@MyGW:0]# fwaccel dos config get
    rate limit: disabled (without policy)
    pbox: disabled
    blacklists: disabled
    log blacklist: disabled
    drop frags: disabled
    drop opts: disabled
    internal: disabled
    monitor: disabled
    log drops: disabled
    log pbox: disabled
    notif rate: 100 notifications/second
    pbox rate: 500 packets/second
    pbox tmo: 180 seconds
    [Expert@MyGW:0]#

    Example 2 - Enabling the Penalty Box on a non-VSX Gateway

    [Expert@MyGW:0]# fwaccel dos config set --enable-pbox
    OK
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos config get
    rate limit: disabled (without policy)
    pbox: enabled
    blacklists: disabled
    drop frags: disabled
    drop opts: disabled
    internal: disabled
    monitor: disabled
    log drops: enabled
    log pbox: enabled
    notif rate: 100 notifications/second
    pbox rate: 500 packets/second
    pbox tmo: 180 seconds
    [Expert@MyGW:0]#

    Making the configuration persistent

    The settings defined with the "fwaccel dos config set" and the "fwaccel6 dos config set" commands return to their default values during each reboot. To make these settings persistent, add the applicable commands to these configuration files:

    File Description

    $FWDIR/conf/fwaccel_dos_rate_on_install

    This shell script for IPv4 must contain only the fwaccel dos config set commands:

    #!/bin/bash
    fwaccel dos config set <options>

    $FWDIR/conf/fwaccel6_dos_rate_on_install

    This shell script for IPv6 must contain only the fwaccel6 dos config set commands:

    #!/bin/bash
    fwaccel6 dos config set <options>

    Important - Do not include the "fw sam_policy" on page 208 commands in these configuration files. The configured Rate Limiting policy survives reboot. If you add the fw sam_policy commands, the rate policy installer runs in an infinite loop.

    Notes:

    - To create or edit these files, log in to the Expert mode.

    - If these files do not already exist, create them with one of these commands:

      - touch $FWDIR/conf/<File Name>

      - vi $FWDIR/conf/<File Name>

    - On VSX Gateway, before you create these files, go to the context of an applicable Virtual System:

      - In Gaia Clish, run: set virtual-system <VSID>

      - In Expert mode, run: vsenv <VSID>

    - These files must start with the "#!/bin/bash" line.

    - These files must end with a new empty line.

    - After you create these files, you must assign the execute permission to them:

      chmod +x $FWDIR/conf/<File Name>

    Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

    #!/bin/bash
    fwaccel dos config set --enable-internal
    fwaccel dos config set --enable-pbox
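The rules above (the "#!/bin/bash" first line, only fwaccel dos config set commands, a trailing empty line, the execute bit, and no fw sam_policy lines) are easy to get wrong by hand, and a mistake only shows up after the next reboot. The following added example, which is not part of this guide or of Check Point's software, writes the IPv4 persistence script and checks an existing one against those rules. The helper names write_dos_on_install and validate_dos_on_install are the example's own; FWDIR is taken from the gateway environment and, as an assumption so the script also runs off a gateway, falls back to a scratch directory when it is unset.

```shell
#!/bin/bash
# Added example, not from the R80.40 guide. Builds and checks the
# $FWDIR/conf/fwaccel_dos_rate_on_install script described above.
# Assumption: FWDIR comes from the Gaia Expert-mode environment; off a
# gateway it is unset, so fall back to a scratch directory.
: "${FWDIR:=$(mktemp -d)}"
ON_INSTALL="$FWDIR/conf/fwaccel_dos_rate_on_install"

# write_dos_on_install FILE OPTION... : writes one "fwaccel dos config set"
# line per option, with the mandatory "#!/bin/bash" first line, a trailing
# empty line and the execute bit. Options are those listed under
# "fwaccel dos config" (for example --enable-pbox).
write_dos_on_install() {
    file=$1; shift
    mkdir -p "$(dirname "$file")"
    {
        printf '#!/bin/bash\n'
        for opt in "$@"; do
            printf 'fwaccel dos config set %s\n' "$opt"
        done
        printf '\n'          # the guide requires a final empty line
    } > "$file"
    chmod +x "$file"         # the guide requires execute permission
}

# validate_dos_on_install FILE : returns 0 only if FILE follows the guide's
# rules: executable, "#!/bin/bash" first, ends with an empty line, and every
# other non-empty line is "fwaccel dos config set ...". In particular any
# "fw sam_policy" / "fw samp" line is rejected, because it would make the
# rate policy installer loop (see the Important note above).
validate_dos_on_install() {
    file=$1
    [ -x "$file" ] || { echo "$file: not executable" >&2; return 1; }
    [ "$(head -n 1 "$file")" = '#!/bin/bash' ] \
        || { echo "$file: first line is not #!/bin/bash" >&2; return 1; }
    [ -z "$(tail -n 1 "$file")" ] \
        || { echo "$file: must end with an empty line" >&2; return 1; }
    tail -n +2 "$file" | while IFS= read -r line; do
        case "$line" in
            '') ;;
            'fwaccel dos config set '*) ;;
            *) echo "$file: disallowed line: $line" >&2; exit 1 ;;
        esac
    done
}

# Demonstration on the guide's own example content (--enable-internal and
# --enable-pbox); the same call works for any fwaccel dos config set options.
write_dos_on_install "$ON_INSTALL" --enable-internal --enable-pbox
if validate_dos_on_install "$ON_INSTALL"; then
    echo "valid persistence script $ON_INSTALL:"
    cat "$ON_INSTALL"
fi
```

Run validate_dos_on_install against both files ($FWDIR/conf/fwaccel_dos_rate_on_install and $FWDIR/conf/fwaccel6_dos_rate_on_install) after any edit; it reports the first rule the file breaks on stderr and returns non-zero, so it can also be used as a pre-reboot check in a change procedure.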

    fwaccel dos pbox

    Description

    The fwaccel dos pbox command controls the Penalty Box whitelist in SecureXL.

    The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack.

    The SecureXL Penalty Box detects clients that send packets which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address.

    The Penalty Box whitelist in SecureXL lets you configure the source IP addresses which the SecureXL Penalty Box never blocks.

    Important:

    - This command supports only IPv4.

    - On VSX Gateway, first go to the context of an applicable Virtual System:

      In Gaia Clish, run: set virtual-system <VSID>

      In Expert mode, run: vsenv <VSID>

    - In a cluster, you must configure SecureXL in the same way on all the Cluster Members.

    - To enforce the Penalty Box in SecureXL, you must first enable the Penalty Box.

      See these commands:

      - "fwaccel dos config" on page 64

      - "fwaccel dos whitelist" on page 79

      - "fwaccel synatk whitelist" on page 150

    Syntax for IPv4

    fwaccel [-i <SecureXL ID>] dos pbox

          flush

          whitelist

                -a <IP Address>[/<Subnet Prefix>]

                -d <IP Address>[/<Subnet Prefix>]

                -F

                -l <Path>/<File Name>

                -L

                -s

    Parameters

    Parameter Description

    -i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

    No Parameters Shows the applicable built-in usage.

    flush Removes (flushes) all source IP addresses from the Penalty Box.

    whitelist Configures the whitelist for source IP addresses in the SecureXL Penalty Box.

    Important - This whitelist overrides which packets the SecureXL Penalty Box drops. Before you use 3rd-party or automatic blacklists, add trusted networks and hosts to the whitelist to avoid outages.

    Note - This command is similar to the "fwaccel dos whitelist" on page 79 command.

    -a <IP Address>[/<Subnet Prefix>]

    Adds the specified IP address to the Penalty Box whitelist.

    - <IP Address> - Can be an IP address of a network or a host.

    - <Subnet Prefix> - Specifies the length of the subnet mask in the format /<Subnet Prefix>.

      Optional for a host IP address.

      Mandatory for a network IP address.

      Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

    Examples:

    - For a host:

      192.168.20.30

      192.168.20.30/32

    - For a network:

      192.168.20.0/24

    -d <IP Address>[/<Subnet Prefix>]

    Removes the specified IP address from the Penalty Box whitelist.

    - <IP Address> - Can be an IP address of a network or a host.

    - <Subnet Prefix> - Optional. Specifies the length of the subnet mask in the format /<Subnet Prefix>.

      Optional for a host IP address.

      Mandatory for a network IP address.

      Range - from /1 to /32.

    Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.

    -F Removes (flushes) all entries from the Penalty Box whitelist.

    -l <Path>/<File Name>

    Loads the Penalty Box whitelist entries from the specified plain-text file.

    Important:

    - You must manually create and configure this file with the touch or vi command.

    - You must assign at least the read permission to this file (for example, with the chmod +r command).

    - Each entry in this file must be on a separate line.

    - Each entry in this file must be in this format:

      <IP Address>[/<Subnet Prefix>]

    - SecureXL ignores empty lines and lines that start with the # character in this file.

    -L Loads the Penalty Box whitelist entries from the plain-text file with a predefined name:

    $FWDIR/conf/pbox-whitelist-v4.conf

    Security Gateway automatically runs the command fwaccel dos pbox whitelist -L during each boot.

    Important:

    - This file does not exist by default.

    - You must manually create and configure this file with the touch or vi command.

    - You must assign at least the read permission to this file (for example, with the chmod +r command).

    - Each entry in this file must be on a separate line.

    - Each entry in this file must be in this format:

      <IP Address>[/<Subnet Prefix>]

    - SecureXL ignores empty lines and lines that start with the # character in this file.

    -s Shows the current Penalty Box whitelist entries.

    Example 1 - Adding a host IP address without optional subnet prefix

    [Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -s
    192.168.20.40/32
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -F
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -s
    [Expert@MyGW:0]#

    Example 2 - Adding a host IP address with optional subnet prefix

    [Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -s
    192.168.20.40/32
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -F
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -s
    [Expert@MyGW:0]#

    Example 3 - Adding a network IP address with mandatory subnet prefix

    [Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.0/24
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -s
    192.168.20.0/24
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -F
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -s
    [Expert@MyGW:0]#

    Example 4 - Deleting an entry

    [Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.70/32
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -s
    192.168.20.40/32
    192.168.20.70/32
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -d 192.168.20.70/32
    [Expert@MyGW:0]#
    [Expert@MyGW:0]# fwaccel dos pbox whitelist -s
    192.168.20.40/32
    [Expert@MyGW:0]#
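Both the Penalty Box whitelist file (loaded with -l, or at boot with -L from $FWDIR/conf/pbox-whitelist-v4.conf) and the IP blacklist (one fwaccel dos blacklist -a call per address, see page 63) take addresses that are only checked when the command runs, so a malformed line in the boot-time whitelist is noticed only after a reboot, and a trusted host that is missing from it can be penalty-boxed during an attack. The following added example, which is not part of this guide or of Check Point's software, validates such a file offline against the format the guide gives (<IP Address>[/<Subnet Prefix>], prefix /1 to /32, empty lines and # comments ignored) and, for the blacklist, runs the per-address loop the guide asks for. The function names, the sample file contents and the DRY_RUN switch are the example's own.

```shell
#!/bin/bash
# Added example, not from the R80.40 guide. Validates Penalty Box whitelist
# and blacklist entry files before handing them to fwaccel, and runs the
# one-address-per-call blacklist loop. Function names are the example's own.

# valid_ipv4 ADDR : 0 if ADDR is four dotted decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    save_ifs=$IFS; IFS=.; set -- $1; IFS=$save_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_entry ENTRY MODE : MODE "prefix" accepts <IP Address>[/<Subnet Prefix>]
# with the prefix in /1../32 (Penalty Box whitelist files); MODE "host"
# accepts a bare IPv4 address only (what "fwaccel dos blacklist -a" takes).
valid_entry() {
    case "$1" in
        */*)
            [ "$2" = prefix ] || return 1
            pfx=${1#*/}
            case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
            [ "$pfx" -ge 1 ] && [ "$pfx" -le 32 ] || return 1
            valid_ipv4 "${1%%/*}"
            ;;
        *) valid_ipv4 "$1" ;;
    esac
}

# check_entry_file FILE MODE : reports every malformed non-comment line on
# stderr; returns 0 only if all entries are valid. Empty lines and lines
# starting with "#" are skipped, as SecureXL skips them; surrounding
# whitespace is tolerated because read strips it.
check_entry_file() {
    bad=0; lineno=0
    while read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        valid_entry "$line" "$2" || {
            echo "$1:$lineno: invalid entry '$line'" >&2
            bad=$((bad + 1))
        }
    done < "$1"
    [ "$bad" -eq 0 ]
}

# apply_blacklist_file FILE : the guide says to run "fwaccel dos blacklist -a"
# once per address, so loop over a validated file. With DRY_RUN=1 the
# commands are printed instead of run (there is no fwaccel off a gateway).
apply_blacklist_file() {
    check_entry_file "$1" host || return 1
    while read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "fwaccel dos blacklist -a $line"
        else
            fwaccel dos blacklist -a "$line"
        fi
    done < "$1"
}

# Constructed sample files (example data, not from the guide). The whitelist
# deliberately contains two bad lines: a /0 prefix and an octet above 255.
work=$(mktemp -d)
cat > "$work/pbox-whitelist-v4.conf" <<'EOF'
# trusted management network and monitoring host
192.168.20.0/24
192.168.20.40
10.0.0.0/0
300.1.1.1
EOF
cat > "$work/blacklist.txt" <<'EOF'
# known scanners, one address per line
1.1.1.1
2.2.2.2
EOF

check_entry_file "$work/pbox-whitelist-v4.conf" prefix \
    || echo "fix the whitelist before running: fwaccel dos pbox whitelist -L"
DRY_RUN=1
apply_blacklist_file "$work/blacklist.txt"
```

Copy a validated whitelist to $FWDIR/conf/pbox-whitelist-v4.conf (and make sure it is readable) so that the boot-time fwaccel dos pbox whitelist -L loads exactly what was checked; for the blacklist, unset DRY_RUN on the gateway to run the real commands.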

    fwaccel dos rate

    Description

    The fwaccel dos rate and fwaccel6 dos rate commands show and install the Rate Limiting policy in SecureXL.

    Important:

    - On VSX Gateway, first go to the context of an applicable Virtual System:

      In Gaia Clish, run: set virtual-system <VSID>

      In Expert mode, run: vsenv <VSID>

    - In a cluster, you must configure SecureXL in the same way on all the Cluster Members.

    Syntax for IPv4

    fwaccel [-i <SecureXL ID>] dos rate

          get '<Rule UID or Rule Index>'

          install

    Syntax for IPv6

    fwaccel6 dos rate

          get '<Rule UID or Rule Index>'

          install

    Parameters

    Parameter Description

    -i <SecureXL ID>

    Specifies the SecureXL instance ID (for IPv4 only).

    No Parameters Shows the applicable built-in usage.

    get '<Rule UID or Rule Index>'

    Shows information about the rule specified by its Rule UID or its zero-based rule index.

    The quote marks and angle brackets ('<...>') are mandatory.

    install Installs a new rate limiting policy.

    Important - This command requires input from the stdin.

    To use this command, run:

    fw sam_policy get -l -k req_type -t in -v quota | fwaccel dos rate install

    For more information about the fw sam_policy command, see "fw sam_policy" on page 208.

    Notes

    - If you install a new rate limiting policy with more than one rule, it automatically enables the rate limiting feature.

      To disable the rate limiting feature manually, run this command (see "fwaccel dos config" on page 64):

    fwaccel dos config set --disable-rate-limit

    - To delete the current rate limiting policy, install a new policy with zero rules.

    fwaccel dos stats

    Description

    The fwaccel dos stats and fwaccel6 dos stats commands show and clear the DoS real-time statistics in SecureXL.

    Important:

    - On VSX Gateway, first go to the context of an applicable Virtual System:

      In Gaia Clish, run: set virtual-system <VSID>

      In Expert mode, run: vsenv <VSID>

    - In a cluster, you must configure SecureXL in the same way on all the Cluster Members.

    Syntax for IPv4

    fwaccel [-i <SecureXL ID>] dos stats

          clear

          get

    Syntax for IPv6

    fwaccel6 dos stats

          clear

          get

    Parameters

    Parameter Description

    -i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

    No Parameters Shows the applicable built-in usage.

    clear Clears the real-time statistics counters.

    get Shows the real-time statistics counters.

    Example - Get the current DoS statistics

    [Expert@MyGW:0]# fwaccel dos stats get
    Firewall:
      Number of Elements in Tables:
        Penalty Box Violating IPs: 0 (size: 8192)
        Blacklist Notification Handlers: 0 (size: 1024)
    SXL Device 0:
      Total Active Connections: 0
      Total New Connections/Second: 0
      Total Packets/Second: 0
      Total Bytes/Second: 0
      Reasons Packets Dropped:
        IP Fragment: 0
        IP Option: 0
        Penalty Box: 0
        Blacklist: 0
        Rate Limit: 0
      Number of Elements in Tables:
        Penalty Box: 0 (size: 0)
        Non-Empty Blacklists: 0 (size: 0)
        Blacklisted IPs: 0 (size: 0)
        Rate Limit Matches: 0 (size: 0)
        Rate Limit Source Only Tracks: 0 (size: 0)
        Rate Limit Source and Service Tracks: 0 (size: 0)
    SXL Devices in Aggregate:
      Reasons Packets Dropped:
        IP Fragment: 0
        IP Option: 0
        Penalty Box: 0
        Blacklist: 0
        Rate Limit: 0
      Number of Elements in Tables:
        Penalty Box: 0
        Non-Empty Blacklists: 0
        Blacklisted IPs: 0
        Rate Limit Matches: 0
        Rate Limit Source Only Tracks: 0
        Rate Limit Source and Service Tracks: 0
    [Expert@MyGW:0]#
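These counters are the quickest way to see whether the DoS features are actually acting on traffic: a rising Penalty Box, Blacklist or Rate Limit count under "SXL Devices in Aggregate" means packets are being dropped in SecureXL before the Access Control Policy sees them, and a Penalty Box Violating IPs count close to its table size means the table is filling up. The following added example, which is not part of this guide or of Check Point's software, parses a saved copy of the fwaccel dos stats get output and reports every non-zero drop reason in the aggregate section, so the check can run from cron or a monitoring agent. The sample output is constructed in the format shown above with non-zero counters; the function names are the example's own.

```shell
#!/bin/bash
# Added example, not from the R80.40 guide. Parses "fwaccel dos stats get"
# output saved to a file (e.g. fwaccel dos stats get > /tmp/dos.txt) and
# reports non-zero drop reasons. Function names are the example's own.

# dos_aggregate_drops FILE : prints "Reason: count" for every non-zero entry
# under "SXL Devices in Aggregate:" -> "Reasons Packets Dropped:". Exit
# status is 0 when at least one reason is non-zero (grep-like), 1 otherwise.
# The per-device "Reasons Packets Dropped:" block is skipped on purpose: on
# a multi-device gateway only the aggregate is the total.
dos_aggregate_drops() {
    awk '
        /^SXL Devices in Aggregate:/                        { agg = 1; next }
        agg && /Reasons Packets Dropped:/                   { reasons = 1; next }
        agg && reasons && /Number of Elements in Tables:/   { exit }
        agg && reasons && /^[ \t]*[A-Za-z ]+: [0-9]+[ \t]*$/ {
            split($0, kv, ":")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            n = kv[2] + 0
            if (n > 0) { printf "%s: %d\n", kv[1], n; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# dos_pbox_violators FILE : prints "<used> <size>" for the Penalty Box
# Violating IPs table (e.g. "42 8192"), so a monitor can alarm on table fill.
dos_pbox_violators() {
    awk -F': ' '/Penalty Box Violating IPs:/ {
        split($2, used, " "); size = $3; sub(/\).*/, "", size)
        print used[1], size; exit
    }' "$1"
}

# Constructed sample in the layout of the guide's output, with drops present
# (example data, not a real capture).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Firewall:
  Number of Elements in Tables:
    Penalty Box Violating IPs: 42 (size: 8192)
    Blacklist Notification Handlers: 0 (size: 1024)
SXL Device 0:
  Total Active Connections: 3120
  Total Packets/Second: 41200
  Reasons Packets Dropped:
    IP Fragment: 0
    IP Option: 0
    Penalty Box: 1187
    Blacklist: 0
    Rate Limit: 96
  Number of Elements in Tables:
    Penalty Box: 42 (size: 8192)
    Rate Limit Matches: 3 (size: 0)
SXL Devices in Aggregate:
  Reasons Packets Dropped:
    IP Fragment: 0
    IP Option: 0
    Penalty Box: 1187
    Blacklist: 0
    Rate Limit: 96
  Number of Elements in Tables:
    Penalty Box: 42
    Non-Empty Blacklists: 0
    Blacklisted IPs: 0
    Rate Limit Matches: 3
EOF

if drops=$(dos_aggregate_drops "$sample"); then
    echo "DoS drops in effect:"; echo "$drops"
else
    echo "no DoS drops recorded"
fi
echo "Penalty Box Violating IPs (used size): $(dos_pbox_violators "$sample")"
```

On a gateway, run fwaccel dos stats clear, wait a fixed interval, save fwaccel dos stats get to a file and feed it to dos_aggregate_drops; the difference between two runs is the drop rate for that interval, which is what the --notif-rate and --pbox-rate settings above should be tuned against.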

    fwaccel dos whitelist

    Description

    The fwaccel dos whitelist command configures the whitelist for source IP addresses in the SecureXL Penalty Box.

    This whitelist overrides which packets the SecureXL Penalty Box drops.

    Notes:

    - This command supports only IPv4.

    - On VSX Gateway, first go to the context of an applicable Virtual System:

      In Gaia Clish, run: set virtual-system <VSID>

      In Expert mode, run: vsenv <VSID>

    - In a cluster, you must configure SecureXL in the same way on all the Cluster Members.

    - This whitelist overrides entries in the blacklist. Before you use 3rd-party or automatic blacklists, add trusted networks and hosts to the whitelist to avoid outages.

    - This whitelist unblocks IP options and IP fragments from trusted sources when you explicitly configure one of these SecureXL features:

      - --enable-drop-opts

      - --enable-drop-frags

      See the "fwaccel dos config" on page 64 command.

    - To whitelist the Rate Limiting policy, refer to the bypass action of the fw samp command. For example, fw samp -a b ...

      For more information about the fw sam_policy command, see the R80.40 Performance Tuning Administration Guide - Section Rate Limiting for DoS Mitigation - Section 'fw sam_policy' and 'fw6 sam_policy'.

    n This command is similar to the "fwaccel