Performance Pack (SecureXL) is only accelerating traffic up to a specific policy rule

book

Article ID: 168117

calendar_today

Updated On:

Products

XOS

Issue/Introduction

Performance Pack (SecureXL) is only accelerating traffic up to a specific policy rule
N/A

Cause

N/A

Resolution

Refer to Check Point SK solution ID # sk41493 (contents below)

What types of traffic or services are not accelerated by SecureXL?

Product: VPN-1 Power/UTM
Version: All
Last Modified: 19-Apr-2009


When SecureXL is enabled, all traffic that matches following conditions will not be accelerated:


* The first packets of any new TCP session, unless a "template" exists.

* The first packet of any new UDP session.

* All traffic that matches a service that uses a resource.

* All traffic that matches a service that is inspected by a SmartDefence or Web Intelligence feature.

* All traffic that is supposed to be dropped or rejected, according to the rule base.

* All traffic that matches a rule, whose source or destination is the gateway itself.

* All traffic that matches a rule with a security server.

* All traffic that matches a rule with user authentication or session authentication.

* Non-TCP/UDP/GRE/ESP trafic (e.g. ICMP, IGRP, etc.)

* All multicast traffic. **** Prior to IPSO-3.9. In IPSO-3.9 has support for Multicast PIM acceleration for IP225x. IPSO-4.2 supports Multicast PIM acceleration for all Nokia Platforms.

* All fragmented traffic.

* All traffic with IP options.

* RST packets, when the "Spoofed Reset Protection" feature is activated.

* Traffic that violates stateful inspection paradigm or that is suspected to be spoofed.

* Rules where the service has an INSPECT handler (e.g. FTP control connection)

* Rules with action "encrypt" with no VPN H/W Accelerator card.

* All VoIP traffic

* All VPN traffic with IP Compression enabled.

* All directed broadcast traffic


Connection establishment acceleration ("templates" mechanism)

In order to enhance connection establishment acceleration, a mechanism attempts to "group together" all connections that match a particular service and whose sole discriminating element is the source port. This type of "grouping" enables even the very first packets of a TCP handshake to be accelerated. This is very useful on short connections, in which the percentage of TCP handshake traffic is very high.

The very first packets of the first connection on the same service will be forwarded to the security gateway, which will then create a "template" of the connection and notify the SecureXL device. Any subsequent TCP establishments on the same service (where only the source port is different) will already be accelerated (as well as any other traffic, of course).

Conditions that will prevent a template from being created:


* All connections that cannot be discriminated ONLY by the source port.

* Traffic subject to NAT.

* VPN traffic.

* Non-trivial TCP/UDP connections (FTP, H323, etc.).

* Non-TCP/UDP traffic.


The following rules will prevent a template from being created. All subsequent rules below it will not be template as well, regardless of the rule. It is advised that all rules that will be subject to template creation be placed at the top of the rule base (unless of course, this will violate other optimization considerations):


* Rules with the following objects

o Time object.

o Port range object (SPORT range only, Services with DPORT range should not disable templates)

o Dynamic object

o Domain object



* Rules with "complex" services (i.e. services that have anything specified in the "Match" field, or "Enable reply from any port" of their "Advanced" section).

* Rules with RPC/DCOM/DCE-RPC services.

* Rules with client authentication or session authentication.

* When SYN Defender features is activated.


Note: - Use fwaccel stat to list which rules disables SXL or templates and move that rule to the bottom of the rulebase. If most of the connections are NATed or VPN, rulebase order change is not required as you will not be using templates at all. In such configuration, make sure most frequently used rules are placed on top to gain performance improvements.

Also, when installing policy containing a restricted rule, you will get console messages indicating that Connection Templates will not be created due to the rules that have been defined. This warning should be used as a recommendation that will assist you to fine-tune your policy in order to optimize performance.

Also, refer to CheckPoint SmartDefense Protections Refernce Guide for details on which settings will have impact on connection acceleration or templates disabled.

SmartDefense settings that will impact SecureXL:


* SYN Attack Configuration - Disables Templates

* Network Quota - Disables Templates

* ISN Spoofing - Disable Acceleration.

* Spoofed Reset protection - Forwards RST packets to the Firewall

* Sequence Verifier - Make sure to turn on "Sequence Validation" in "Advanced System Tuning" page in Voyager.

* TTL Check - Disable Acceleration

* IP ID Check - Disable Acceleration

* Application Intelligence Check:

o POP3/IMAP Security - Disables Acceleration

o Mail Server Security - Disable Acceleration

o FTP Security Server - Disable Acceleration



* Microsoft Networks - File and Print sharing - Disables Acceleration

* Block NULL CIFS sessions - Disable Acceleration

* Block Popup Messages - Disable Acceleration for Microsoft networks

* Block ASN.1  Disables Acceleration for relevant protocols

* Block WINS Replication attack  Disables Acceleration for MS WINS traffic

* Block WINS Name Violation Disables Acceleration for WINS traffic

* Peer-to-Peer: Disables Templates

* Instant Messanger: Disables Template

* DNS Protection  Disables DNS Acceleration -TCP/UDP

* VoIP  Not Accelerated.

* SNMP Checks  Disables SNMP traffic Acceleration

* SUN-RPC Program Lookup  Disable Acceleration for SUN-RPC Traffic only

* VPN Protocols:

o PPTP Enforcement  Disables Acceleration of PPTP traffic

o SSL enforcement Disables Acceleration of SSL traffic

o Block IKE Aggressive Exchange Disables IKE Acceleration for client to server direction only

o IKE enforcement - Disables IKE Acceleration for client to server direction only



* SSH  Detect SSH over non-standard port Disables Templates on ALL traffic

* SSH enforcement Disables Acceleration for ssh traffic

* Content Protection:

o Malformed JPEG Disables Acceleration for all HTTP

o Malformed ANI files Disables Acceleration for all HTTP

o MS-RPC Disable Acceleration for RPC traffic

o MS-SQL Disable Acceleration for MS-SQL traffic



* Routing Protocols Check: Disable Acceleration for these protocols only (RIP,BGP,OSPF,IGMP)

* Application Layer: Web Intelligence :

o HTTP Header Spoofing Check  Disables Acceleration on all HTTP traffic

o Directory Listing - Disables Acceleration on all HTTP traffic

o Error Concealment Disables Acceleration on all HTTP traffic

o ASCII only response header  Disables Acceleration on all HTTP traffic

o Block HTTP on non-standard port Disables Template

o Block HTTP Malicious Encodings Disables Templates

Workaround

N/A