Configuring SecureXL

The Gaia First Time Configuration Wizard automatically installs, enables, and configures SecureXL on your Security Gateway. No additional configuration is required.

SecureXL can work in these modes:

Note - For the required Jumbo Hotfix Accumulator, see sk179432.

SecureXL Mode	Description
User Mode (UPPAK)	On the supported Check Point Appliances (see Introduction), SecureXL runs as processes in the user space (UPPAK - "User Space Performance Pack"). This mode increases performance and unlocks more advanced features in SecureXL. UPPAK is the default mode after you install the required Jumbo Hotfix Accumulator (unless you enabled features that do not support SecureXL UPPAK - see Known Limitations).
Kernel Mode (KPPAK)	SecureXL runs as a kernel module in the kernel space (KPPAK - "Kernel Space Performance Pack").

SecureXL Mode

Description

User Mode

(UPPAK)

On the supported Check Point Appliances (see Introduction), SecureXL runs as processes in the user space (UPPAK - "User Space Performance Pack").

This mode increases performance and unlocks more advanced features in SecureXL.

UPPAK is the default mode after you install the required Jumbo Hotfix Accumulator (unless you enabled features that do not support SecureXL UPPAK - see Known Limitations).

Kernel Mode

(KPPAK)

SecureXL runs as a kernel module in the kernel space (KPPAK - "Kernel Space Performance Pack").

See:

Viewing the Current SecureXL Mode.
Changing the Current SecureXL Mode.

SecureXL in Kernel Mode (KPPAK)

SecureXL runs as a kernel module in the kernel space (KPPAK - "Kernel Space Performance Pack").

SecureXL in User Mode (UPPAK)

SecureXL runs as processes in the user space (UPPAK - "User Space Performance Pack").

Description

Limitations when SecureXL works in User Mode (UPPAK):

See Known Limitations > Section SecureXL.

SecureXL user space processes:

SecureXL in User Mode uses these processes and log files:

Process	Log File	Description
`$PPKDIR/bin/usim_x86`	`/var/log/usim_x86.elg`	The main SecureXL process.
`$PPKDIR/bin/usim_wd_agent`	N / A	The Watch Dog process that monitors the main SecureXL process "`usim_x86`". If the main process crashes, this Watch Dog process starts it again.
`$PPKDIR/bin/usim_launcher`	N / A	Starts the main SecureXL process "`usim_x86`" during boot.

Process

Log File

Description

$PPKDIR/bin/usim_x86

/var/log/usim_x86.elg

The main SecureXL process.

$PPKDIR/bin/usim_wd_agent

N / A

The Watch Dog process that monitors the main SecureXL process "usim_x86".

If the main process crashes, this Watch Dog process starts it again.

$PPKDIR/bin/usim_launcher

N / A

Starts the main SecureXL process "usim_x86" during boot.

SecureXL configuration file:

SecureXL in User Mode uses this configuration file for its parameters:

$PPKDIR/conf/simkern.conf

SecureXL core dump files:

SecureXL in User Mode creates these files when its user space processes crash:

/var/log/dump/usermode/usim_x86.<PID>.core
/var/log/dump/usermode/lcore-worker<ID>.core
/var/log/dump/usermode/fwk_snd<ID>.core
/var/log/usim_crash/crash_list

Viewing the Current SecureXL Mode

Procedure

Step

Instructions

Connect to the command line on your Security Gateway.

Examine the SecureXL status and mode.

fwaccel stat

Examine the column Name:

KPPAK - Kernel Mode
UPPAK - User Mode

For information about the "fwaccel" command, see the Performance Tuning Administration Guide for your version.

Example output:

[Expert@MyGW:0]# fwaccel stat
+---------------------------------------------------------------------------------+
|Id|Name     |Status     |Interfaces               |Features                      |
+---------------------------------------------------------------------------------+
|0 |KPPAK    |enabled    |eth0,eth1,eth2           |Acceleration,Cryptography     |
|  |         |           |                         |                              |
|  |         |           |                         |Crypto: Tunnel,UDPEncap,MD5,  |
|  |         |           |                         |SHA1,3DES,DES,AES-128,AES-256,|
|  |         |           |                         |ESP,LinkSelection,DynamicVPN, |
|  |         |           |                         |NatTraversal,AES-XCBC,SHA256, |
|  |         |           |                         |SHA384,SHA512                 |
+---------------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates   : disabled
NAT Templates    : enabled
LightSpeed Accel : disabled
[Expert@MyGW:0]#

Changing the Current SecureXL Mode

You can change the current SecureXL mode between User Mode (UPPAK) and Kernel Mode (KPPAK).

It is possible to enable the SecureXL User Mode (UPPAK) only if the Security Gateway does not run features that do not support SecureXL UPPAK. See Known Limitations.

When SecureXL works in User Mode (UPPAK), it does not allow you to enable features that UPPAK does not support.

Procedure

Step

Instructions

Connect to the command line on your Security Gateway / each Cluster Member.

Run:

cpconfig

Enter the number of the Check Point SecureXL option.

The menu shows the current SecureXL mode.

Enter the number of the Change SecureXL Mode option.

Enter y to confirm the change.

Exit from the cpconfig menu.

Reboot.

Important - In a cluster, this can cause a failover.

Examine the SecureXL status and mode:

fwaccel stat

For information about the "fwaccel" command, see the Performance Tuning Administration Guide for your version.

Disabling SecureXL

It is not supported to disable SecureXL.

You can disable SecureXL only if Check Point Support explicitly instructs you to do so for debug purposes.

Explanation and Procedure

Starting from R80.20, you can disable the SecureXL only temporarily.

The SecureXL starts automatically when you start Check Point services (with the cpstart command), or reboot the Security Gateway (Scalable Platform Security Group Member).

Important:

If you disable the SecureXL, this change does not survive reboot.

SecureXL remains disabled until you enable it again on-the-fly, or reboot the Security Gateway.
If you disable the SecureXL, this change applies only to new connections that arrive after you disabled the acceleration.

SecureXL continues to accelerate the connections that are already accelerated.

Other non-connection oriented processing continues to function (for example, virtual defragmentation and VPN decrypt).

For information about the "fwaccel" command, see the Performance Tuning Administration Guide for your version.

To disable SecureXL for IPv4 temporarily

Step

Instructions

Connect to the command line on your Security Gateway.

Examine the SecureXL status.

fwaccel stat

Disable the SecureXL.

fwaccel off [-a]

Examine the SecureXL status.

fwaccel stat

To disable SecureXL for IPv6 temporarily

Step

Instructions

Connect to the command line on your Security Gateway.

Examine the SecureXL status.

fwaccel6 stat

Disable the SecureXL.

fwaccel6 off [-a]

Examine the SecureXL status.

fwaccel6 stat

To enable SecureXL again for IPv4

Step

Instructions

Connect to the command line on your Security Gateway.

Examine the SecureXL status.

fwaccel stat

Enable the SecureXL.

fwaccel on [-a]

Examine the SecureXL status.

fwaccel stat

To enable SecureXL again for IPv6

Step

Instructions

Connect to the command line on your Security Gateway.

Examine the SecureXL status.

fwaccel6 stat

Enable the SecureXL.

fwaccel6 on [-a]

Examine the SecureXL status.

fwaccel6 stat

SecureXL KPPAK / UPPAK Modes and Firewall KSFW / USFW Modes

For information about Firewall modes, refer to sk167052.

Firewall Mode	SecureXL User Mode (UPPAK)	SecureXL Kernel Mode (KPPAK)
Firewall User Mode (USFW)	Supported	Supported
Firewall Kernel Mode (KSFW)	Not supported	Supported