

Extending SecureXL Templates

Description

To enhance connection rate and throughput in a SecureXL enabled environment, the firewall groups together packets of a connection that share the same service (same source port). The first packets of the first connection are handled by the firewall. The firewall then offloads the connection to SecureXL (acceleration hardware or software) for processing.

SecureXL creates a connection template that matches the accept rule in the firewall Rule Base, but with a wildcard replacing the source port. New connections that match the template are processed by SecureXL.

On a busy network, repeated connections to the same DNS server clearly benefit from SecureXL acceleration, where the DNS source port (53) is replaced by a wildcard. However, multiple IP addresses can resolve to the same DNS name. In such an environment, replacing the source IP address with a second wildcard decreases the number of connections processed by the firewall.

To replace source IP addresses with a second wildcard, you must extend the existing SecureXL templates.

Note - By default, SecureXL template extension is disabled.

To enable SecureXL template extension for accelerated DNS connections:

On the SMO:

  1. Exit gclish

    (To exit gclish, enter: shell.)

  2. Open: /etc/ppk.boot/boot/modules/simkern.conf for editing.

    If the file does not exist, create it.

  3. Add sim_use_srcip_wildcard_for_template=1 to the file.
  4. Copy the file to all SGMs by running:

    g_cp2blades -a /etc/ppk.boot/boot/modules/simkern.conf

  5. Open: /etc/fw.boot/modules/fwkern.conf for editing.
  6. Add cphwd_src_ip_template_enabled=1 to the file.
  7. Copy the file to all SGMs by running:

    g_cp2blades -a /etc/fw.boot/modules/fwkern.conf

  8. Reboot all SGMs.

In the SecureXL acceleration template, the source IP address and source port are replaced with wildcards.

Note - Traffic is accelerated only if the destination port is DNS (53).

To add other services to the template (for example HTTP and Telnet):

On the SMO:

  1. Exit gclish

    (To exit gclish, enter: shell.)

  2. Open: /etc/fw.boot/modules/fwkern.conf for editing.
  3. Add cphwd_use_srcip_wildcard_for_template=80,23 to the file.

    This adds ports 80 and 23 to the list of permitted destination ports.

    • Separate each port number with a comma
    • Do not add more than 4 port numbers

    For UDP services, add: cphwd_src_ip_tmpl_udp_ports=<UDP port numbers>.

  4. Copy the file to all SGMs by running:

    g_cp2blades -a /etc/fw.boot/modules/fwkern.conf

  5. Open /etc/ppk.boot/boot/modules/simkern.conf for editing.
  6. Add sim_src_ip_tmpl_tcp_ports=80,23 to the file.

    For UDP services, add sim_src_ip_tmpl_udp_ports=<UDP port numbers>.

  7. /etc/ppk.boot/boot/modules/simkern.conf on all SGMs
  8. Copy the file to all SGMs by running:

    g_cp2blades -a /etc/ppk.boot/boot/modules/simkern.conf

  9. Reboot all SGMs.
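Both procedures above come down to the same operation: make sure a key=value line is present in simkern.conf and fwkern.conf, copy each file to all SGMs, and reboot. The script below is an added example, not Check Point's own tooling: it performs those edits idempotently (re-running it does not append duplicate lines), enforces the page's limit of at most four port numbers before writing a port list, and only calls g_cp2blades when that command exists. The file paths and parameter names are the ones the page gives; the function names, the root-directory argument and the scratch-directory rehearsal run are this example's own. The reboot step is left to the operator.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: applies the two
# procedures above (DNS source-IP wildcard, extra TCP/UDP ports)
# as idempotent key=value edits to simkern.conf and fwkern.conf.
# File paths and parameter names are the page's; function names
# and the scratch-directory rehearsal are this example's own.

# Accept a comma-separated port list only if it has 1..4 entries,
# each an integer in 1..65535 (the page allows at most 4 ports).
check_port_list() {
    list=$1
    case $list in
        '' | *[!0-9,]*) return 1 ;;   # empty, or non-digit/non-comma chars
    esac
    old_ifs=$IFS; IFS=,; set -- $list; IFS=$old_ifs
    [ $# -ge 1 ] && [ $# -le 4 ] || return 1
    for p in "$@"; do
        [ -n "$p" ] && [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Create the file if missing (as the page says), then set key=value,
# replacing any existing line for that key so re-runs do not append
# duplicates. A temp file is used instead of sed -i for portability.
set_kparam() {
    file=$1; key=$2; value=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    grep -v "^${key}=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print the value currently set for a key (empty if absent).
get_kparam() {
    sed -n "s/^$2=//p" "$1"
}

# The page copies each edited file to all SGMs with g_cp2blades -a;
# outside the SMO that command does not exist, so just report it.
distribute() {
    if command -v g_cp2blades >/dev/null 2>&1; then
        g_cp2blades -a "$1"
    else
        echo "would run: g_cp2blades -a $1" >&2
    fi
}

# Procedure 1: DNS connections with source IP and source port wildcarded.
# root is / on the SMO; a scratch directory lets you rehearse the steps.
enable_src_ip_wildcard() {
    root=$1
    [ -n "$root" ] || { echo "usage: enable_src_ip_wildcard <root>" >&2; return 1; }
    sim="${root%/}/etc/ppk.boot/boot/modules/simkern.conf"
    fwk="${root%/}/etc/fw.boot/modules/fwkern.conf"
    set_kparam "$sim" sim_use_srcip_wildcard_for_template 1
    distribute "$sim"
    set_kparam "$fwk" cphwd_src_ip_template_enabled 1
    distribute "$fwk"
}

# Procedure 2: add destination ports (TCP list required, UDP optional).
add_template_ports() {
    root=$1; tcp=$2; udp=$3
    [ -n "$root" ] || { echo "usage: add_template_ports <root> <tcp ports> [udp ports]" >&2; return 1; }
    sim="${root%/}/etc/ppk.boot/boot/modules/simkern.conf"
    fwk="${root%/}/etc/fw.boot/modules/fwkern.conf"
    check_port_list "$tcp" || { echo "bad TCP port list: '$tcp'" >&2; return 1; }
    set_kparam "$fwk" cphwd_use_srcip_wildcard_for_template "$tcp"
    set_kparam "$sim" sim_src_ip_tmpl_tcp_ports "$tcp"
    if [ -n "$udp" ]; then
        check_port_list "$udp" || { echo "bad UDP port list: '$udp'" >&2; return 1; }
        set_kparam "$fwk" cphwd_src_ip_tmpl_udp_ports "$udp"
        set_kparam "$sim" sim_src_ip_tmpl_udp_ports "$udp"
    fi
    distribute "$fwk"
    distribute "$sim"
    echo "reboot all SGMs for the new template parameters to load" >&2
}

# Rehearsal under a scratch directory; on the SMO pass / instead.
demo=$(mktemp -d)
enable_src_ip_wildcard "$demo"
add_template_ports "$demo" 80,23 ""
cat "$demo/etc/fw.boot/modules/fwkern.conf" "$demo/etc/ppk.boot/boot/modules/simkern.conf"
rm -rf "$demo"
```

Running it with a scratch root first is deliberate: the edits go to files that are read at boot, so a malformed line or a fifth port is cheaper to catch before the files are pushed to every SGM and the chassis is rebooted.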

Verification

To make sure extended SecureXL templates are being used:

  1. In gclish, run: fwaccel templates.
  2. Examine the output.

An asterisk (*) in the Source column and an increasing Conns counter means the extended template is being utilized.
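The check described above is two observations on the fwaccel templates table: a wildcard in the Source column, and a Conns value that grows between two looks. The script below is an added example, not a Check Point tool: it compares two saved captures of that output and prints the rows that satisfy both conditions. It assumes only that the output is a whitespace-separated table whose header names the "Source" and "Conns" columns (the column positions are read from the header, not hard-coded); the two sample tables inside it are constructed for the example and are not real gateway output.

```shell
#!/bin/sh
# Added example, not a Check Point tool: compares two saved captures of
# "fwaccel templates" output and reports template rows whose Source
# column is a wildcard (*) and whose Conns counter grew between the
# captures, which is what the page says to look for.
# Assumed: whitespace-separated table with a header line naming the
# columns "Source" and "Conns". The sample tables below are constructed.

# Print growing wildcard-source rows as "key  before->after";
# exit 0 if at least one such row exists, 1 otherwise.
extended_template_in_use() {
    awk '
        FNR == 1 {                       # header: locate the two columns
            sc = 0; cc = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "Source") sc = i
                if ($i == "Conns")  cc = i
            }
            next
        }
        sc == 0 || cc == 0 { next }      # no usable header: ignore rows
        {                                # row key = every column except Conns
            key = ""
            for (i = 1; i <= NF; i++) if (i != cc) key = key " " $i
        }
        NR == FNR { before[key] = $cc; next }
        $sc == "*" && (key in before) && ($cc + 0) > (before[key] + 0) {
            printf "%s  %s->%s\n", key, before[key], $cc
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1" "$2"
}

# Constructed captures taken a few seconds apart: the DNS template
# (source IP and port wildcarded) is accumulating connections; the
# HTTP row has no source wildcard and an idle counter.
sample_before() {
    cat <<'EOF'
Source          SPort   Destination     DPort   Proto   Conns
*               *       198.51.100.53   53      UDP     120
192.0.2.10      *       198.51.100.80   80      TCP     4
EOF
}
sample_after() {
    cat <<'EOF'
Source          SPort   Destination     DPort   Proto   Conns
*               *       198.51.100.53   53      UDP     181
192.0.2.10      *       198.51.100.80   80      TCP     4
EOF
}

# Usage on the SMO: save "fwaccel templates" output twice to files and
# pass both paths. Here the constructed samples stand in for them.
b=$(mktemp); a=$(mktemp)
sample_before > "$b"; sample_after > "$a"
if extended_template_in_use "$b" "$a"; then
    echo "extended template in use"
else
    echo "no growing wildcard-source template seen"
fi
rm -f "$b" "$a"
```

A single snapshot is not enough: a wildcard row can exist in the table while the matching traffic is still being handled by the firewall, so the Conns delta between two captures is the part of the check that actually proves offload is happening.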

 
Top of Page ©2014 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print