fwaccel off

Description

The fwaccel off and fwaccel6 off commands stop the SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. on-the-fly.

Starting from R80.20SP, you can stop the SecureXL only temporarily. The SecureXL starts automatically when you start Check Point services (with the cpstart command), or reboot a Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. Member.

Important:

Disable the SecureXL only for debug purposes, if Check Point Support explicitly instructs you to do so.
If you disable the SecureXL, this change does not survive reboot.

SecureXL remains disabled until you enable it again on-the-fly, or reboot the Security Group Member.
If you disable the SecureXL, this change applies only to new connections that arrive after you disable the acceleration.

SecureXL continues to accelerate the connections that are already accelerated.

Other non-connection oriented processing continues to function (for example, virtual defragmentation, VPN decrypt).
On a VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.:
- If you wish to stop the acceleration only for a specific Virtual System, go to the context of that Virtual System.
  
  In Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group., run: set virtual-system <VSID>
  
  In Expert mode, run: vsenv <VSID>
- If you wish to stop the acceleration for all Virtual Systems, you must use the "-a" parameter.
  
  In this case, it does not matter from which Virtual System context you run this command.

Important:

The same SecureXL command must run on all Security Group Members.

Therefore, you must run the SecureXL commands in either Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish, or Expert mode.

In Gaia gClish, run the "fwaccel ..." and "fwaccel6 ..." commands.
In the Expert mode, run the "g_fwaccel ..." and "g_fwaccel6 ..." commands.

Syntax for IPv4

fwaccel [-i <SecureXL ID>] off [-a] [-q]

Syntax for IPv6

fwaccel6 off [-a] [-q]

Parameters

Parameter	Description
`-i <SecureXL ID>`	Specifies the SecureXL instance ID (for IPv4 only).
`-a`	On a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateway, stops acceleration on all Virtual Systems.
`-q`	Suppresses the output (does not show a returned output).

Possible returned output

SecureXL device disabled
SecureXL device is not active
Failed to disable SecureXL device
fwaccel_off: failed to set process context <VSID>

Example 1 - Output from a non-VSX Gateway

[Expert@MyChassis-ch0x-0x:0]# g_fwaccel off

SecureXL device disabled.

[Expert@MyChassis-ch0x-0x:0]#

Example 2 - Output from a VSX Gateway for a specific Virtual System

[Expert@MyChassis-ch0x-0x:1]# vsx stat -v
VSX Gateway Status
==================
Name:            VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at:    17Sep2018 13:17:14
Threat Prevention Policy: <No Policy> 
SIC Status:      Trust
 
Number of Virtual Systems allowed by license:          25
Virtual Systems [active / configured]:                  2 / 2
Virtual Routers and Switches [active / configured]:     0 / 0
Total connections [current / limit]:                    4 / 44700
 
Virtual Devices Status
======================
 
 ID  | Type &amp; Name     | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
   1 | S VS1               | VS1_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
   2 | S VS2               | VS2_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
 
Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.
 
[Expert@MyChassis-ch0x-0x:1]#
[Expert@MyChassis-ch0x-0x:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyChassis-ch0x-0x:1]#
[Expert@MyChassis-ch0x-0x:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status     |Interfaces               |Features                      |
+-----------------------------------------------------------------------------+
|0 |SND  |enabled    |eth1,eth2,eth3           |Acceleration,Cryptography     |
+-----------------------------------------------------------------------------+
 
[Expert@MyChassis-ch0x-0x:1]#
 
[Expert@MyChassis-ch0x-0x:1]# fwaccel off
SecureXL device disabled. (Virtual ID 1)
[Expert@MyChassis-ch0x-0x:1]#
[Expert@MyChassis-ch0x-0x:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status     |Interfaces               |Features                      |
+-----------------------------------------------------------------------------+
|0 |SND  |disabled   |eth1,eth2,eth3           |Acceleration,Cryptography     |
+-----------------------------------------------------------------------------+
 
[Expert@MyChassis-ch0x-0x:1]#

Example 3 - Output from a VSX Gateway for all Virtual Systems

[Expert@MyChassis-ch0x-0x:1]# vsx stat -v
VSX Gateway Status
==================
Name:            VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at:    17Sep2018 13:17:14
Threat Prevention Policy: <No Policy> 
SIC Status:      Trust
 
Number of Virtual Systems allowed by license:          25
Virtual Systems [active / configured]:                  2 / 2
Virtual Routers and Switches [active / configured]:     0 / 0
Total connections [current / limit]:                    4 / 44700
 
Virtual Devices Status
======================
 
 ID  | Type &amp; Name     | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
   1 | S VS1               | VS1_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
   2 | S VS2               | VS2_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
 
Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.
 
[Expert@MyChassis-ch0x-0x:1]#
[Expert@MyChassis-ch0x-0x:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyChassis-ch0x-0x:1]#
[Expert@MyChassis-ch0x-0x:1]# fwaccel off -a
SecureXL device disabled. (Virtual ID 0)
SecureXL device disabled. (Virtual ID 1)
SecureXL device disabled. (Virtual ID 2)
[Expert@MyChassis-ch0x-0x:1]#