fwaccel templates

Description

The fwaccel templates and fwaccel6 templates commands show the contents of the SecureXL templates tables.

Important - Depending on the number of current templates, these commands can consume a very large amount of memory.

Syntax for IPv4

fwaccel templates
      [-h]
      [-d]
      [-m <Number of Rows>]
      [-s]
      [-S]

Syntax for IPv6

fwaccel6 templates
      [-h]
      [-d]
      [-m <Number of Rows>]
      [-s]
      [-S]

Parameters

| Parameter | Description |
|---|---|
| No Parameters | Shows the contents of the SecureXL Accept Templates table (Table Name - cphwd_tmpl, Table ID - 8111). |
| -h | Shows the applicable built-in usage. |
| -d | Shows the contents of the SecureXL Drop Templates table. |
| -m <Number of Rows> | Specifies how many rows to show from the templates table. Note - The command counts from the top of the table. Default: 1000 |
| -s | Shows the summary of SecureXL Connections Templates (number of templates). |
| -S | Shows statistics for the SecureXL Connections Templates. |

Accept Templates flags

One or more of these flags appears in the output:

| Flag | Description |
|---|---|
| A | Connection is accounted (SecureXL counts the number of packets and bytes). |
| B | Connection is created for a rule that contains an Identity Awareness object, or for a rule below that rule. |
| E | Connection is created for a NAT rule that contains an Identity Awareness object. |
| I | Identity Awareness (NAC) is enabled for this connection. |
| M | Connection is created for a rule that contains a Domain object, or for a rule below that rule. |
| N | Connection undergoes NAT. |
| O | Connection is created for a rule that contains a Dynamic object, or for a rule below that rule. |
| Q | QoS is enabled for this connection. |
| R | Connection is created for a rule that contains a Traceroute object, or for a rule below that rule. |
| S | PXL (combination of SecureXL and PSL (Passive Streaming Library)) is enabled for this connection. |
| T | Connection is created for a rule that contains a Time object, or for a rule below that rule. |
| U | Connection is unidirectional. |
| X | Connection is created for a NAT rule that contains a translated Dynamic object. |
| Z | Connection is created for a rule that contains a Security Zone object, or for a rule below that rule. |

Drop Templates flags

One or more of these flags appears in the output:

| Flag | Description |
|---|---|
| D | Drop template exists for this connection. |
| L | Log and Drop action for this connection. |

Examples