Configuring SecureXL

The GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. First Time Configuration Wizard automatically installs, enables, and configures SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. on your Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. (Scalable Platform Security GroupClosed A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.). No additional configuration is required.

SecureXL can work in these modes:

SecureXL Mode

Description

User Mode

(UPPAK)

SecureXL runs as processes in the user space (UPPAK - "User Space Performance Pack").

This mode increases performance and unlocks more advanced features in SecureXL.

This is the default mode on the supported Check Point appliances.

Important - For the list of supported Check Point appliances and Known Limitations, see the LightSpeed 10/25/40/100G QSFP28 Ports Administration Guide.

Kernel Mode

(KPPAK)

SecureXL runs as a kernel module in the kernel space (KPPAK - "Kernel Space Performance Pack").

See:

SecureXL in Kernel Mode (KPPAK)

SecureXL runs as a kernel module in the kernel space (KPPAK - "Kernel Space Performance Pack").

On Security Gateways that do not support SecureXL in User Mode (UPPAK), it works in Kernel Mode.

SecureXL kernel modules:

SecureXL in Kernel Mode uses these kernel modules (see Introduction to Kernel Parameters):

  • $PPKDIR/boot/modules/sim_kern_64_3_10_64.o

  • $PPKDIR/boot/modules/sim_kern_64_3_10_64_v6.o

SecureXL configuration file:

SecureXL in Kernel Mode uses this configuration file for its parameters (see SecureXL Kernel Parameters):

  • $PPKDIR/conf/simkern.conf

SecureXL in User Mode (UPPAK)

SecureXL runs as processes in the user space (UPPAK - "User Space Performance Pack").

Important - This feature is available on the supported Check Point appliances. For the list of supported Check Point appliances and Known Limitations, see the LightSpeed 10/25/40/100G QSFP28 Ports Administration Guide.

SecureXL user space processes:

SecureXL in User Mode uses these processes and log files:

Process

Log File

Description

$PPKDIR/bin/usim_x86

/var/log/usim_x86.elg

The main SecureXL process.

$PPKDIR/bin/usim_wd_agent

N / A

The Watch Dog process that monitors the main SecureXL process "usim_x86".

If the main process crashes, this Watch Dog process starts it again.

$PPKDIR/bin/usim_launcher

N / A

Starts the main SecureXL process "usim_x86" during boot.

SecureXL configuration file:

SecureXL in User Mode uses this configuration file for its parameters (see SecureXL Kernel Parameters):

  • $PPKDIR/conf/simkern.conf

SecureXL core dump files:

SecureXL in User Mode creates these files when its user space processes crash:

  • /var/log/dump/usermode/usim_x86.<PID>.core

  • /var/log/dump/usermode/lcore-worker<ID>.core

  • /var/log/dump/usermode/fwk_snd<ID>.core

  • /var/log/usim_crash/crash_list

Viewing the Current SecureXL Mode

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster..

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClishClosed The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group. or the Expert mode.

3

Examine the SecureXL status and mode (see fwaccel stat).
4

Examine the column Name:

  • KPPAK - Kernel Mode

  • UPPAK - User Mode

Changing the Current SecureXL Mode

Notes:

  • During a clean installation, the Gaia First Time Configuration Wizard automatically configures SecureXL to work in User Mode (UPPAK) on Security Gateways that meet the requirements.

  • After an upgrade from R81.10 and lower versions, SecureXL works in Kernel Mode (KPPAK).

  • SecureXL does not change its mode automatically if the hardware specifications of a Security Gateway change, and now they meet the requirements.

    You must change the SecureXL mode manually.

    If the Security Gateway now supports USFW, then enable it, but do not reboot yet. Change the SecureXL mode to User Mode (UPPAK) and then reboot only one time.

  • When SecureXL works in User Mode (UPPAK), it does not allow you to enable features that UPPAK does not support.

You can change the current SecureXL mode between Kernel Mode (KPPAK) and User Mode (UPPAK).

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia Clish, or Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

3

Run:

cpconfig

4

Enter the number of the Check Point SecureXL option.

5

The menu shows the current SecureXL mode.

6

Enter the number of the Change SecureXL Mode option.

7

Enter y to confirm the change.

8

Exit from the cpconfig menu.

9

Reboot.

Important - In cluster, this can cause a failover.

10

Examine the SecureXL status and mode:

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel stat

Disabling SecureXL

It is not supported to disable SecureXL.

You can disable SecureXL only if Check Point Support explicitly instructs you to do so for debug purposes.

Starting from R80.20, you can disable the SecureXL only temporarily.

The SecureXL starts automatically when you start Check Point services (with the cpstart command), or reboot the Security Gateway (Scalable Platform Security Group Member).

Important:

  • If you disable the SecureXL, this change does not survive reboot.

    SecureXL remains disabled until you enable it again on-the-fly, or reboot the Security Gateway (Scalable Platform Security Group Member).

  • If you disable the SecureXL, this change applies only to new connections that arrive after you disabled the acceleration.

    SecureXL continues to accelerate the connections that are already accelerated.

    Other non-connection oriented processing continues to function (for example, virtual defragmentation and VPN decrypt).

  • In a Cluster, you must configure all the Cluster Members in the same way.

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia Clish, or Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

3

Examine the SecureXL status.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel stat

4

Disable the SecureXL.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel off [-a]

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel off [-a]

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel off [-a]

5

Examine the SecureXL status.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel stat

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia Clish, or Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

3

Examine the SecureXL status.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel6 stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel6 stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel6 stat

4

Disable the SecureXL.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel6 off [-a]

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel6 off [-a]

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel6 off [-a]

5

Examine the SecureXL status.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel6 stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel6 stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel6 stat

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia Clish, or Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

3

Examine the SecureXL status.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel stat

4

Enable the SecureXL.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel on [-a]

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel on [-a]

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel on [-a]

5

Examine the SecureXL status.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel stat

Step

Instructions

1

Connect to the command line on your Security Gateway / each Cluster Member.

Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

2

Log in to Gaia Clish, or Expert mode.

Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

3

Examine the SecureXL status.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel6 stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel6 stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel6 stat

4

Enable the SecureXL.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel6 on [-a]

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel6 on [-a]

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel6 on [-a]

5

Examine the SecureXL status.

  • On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode:

    fwaccel6 stat

  • On a Scalable Platform Security Group, run in Gaia gClish:

    fwaccel6 stat

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fwaccel6 stat

For more information on the "fwaccel" commands, see: