CheckPoint - SecureXL, or CheckPoint acceleration
Alasta, 19 December 2014. Tags: checkpoint, Checkpoint, Acceleration, Commands
Description: an overview of SecureXL.
SecureXL, or CheckPoint acceleration:
The acceleration offered by CheckPoint is called SecureXL. Roughly speaking, it works like this: the packet goes up to the firewall rule base evaluation and, if the connection can be accelerated, the firewall creates a "connection template" for similar packets. For subsequent connections these templates are checked first, before going through the rule base (if that is still necessary).
Explained by example:
- a connection from 10.0.0.1:2000 to 11.0.0.1:80: connection establishment goes through the rule base, after which the connection is accelerated.
- a connection from 10.0.0.1:2001 to 11.0.0.1:80: fully accelerated (including connection establishment).
- a connection from 10.0.0.1:8000 to 11.0.0.1:80: fully accelerated (including connection establishment).
HTTP requests to the same server from the same source IP are therefore accelerated.
Limitations and restrictions of SecureXL
Syntax of the fwaccel command:
Status
```
$ fwaccel stat
Accelerator Status : off
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, VirtualDefrag, GenerateIcmp,
                       IdleDetection, Sequencing, TcpStateDetect,
                       AutoExpire, DelayedNotif, TcpStateDetectV2,
                       McastRouting, WireMode, Streaming, MultiFW
Cryptography Features Mask : not available
```
In this case SecureXL is disabled. Here is an example where it is enabled:
```
$ fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall
                   disabled from rule #22
Drop Templates : disabled
NAT Templates : disabled by Firewall
                disabled from rule #22
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, WireMode,
                       DropTemplates, NatTemplates, Streaming
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, NatTraversal
```
Template creation stops at the first rule that cannot be accelerated (the "disabled from rule #22" line above): connections matching that rule or any later one are not templated.
The rule base therefore has to be optimized with this in mind.
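As an added illustration (not code from the post, nor from Check Point), here is a small Python model of the template behaviour described above, including the "disabled from rule #N" cut-off; the rule base, the rule numbers and the flows are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    number: int
    dst: str
    dport: int
    accelerable: bool   # False models a rule SecureXL cannot template

@dataclass
class Gateway:
    rules: list
    # Template key: (src, dst, dport, proto). The source port is wildcarded,
    # which is why 10.0.0.1:2001 and :8000 to 11.0.0.1:80 reuse one template.
    templates: set = field(default_factory=set)

    def template_cutoff(self):
        """The rule number behind 'disabled from rule #N' in fwaccel stat:
        the first rule that cannot be accelerated. Connections matching
        that rule or a later one are never templated."""
        for r in self.rules:
            if not r.accelerable:
                return r.number
        return None

    def handle(self, src, sport, dst, dport, proto=6):
        key = (src, dst, dport, proto)
        if key in self.templates:
            return "template"            # fully accelerated, setup included
        cutoff = self.template_cutoff()
        for r in self.rules:             # first match wins, as in a rule base
            if r.dst == dst and r.dport == dport:
                if cutoff is None or r.number < cutoff:
                    self.templates.add(key)
                    return "rulebase+template"  # setup via rule base, then accelerated
                return "rulebase"        # matched at/after the cutoff: never templated
        return "drop"                    # constructed: no clean-up rule is modelled

def demo():
    # Constructed rule base; 22 is the cutoff number shown in the post's output.
    gw = Gateway(rules=[Rule(1, "11.0.0.1", 80, True),
                        Rule(22, "11.0.0.1", 443, False),
                        Rule(23, "11.0.0.1", 8443, True)])
    flows = [("10.0.0.1", 2000, "11.0.0.1", 80),
             ("10.0.0.1", 2001, "11.0.0.1", 80),
             ("10.0.0.1", 8000, "11.0.0.1", 80),
             ("10.0.0.2", 2000, "11.0.0.1", 80),    # other source IP: new template
             ("10.0.0.1", 4000, "11.0.0.1", 8443),  # rule 23 sits after the cutoff
             ("10.0.0.1", 4001, "11.0.0.1", 8443)]
    return [gw.handle(*f) for f in flows]
```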
Enable
```
$ fwaccel on
```
Disable
```
$ fwaccel off
```
Stats
```
$ fwaccel stats
Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
conns created        343916          conns deleted        343904
temporary conns      0               templates            0
nat conns            0               accel packets        28323057
accel bytes          1132922280      F2F packets          967733
ESP enc pkts         0               ESP enc err          0
ESP dec pkts         0               ESP dec err          0
ESP other err        0               espudp enc pkts      0
espudp enc err       0               espudp dec pkts      0
espudp dec err       0               espudp other err     0
AH enc pkts          0               AH enc err           0
AH dec pkts          0               AH dec err           0
AH other err         0               memory used          0
free memory          0               acct update interval 3600
current total conns  12              TCP violations       0
conns from templates 0               TCP conns            5
delayed TCP conns    0               non TCP conns        7
delayed nonTCP conns 0               F2F conns            6
F2F bytes            111808742       crypt conns          0
enc bytes            0               dec bytes            0
partial conns        0               anticipated conns    0
dropped packets      0               dropped bytes        0
nat templates        0               port alloc templates 0
conns from nat tmpl  0               port alloc conns     0
port alloc f2f       0               PXL templates        0
PXL conns            0               PXL packets          0
PXL bytes            0               PXL async packets    0

$ fwaccel stats -h
Usage: fwaccel stats <options>

Options:
  -s - print only statistics summary
  -d - drop from device statistics
  -h - this help message

$ fwaccel stats -s
Accelerated conns/Total conns : 6/11 (54%)
Accelerated pkts/Total pkts   : 28323782/29291579 (96%)
F2Fed pkts/Total pkts         : 967797/29291579 (3%)
PXL pkts/Total pkts           : 0/29291579 (0%)
```
Field descriptions:
| Statistic parameter | Explanation |
|---|---|
| conns created | Number of created connections |
| conns deleted | Number of deleted connections |
| temporary conns | Number of temporary connections |
| templates | Number of templates currently handled |
| nat conns | Number of NAT connections |
| accel packets | Number of accelerated packets |
| accel bytes | Number of accelerated traffic bytes |
| F2F packets | Number of packets handled by the VPN kernel in slow-path |
| ESP enc pkts | Number of ESP encrypted packets |
| ESP enc err | Number of ESP encrypted errors |
| ESP dec pkts | Number of ESP decrypted packets |
| ESP dec err | Number of ESP decrypted errors |
| ESP other err | Number of ESP other general errors |
| espudp enc pkts | Not in use |
| espudp enc err | Not in use |
| espudp dec pkts | Not in use |
| espudp dec err | Not in use |
| espudp other err | Not in use |
| AH enc pkts | Not in use |
| AH enc err | Not in use |
| AH dec pkts | Not in use |
| AH dec err | Not in use |
| AH other err | Not in use |
| memory used | Not in use |
| free memory | Not in use |
| acct update interval | Accounting update interval in seconds |
| current total conns | Number of connections currently handled |
| TCP violations | Number of packets which are in violation of the TCP state |
| conns from templates | Number of connections created from templates |
| TCP conns | Number of TCP connections currently handled |
| delayed TCP conns | Number of delayed TCP connections currently handled |
| non TCP conns | Number of non TCP connections currently handled |
| delayed nonTCP conns | Number of delayed non TCP connections currently handled |
| F2F conns | Number of connections currently handled by the VPN kernel in slow-path |
| F2F bytes | Number of traffic bytes handled by the VPN kernel in slow-path |
| crypt conns | Number of encrypted connections currently handled |
| enc bytes | Number of encrypted traffic bytes |
| dec bytes | Number of decrypted traffic bytes |
| partial conns | Number of partial connections currently handled |
| anticipated conns | Number of anticipated connections currently handled |
| dropped packets | Number of dropped packets |
| dropped bytes | Number of dropped traffic bytes |
| nat templates | Not in use |
| port alloc templates | Not in use |
| conns from nat tmpl | Not in use |
| port alloc conns | Not in use |
| port alloc f2f | Not in use |
| PXL templates | Number of PXL templates |
| PXL conns | Number of PXL connections |
| PXL packets | Number of PXL packets |
| PXL bytes | Number of PXL traffic bytes |
| PXL async packets | Number of PXL packets handled asynchronously |
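An added example, not from the post: a parser for the two-column fwaccel stats layout above that recomputes the ratios fwaccel stats -s prints (total packets = accelerated + F2F + PXL, which the post's own -s figures confirm: 28323782 + 967797 = 29291579). The sample is an excerpt of the post's output; the 10% slow-path threshold is a constructed value.

```python
SAMPLE = """\
Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
conns created        343916          conns deleted        343904
temporary conns      0               templates            0
nat conns            0               accel packets        28323057
accel bytes          1132922280      F2F packets          967733
current total conns  12              TCP violations       0
conns from templates 0               TCP conns            5
delayed nonTCP conns 0               F2F conns            6
PXL conns            0               PXL packets          0
"""  # excerpt of the post's own fwaccel stats output

def parse_fwaccel_stats(text):
    """Return {counter name: value}. Names contain spaces and sometimes
    digits ('F2F packets'), so tokens are accumulated until a pure-digit
    token, which is the value of the name collected so far."""
    stats = {}
    for line in text.splitlines():
        if line.startswith(("Name", "---")):
            continue
        name = []
        for tok in line.split():
            if tok.isdigit():
                stats[" ".join(name)] = int(tok)
                name = []
            else:
                name.append(tok)
    return stats

def summarize(stats):
    """The breakdown 'fwaccel stats -s' prints: total packets are the
    accelerated, F2F (slow-path) and PXL packets added together, and the
    percentages are truncated, as in the post's 6/11 (54%)."""
    accel, f2f, pxl = stats["accel packets"], stats["F2F packets"], stats["PXL packets"]
    total = accel + f2f + pxl
    return {"total pkts": total, "accel pct": accel * 100 // total,
            "f2f pct": f2f * 100 // total, "pxl pct": pxl * 100 // total}

def needs_rulebase_review(stats, max_f2f_pct=10):
    """True when the slow-path share exceeds the (constructed) threshold
    or no template is in use although connections are being created:
    the signs that a rule is stopping acceleration and the rule base
    needs optimizing."""
    s = summarize(stats)
    no_templates = stats["templates"] == 0 and stats["conns created"] > 0
    return s["f2f pct"] > max_f2f_pct or no_templates
```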
Connections
```
$ fwaccel conns
Source          SPort Destination     DPort PR Flags    C2S i/f S2C i/f Inst
--------------- ----- --------------- ----- -- -------- ------- ------- ----
1.1.1.1         42774 1.1.1.2         161   17 F....... 1/1     -/-     NA
2.2.2.2         514   3.3.3.3         514   17 .U...... 2/3     3/2     NA
3.3.3.5         514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
1.1.1.4         257   1.1.1.2         49340 6  F....... 1/1     1/-     NA
2.2.2.2         514   3.3.3.22        514   17 .U...... 2/3     3/2     NA
3.3.3.3         514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
3.3.3.8         514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
1.1.1.2         49340 1.1.1.4         257   6  F....... 1/1     1/-     NA
1.1.1.2         18192 1.1.1.4         42368 6  F....... 1/1     -/-     NA
1.1.1.4         52136 1.1.1.2         18192 6  F....... 1/1     -/-     NA
1.1.1.2         18192 1.1.1.4         52136 6  F....... 1/1     -/-     NA
1.1.1.1         50186 1.1.1.2         0     1  F....... 1/1     -/-     NA
2.2.2.2         514   3.3.3.8         514   17 .U...... 2/3     2/3     NA
1.1.1.4         42368 1.1.1.2         18192 6  F....... 1/1     -/-     NA
3.3.3.22        514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
2.2.2.2         514   3.3.3.5         514   17 .U...... 2/3     3/2     NA
1.1.1.88        38677 1.1.1.2         22    6  F....... 1/1     -/-     NA
1.1.1.2         161   1.1.1.1         42774 17 F....... 1/1     -/-     NA
1.3.3.77        514   2.2.2.2         514   17 .U...... 1/2     2/1     NA
2.2.2.2         514   3.3.3.63        514   17 .U...... 2/3     3/2     NA
1.1.1.2         22    1.1.1.88        38677 6  F....... 1/1     -/-     NA
2.2.2.2         514   3.3.3.77        514   17 .U...... 2/3     3/2     NA
1.1.1.2         0     1.1.1.1         50186 1  F....... 1/1     -/-     NA
3.3.3.63        514   2.2.2.2         514   17 .U...... 3/2     2/3     NA

Idx Interface
--- ---------
0   eth2c4
1   eth2c3
2   eth2c2
3   eth2c1
4   eth1c0

Total number of connections: 24

$ fwaccel conns -h
Usage: fwaccel conns <options>

Options:
  -m <max entries> - max number of entries to print
  -f <filter>      - print only entries matching the filter
  -s               - print only number of connections
  -h               - this help message

Filter (one or more of the above flags):
  F/f - forwarded to firewall/cut-through
  U/u - unidirectional/bidirectional
  N/n - entries with/without NAT
  A/a - accounted/not accounted
  C/c - encrypted/not encrypted
  P/p - partial/not partial
  S/s - pxl enabled/disabled

$ fwaccel conns -s
There are 52 connections in SecureXL connections table
```
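An added example (not from the post): a parser for the fwaccel conns table above that applies filters with the F/f and U/u semantics of the -f option and lists the destination ports still handled in the slow path. The F and U positions are taken from the sample rows; the order of the other flag letters is assumed to follow the -h legend.

```python
SAMPLE = """\
Source          SPort Destination     DPort PR Flags    C2S i/f S2C i/f Inst
--------------- ----- --------------- ----- -- -------- ------- ------- ----
1.1.1.1         42774 1.1.1.2         161   17 F....... 1/1     -/-     NA
2.2.2.2         514   3.3.3.3         514   17 .U...... 2/3     3/2     NA
1.1.1.4         257   1.1.1.2         49340 6  F....... 1/1     1/-     NA
1.1.1.88        38677 1.1.1.2         22    6  F....... 1/1     -/-     NA
"""  # rows taken from the post's fwaccel conns output

# Flag letter positions: F (index 0) and U (index 1) are confirmed by the
# sample rows; the remaining order is assumed to follow the -h legend.
FLAG_ORDER = "FUNACPS"

def parse_fwaccel_conns(text):
    """Return one dict per connection row; header, separator and the
    interface index lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[1].isdigit():
            continue
        src, sport, dst, dport, proto, flags = parts[:6]
        conns.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": int(proto),
                      "c2s": parts[6], "s2c": parts[7],
                      # uppercase letter = flag set (F = forwarded to firewall)
                      "flags": {n: flags[i].isupper() for i, n in enumerate(FLAG_ORDER)}})
    return conns

def filter_conns(conns, spec):
    """Same semantics as 'fwaccel conns -f': each uppercase letter keeps
    entries with that flag set, each lowercase letter those without it,
    so 'fU' means cut-through and unidirectional."""
    for ch in spec:
        conns = [c for c in conns if c["flags"][ch.upper()] == ch.isupper()]
    return conns

def f2f_by_dport(conns):
    """Destination ports still handled in the slow path (F set): the
    services whose rules are worth looking at when optimizing the
    rule base for acceleration."""
    counts = {}
    for c in filter_conns(conns, "F"):
        counts[c["dport"]] = counts.get(c["dport"], 0) + 1
    return counts
```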
Other resources:
More details on SecureXL
CheckPoint - More details on SecureXL - sk98348
CheckPoint - various commands and explanations
CheckPoint - debugging help - sk33781