SecureXL, or CheckPoint acceleration:

The acceleration feature offered by CheckPoint is called SecureXL. Roughly sketched, it works like this: a packet goes up as far as the evaluation of the firewall rules; if the connection can be accelerated, the firewall creates a "connection template" covering similar packets, and for subsequent connections these templates are checked before the packet is passed (if necessary) through the rulebase. Explained by example (figure: SecureXL_flow)

Example:

  • a connection from 10.0.0.1:2000 to 11.0.0.1:80 — the connection is established through the rulebase, then accelerated.
  • a connection from 10.0.0.1:2001 to 11.0.0.1:80 — fully accelerated (including connection establishment).
  • a connection from 10.0.0.1:8000 to 11.0.0.1:80 — fully accelerated (including connection establishment).
    HTTP requests to this server coming from the same source IP are accelerated, whatever the source port.

Limitations and restrictions of SecureXL

Syntax of the fwaccel command (figure: Syntaxe fwaccel)

Status

$ fwaccel stat
Accelerator Status : off
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, VirtualDefrag, GenerateIcmp,
                       IdleDetection, Sequencing, TcpStateDetect,
                       AutoExpire, DelayedNotif, TcpStateDetectV2,
                       McastRouting, WireMode, Streaming, MultiFW
Cryptography Features Mask : not available

In this case SecureXL is disabled; here is an example where it is enabled:

$ fwaccel stat
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     disabled from rule #22
Drop Templates     : disabled
NAT Templates      : disabled by Firewall
                     disabled from rule #22
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, WireMode,
                       DropTemplates, NatTemplates, Streaming
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, NatTraversal

Acceleration stops as soon as the connection matches a rule that cannot be accelerated (in the output above, templates are disabled from rule #22 onwards).
The rulebase must therefore be optimised accordingly, so that the bulk of the traffic is matched before that rule.
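To make the template mechanism concrete, here is a small Python model added to this page (not Check Point code). It assumes that accept templates are keyed on protocol, source IP, destination IP and destination port with the source port wildcarded, and that templates are only created for connections matched before the first non-accelerable rule (the "disabled from rule #N" line of fwaccel stat); the Rule and Gateway names are invented for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    number: int
    src: str                      # source IP or "any"
    dst: str                      # destination IP or "any"
    dport: Optional[int]          # None = any destination port
    accelerable: bool = True      # False = the rule cannot be accelerated


@dataclass
class Gateway:
    rules: list
    # assumption: accept templates are keyed on (proto, src, dst, dport); sport is wildcarded
    templates: set = field(default_factory=set)

    def templates_disabled_from(self):
        """Number of the first non-accelerable rule: templating stops there (None = never)."""
        for r in self.rules:
            if not r.accelerable:
                return r.number
        return None

    def match_rule(self, src, dst, dport):
        """First rule matching the 3-tuple, or None (implicit cleanup: drop)."""
        for r in self.rules:
            if r.src in ("any", src) and r.dst in ("any", dst) and r.dport in (None, dport):
                return r
        return None

    def handle(self, src, sport, dst, dport, proto=6):
        """Describe how a new connection is processed; sport is deliberately not used."""
        key = (proto, src, dst, dport)
        if key in self.templates:
            return "template hit: fully accelerated, rulebase skipped"
        rule = self.match_rule(src, dst, dport)
        if rule is None:
            return "no rule matched: dropped"
        if not rule.accelerable:
            return f"rule #{rule.number}: not accelerable, F2F for the whole connection"
        limit = self.templates_disabled_from()
        if limit is None or rule.number < limit:
            self.templates.add(key)
            return f"rule #{rule.number}: rulebase, then accelerated; template created"
        return f"rule #{rule.number}: rulebase, then accelerated; no template (disabled from rule #{limit})"
```

Feeding it the three connections from the example above reproduces the behaviour described: the first one goes through the rulebase and creates a template, the next two from other source ports hit the template directly.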

Enable

$ fwaccel on

Disable

$ fwaccel off

Stats

$ fwaccel stats
Name                  Value              Name                  Value
--------------------  ---------------    --------------------  ---------------
conns created                  343916    conns deleted                  343904
temporary conns                     0    templates                           0
nat conns                           0    accel packets                28323057
accel bytes                1132922280    F2F packets                    967733
ESP enc pkts                        0    ESP enc err                         0
ESP dec pkts                        0    ESP dec err                         0
ESP other err                       0    espudp enc pkts                     0
espudp enc err                      0    espudp dec pkts                     0
espudp dec err                      0    espudp other err                    0
AH enc pkts                         0    AH enc err                          0
AH dec pkts                         0    AH dec err                          0
AH other err                        0    memory used                         0
free memory                         0    acct update interval             3600
current total conns                12    TCP violations                      0
conns from templates                0    TCP conns                           5
delayed TCP conns                   0    non TCP conns                       7
delayed nonTCP conns                0    F2F conns                           6
F2F bytes                   111808742    crypt conns                         0
enc bytes                           0    dec bytes                           0
partial conns                       0    anticipated conns                   0
dropped packets                     0    dropped bytes                       0
nat templates                       0    port alloc templates                0
conns from nat tmpl                 0    port alloc conns                    0
port alloc f2f                      0    PXL templates                       0
PXL conns                           0    PXL packets                         0
PXL bytes                           0    PXL async packets                   0

$ fwaccel stats -h
Usage: fwaccel stats <options>

Options:
-s                      - print only statistics summary
-d                      - drop from device statistics
-h                      - this help message

$ fwaccel stats -s
Accelerated conns/Total conns : 6/11 (54%)
Accelerated pkts/Total pkts   : 28323782/29291579 (96%)
F2Fed pkts/Total pkts   : 967797/29291579 (3%)
PXL pkts/Total pkts   : 0/29291579 (0%)

Field descriptions:

Statistic parameter     Explanation
----------------------  --------------------------------------------------------------------
conns created           Number of created connections
conns deleted           Number of deleted connections
temporary conns         Number of temporary connections
templates               Number of templates currently handled
nat conns               Number of NAT connections
accel packets           Number of accelerated packets
accel bytes             Number of accelerated traffic bytes
F2F packets             Number of packets handled by the VPN kernel in slow-path
ESP enc pkts            Number of ESP encrypted packets
ESP enc err             Number of ESP encrypted errors
ESP dec pkts            Number of ESP decrypted packets
ESP dec err             Number of ESP decrypted errors
ESP other err           Number of ESP other general errors
espudp enc pkts         Not in use
espudp enc err          Not in use
espudp dec pkts         Not in use
espudp dec err          Not in use
espudp other err        Not in use
AH enc pkts             Not in use
AH enc err              Not in use
AH dec pkts             Not in use
AH dec err              Not in use
AH other err            Not in use
memory used             Not in use
free memory             Not in use
acct update interval    Accounting update interval in seconds
current total conns     Number of connections currently handled
TCP violations          Number of packets which are in violation of the TCP state
conns from templates    Number of connections created from templates
TCP conns               Number of TCP connections currently handled
delayed TCP conns       Number of delayed TCP connections currently handled
non TCP conns           Number of non TCP connections currently handled
delayed nonTCP conns    Number of delayed non TCP connections currently handled
F2F conns               Number of connections currently handled by the VPN kernel in slow-path
F2F bytes               Number of traffic bytes handled by the VPN kernel in slow-path
crypt conns             Number of encrypted connections currently handled
enc bytes               Number of encrypted traffic bytes
dec bytes               Number of decrypted traffic bytes
partial conns           Number of partial connections currently handled
anticipated conns       Number of anticipated connections currently handled
dropped packets         Number of dropped packets
dropped bytes           Number of dropped traffic bytes
nat templates           Not in use
port alloc templates    Not in use
conns from nat tmpl     Not in use
port alloc conns        Not in use
port alloc f2f          Not in use
PXL templates           Number of PXL templates
PXL conns               Number of PXL connections
PXL packets             Number of PXL packets
PXL bytes               Number of PXL traffic bytes
PXL async packets       Number of PXL packets handled asynchronously

Connections

$ fwaccel conns
Source          SPort Destination     DPort PR Flags    C2S i/f S2C i/f Inst
--------------- ----- --------------- ----- -- -------- ------- ------- ----
1.1.1.1         42774         1.1.1.2   161 17 F....... 1/1     -/-     NA
2.2.2.2           514         3.3.3.3   514 17 .U...... 2/3     3/2     NA
3.3.3.5           514         2.2.2.2   514 17 .U...... 3/2     2/3     NA
1.1.1.4           257         1.1.1.2 49340  6 F....... 1/1     1/-     NA
2.2.2.2           514        3.3.3.22   514 17 .U...... 2/3     3/2     NA
3.3.3.3           514         2.2.2.2   514 17 .U...... 3/2     2/3     NA
3.3.3.8           514         2.2.2.2   514 17 .U...... 3/2     2/3     NA
1.1.1.2         49340         1.1.1.4   257  6 F....... 1/1     1/-     NA
1.1.1.2         18192         1.1.1.4 42368  6 F....... 1/1     -/-     NA
1.1.1.4         52136         1.1.1.2 18192  6 F....... 1/1     -/-     NA
1.1.1.2         18192         1.1.1.4 52136  6 F....... 1/1     -/-     NA
1.1.1.1         50186         1.1.1.2     0  1 F....... 1/1     -/-     NA
2.2.2.2           514         3.3.3.8   514 17 .U...... 2/3     2/3     NA
1.1.1.4         42368         1.1.1.2 18192  6 F....... 1/1     -/-     NA
3.3.3.22          514         2.2.2.2   514 17 .U...... 3/2     2/3     NA
2.2.2.2           514         3.3.3.5   514 17 .U...... 2/3     3/2     NA
1.1.1.88        38677         1.1.1.2    22  6 F....... 1/1     -/-     NA
1.1.1.2           161         1.1.1.1 42774 17 F....... 1/1     -/-     NA
1.3.3.77          514         2.2.2.2   514 17 .U...... 1/2     2/1     NA
2.2.2.2           514        3.3.3.63   514 17 .U...... 2/3     3/2     NA
1.1.1.2            22        1.1.1.88 38677  6 F....... 1/1     -/-     NA
2.2.2.2           514        3.3.3.77   514 17 .U...... 2/3     3/2     NA
1.1.1.2             0         1.1.1.1 50186  1 F....... 1/1     -/-     NA
3.3.3.63          514         2.2.2.2   514 17 .U...... 3/2     2/3     NA

Idx Interface
--- ---------
  0 eth2c4
  1 eth2c3
  2 eth2c2
  3 eth2c1
  4 eth1c0

Total number of connections: 24

$ fwaccel conns -h
Usage: fwaccel conns <options>

Options:
-m <max entries>        - max number of entries to print
-f <filter>             - print only entries matching the filter
-s                      - print only number of connections
-h                      - this help message

Filter (one or more of the above flags):
F/f                     - forwarded to firewall/cut-through
U/u                     - unidirectional/bidirectional
N/n                     - entries with/without NAT
A/a                     - accounted/not accounted
C/c                     - encrypted/not encrypted
P/p                     - partial/not partial
S/s                     - pxl enabled/disabled

$ fwaccel conns -s
There are 52 connections in SecureXL connections table
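As an added example (not part of the original post and not a Check Point tool), the following Python script parses the fwaccel conns table into records and groups the connections still forwarded to the firewall (flag F) by service, which is what you would look at when deciding which rules to optimise. The sample output is constructed in the same layout as the table above; parse_conns and summarize are names chosen for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of `fwaccel conns` (values made up for this example)
SAMPLE = """\
Source          SPort Destination     DPort PR Flags    C2S i/f S2C i/f Inst
--------------- ----- --------------- ----- -- -------- ------- ------- ----
1.1.1.1         42774         1.1.1.2   161 17 F....... 1/1     -/-     NA
2.2.2.2           514         3.3.3.3   514 17 .U...... 2/3     3/2     NA
1.1.1.88        38677         1.1.1.2    22  6 F....... 1/1     -/-     NA
1.1.1.2            22        1.1.1.88 38677  6 F....... 1/1     -/-     NA
3.3.3.5           514         2.2.2.2   514 17 .U...... 3/2     2/3     NA

Idx Interface
--- ---------
  0 eth2c4
"""

# src sport dst dport proto flags ... (real output may separate columns with tabs)
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([A-Z.]+)\s")


def parse_conns(text):
    """Yield one dict per connection row; flag letters are those of `fwaccel conns -h`."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator lines and the interface index table
        src, sport, dst, dport, proto, flags = m.groups()
        yield {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
               "proto": int(proto), "flags": set(flags) - {"."}}


def summarize(text):
    """Count accelerated vs forwarded (F) connections and group the F2F ones by service."""
    conns = list(parse_conns(text))
    f2f = [c for c in conns if "F" in c["flags"]]
    return {"total": len(conns), "f2f": len(f2f), "accelerated": len(conns) - len(f2f),
            "unidirectional": sum("U" in c["flags"] for c in conns),
            "f2f_by_service": Counter((c["proto"], c["dst"], c["dport"]) for c in f2f)}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"Accelerated conns/Total conns : {s['accelerated']}/{s['total']}")
    for (proto, dst, dport), n in s["f2f_by_service"].most_common():
        print(f"  F2F proto {proto:>2} -> {dst}:{dport}  ({n} conn)")
```

On a gateway, pipe the real output in with `fwaccel conns -m <n> | python3 script.py` after replacing SAMPLE by sys.stdin.read(); `fwaccel conns -f F` gives the same subset directly but without the grouping.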

Other resources:

More details on SecureXL
CheckPoint - More details on SecureXL - sk98348
CheckPoint - Various commands and explanations
CheckPoint - Debugging help - sk33781