CP R80.20 PerformanceTuning AdminGuide

Checkpoint

Uploaded by

Aitor Carazo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
523 views

CP R80.20 PerformanceTuning AdminGuide

Checkpoint

Uploaded by

Aitor Carazo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 330

5 August 2019

PERFORMANCE TUNING

R80.20

Administration Guide
Classification: [Protected]
CHAPTER 1

© 2019 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page https://www.checkpoint.com/copyright/ for a list of our trademarks.
Refer to the Third Party copyright notices
https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/ for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page
https://www.checkpoint.com/products-solutions/certified-check-point-solutions/.

Check Point R80.20


For more about this release, see the R80.20 home page
http://supportcontent.checkpoint.com/solutions?id=sk122485.

Latest Version of this Document


Open the latest version of this document in a Web browser:
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGuide/html_frameset.htm
Download the latest version of this document in PDF format:
http://downloads.checkpoint.com/dc/download.htm?ID=58289

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments to
mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Performance Tuning R80.20 Administration Guide

Revision History

05 August 2019 - Updated:
• In Multi-Queue (on page 233) - Overriding RX queue and interface limitations (on page 244) (added a warning)

23 May 2019 - Improved formatting and document layout.
Updated:
• Packet Flow (on page 15) in SecureXL
• Introduction to Multiple Traffic Queues (on page 233)
• Special Scenarios and Configurations (on page 245) (for Multi-Queue)
• fwaccel cfg (on page 27)
• SecureXL Debug Modules and Debug Flags (on page 174) - added flags in Module adp
• Kernel Debug Syntax (on page 262) - added information about the unified log file
Added:
• Multiple Acceleration Cards
• Scalability on the Falcon Acceleration Cards (on page 17)
• Setting Affinities for Falcon Acceleration Cards Ports (on page 197)
• Processing Packets that Arrive in the Wrong Order on an Interface that Works in Monitor Mode (on page 247)

14 January 2019 - Updated:
• SecureXL Commands and Debug (on page 25)
• Multi-Queue (on page 233) section
• Kernel Debug on Security Gateway (on page 262)
Added:
• Working with Kernel Parameters on Security Gateway (on page 253)

10 October 2018 - Updated:
• Terms section
• Accelerated SYN Defender (on page 23)
Added:
• Command Line Reference (on page 252)
• Kernel Debug on Security Gateway (on page 262)

08 October 2018 - Updated:
• Configuring SecureXL (on page 18) - added a note that if you disable the SecureXL, non-connection oriented processing continues to function (for example, virtual defragmentation, VPN decrypt)

04 October 2018 - Improved formatting and document layout for HTML guide

02 October 2018 - Updated:
• Configuring SecureXL (on page 18)
Removed:
• cp_conf sxl command, because it is not supported anymore

26 September 2018 - First release of this document
Contents
Important Information .............................................................................................................. 3
Terms........................................................................................................................................... 9
SecureXL and Falcon Acceleration Cards in R80.20.......................................................... 13
Accelerated Features ......................................................................................................... 14
Packet Flow .......................................................................................................................... 15
Connection Templates........................................................................................................ 17
Policy Installation Acceleration ........................................................................................ 17
Scalable Performance ........................................................................................................ 17
Scalability on the Falcon Acceleration Cards ................................................................. 17
Configuring SecureXL......................................................................................................... 18
Analyzing the Accelerated Traffic .................................................................................... 20
Rate Limiting for DoS Mitigation....................................................................................... 21
Overview............................................................................................................................ 21
Monitoring Events Related to DoS Mitigation................................................................... 21
Accelerated SYN Defender ................................................................................................ 23
SecureXL Commands and Debug ..................................................................................... 25
'fwaccel' and 'fwaccel6' .................................................................................................... 25
'sim' and 'sim6' ............................................................................................................... 114
'fw sam_policy' and 'fw6 sam_policy' ............................................................................ 126
The /proc/ppk/ and /proc/ppk6/ entries ........................................................................ 145
SecureXL Debug.............................................................................................................. 166
CoreXL .....................................................................................................................................181
Enabling and Disabling CoreXL.......................................................................................182
Default Configuration of CoreXL.....................................................................................183
Configuring IPv4 and IPv6 CoreXL Firewall instances ................................................185
CoreXL Unsupported Features .......................................................................................189
Configuring Affinity Settings ...........................................................................................190
The $FWDIR/conf/fwaffinity.conf Configuration File..................................................... 190
The $FWDIR/scripts/fwaffinity_apply Script ................................................................. 191
Performance Tuning .........................................................................................................192
Allocation of Processing CPU Cores .............................................................................. 192
CoreXL Commands ...........................................................................................................202
'fw ctl multik' and 'fw6 ctl multik' .................................................................................. 202
fw ctl affinity.................................................................................................................... 221
fw -i.................................................................................................................................. 232
Multi-Queue ............................................................................................................................233
Introduction to Multiple Traffic Queues.........................................................................233
Multi-Queue Requirements and Limitations.................................................................. 233
Deciding Whether to Enable the Multi-Queue................................................................ 234
Multi-Queue Administration ............................................................................................237
Basic Multi-Queue Configuration ...................................................................................238
Advanced Multi-Queue settings ......................................................................................240
Overriding RX queue and interface limitations .............................................................. 244
Special Scenarios and Configurations ...........................................................................245
Default Number of Active RX Queues............................................................................. 245
Changing the Status of an Interface with Enabled Multi-Queue ................................... 246
Adding a Network Interface............................................................................................ 246
Changing the Affinity of CoreXL Firewall instances ...................................................... 247
Processing Packets that Arrive in the Wrong Order on an Interface that Works in Monitor Mode ...... 247
Troubleshooting ................................................................................................................248
CPView .....................................................................................................................................250
Overview of CPView...........................................................................................................250
CPView User Interface......................................................................................................250
Using CPView .....................................................................................................................251
Command Line Reference....................................................................................................252
Working with Kernel Parameters on Security Gateway..................................................253
Introduction to Kernel Parameters ................................................................................253
FireWall Kernel Parameters ...........................................................................................254
SecureXL Kernel Parameters .........................................................................................259
Kernel Debug on Security Gateway ....................................................................................262
Kernel Debug Syntax ........................................................................................................262
Kernel Debug Filters ........................................................................................................268
Kernel Debug Procedure .................................................................................................272
Kernel Debug Procedure with Connection Life Cycle .................................................274
Kernel Debug Modules and Debug Flags ......................................................................279
Module 'accel_apps' (Accelerated Applications) ........................................................... 281
Module 'accel_pm_mgr' (Accelerated Pattern Match Manager) .................................. 282
Module 'APPI' (Application Control Inspection) ............................................................. 283
Module 'BOA' (Boolean Analyzer for Web Intelligence)................................................. 284
Module 'CI' (Content Inspection) .................................................................................... 285
Module 'cluster' (ClusterXL)........................................................................................... 286
Module 'cmi_loader' (Context Management Interface/Infrastructure Loader)............ 288
Module 'CPAS' (Check Point Active Streaming) ............................................................. 289
Module 'cpcode' (Data Loss Prevention - CPcode) ........................................................ 290
Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness)...... 291
Module 'dlpk' (Data Loss Prevention - Kernel Space) ................................................... 292
Module 'dlpuk' (Data Loss Prevention - User Space) .................................................... 293
Module 'fg' (FloodGate-1 - QoS) ..................................................................................... 294
Module 'FILEAPP' (File Application)............................................................................... 295
Module 'fw' (Firewall) ..................................................................................................... 296
Module 'gtp' (GPRS Tunneling Protocol)........................................................................ 300
Module 'h323' (VoIP H.323) ............................................................................................. 301
Module 'ICAP_CLIENT' (Internet Content Adaptation Protocol Client)......................... 302
Module 'IDAPI' (Identity Awareness API) ....................................................................... 303
Module 'kiss' (Kernel Infrastructure)............................................................................. 304
Module 'kissflow' (Kernel Infrastructure Flow)............................................................. 306
Module 'MALWARE' (Threat Prevention) ....................................................................... 307
Module 'multik' (Multi-Kernel Inspection - CoreXL)...................................................... 308
Module 'MUX' (Multiplexer for Applications Traffic)...................................................... 309
Module 'NRB' (Next Rule Base)...................................................................................... 310
Module 'PSL' (Passive Streaming Library)..................................................................... 311
Module 'RAD_KERNEL' (Resource Advisor - Kernel Space) ......................................... 312
Module 'RTM' (Real Time Monitoring)............................................................................ 313
Module 'seqvalid' (TCP Sequence Validator and Translator) ........................................ 314
Module 'SFT' (Stream File Type) .................................................................................... 315
Module 'SGEN' (Struct Generator) ................................................................................. 316
Module 'synatk' (Accelerated SYN Defender) ................................................................ 317
Module 'UC' (UserCheck)................................................................................................ 318
Module 'UP' (Unified Policy) ........................................................................................... 319
Module 'upconv' (Unified Policy Conversion) ................................................................. 321
Module 'UPIS' (Unified Policy Infrastructure)................................................................ 322
Module 'VPN' (Site-to-Site VPN and Remote Access VPN)............................................ 324
Module 'WS' (Web Intelligence)...................................................................................... 326
Module 'WS_SIP' (Web Intelligence VoIP SIP Parser) ................................................... 328
Module 'WSIS' (Web Intelligence Infrastructure) .......................................................... 330
Terms

Accelerated Path
Packet flow on the Host Security Appliance and Falcon Acceleration Cards, when the packet is completely handled by the SecureXL device. It is processed and forwarded to the network.

Accept Templates
SecureXL feature that accelerates the speed at which a connection is established by matching a new connection to a set of attributes. When a new connection matches the SecureXL Accept Template, subsequent connections are established without performing a rule match, and therefore are accelerated. Accept Templates are generated from active connections according to policy rules. Currently, Accept Template acceleration is performed only on connections with the same destination port (using wildcards for source ports).

Affinity
The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.

ClusterXL
Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization.
These Check Point Security Gateways are installed on Gaia OS:
• ClusterXL supports up to 5 Cluster Members.
• VRRP Cluster supports up to 2 Cluster Members.
• VSX VSLS cluster supports up to 13 Cluster Members.
Note - In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to the amount of Delta Sync traffic.

Connection Rate Acceleration
The SecureXL improves the rate of new connections (connections per second) and the connection set up / tear down rate (sessions per second). To accelerate the rate of new connections, the SecureXL still processes connections that do not match a specified 5-tuple. For example, if the source port is masked, then only the other 4-tuple attributes require a match. When a connection is processed on the accelerated path, the SecureXL creates an Accept Template of that connection that does not include the source port. A new connection that matches the other 4-tuple attributes is processed on the accelerated path, because it matches the Accept Template. The Firewall module does not inspect the new connection, which increases the Firewall connection rates.
The SecureXL and the Firewall module keep their own state tables and communicate updates to each other:
• Connection notification - The SecureXL passes the relevant information about accelerated connections that match Accept Templates.
• Connection offload - The Firewall kernel passes the relevant information about the connections from the Firewall kernel Connections table to the SecureXL Connections table.

CoreXL
A performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores.

CoreXL Dynamic Dispatcher
Improved CoreXL SND feature. Part of CoreXL that distributes packets between CoreXL Firewall instances. Traffic distribution between CoreXL Firewall instances is dynamically based on the utilization of the CPU cores on which the CoreXL Firewall instances are running. The dynamic decision is made for the first packets of connections, by assigning each of the CoreXL Firewall instances a rank, and selecting the CoreXL Firewall instance with the lowest rank. The rank for each CoreXL Firewall instance is calculated according to its CPU utilization. The higher the CPU utilization, the higher the CoreXL Firewall instance's rank is, hence this CoreXL Firewall instance is less likely to be selected by the CoreXL SND. See sk105261 http://supportcontent.checkpoint.com/solutions?id=sk105261.

CoreXL Firewall Instance
On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one processing CPU core. These firewall instances handle traffic at the same time, and each firewall instance is a complete and independent firewall inspection kernel.

CoreXL SND
Secure Network Distributer. Part of CoreXL that is responsible for:
• Processing incoming traffic from the network interfaces
• Securely accelerating authorized packets (if SecureXL is enabled)
• Distributing non-accelerated packets between Firewall kernel instances (SND maintains a global dispatching table, which maps connections that were assigned to CoreXL Firewall instances)
Traffic distribution between CoreXL Firewall instances is statically based on Source IP addresses, Destination IP addresses, and the IP 'Protocol' type.
The SND does not really "touch" packets. The decision to stick to a particular FWK core is done at the first packet of a connection on a very high level, before anything else. Depending on the SecureXL settings, and in most of the cases, the SecureXL can be offloading decryption calculations. However, in some other cases, such as with Route-Based VPN, it is done by FWK.

CPAS
Check Point Active Streaming. Check Point technology that allows to change data and play the role of "man in the middle". Several Check Point products use CPAS. For example: Client Authentication, VoIP (SIP, Skinny/SCCP, H.323, etc.), Data Loss Prevention, and Security Servers.

Drop Templates
SecureXL feature that accelerates the speed at which a connection is dropped by matching a new connection to a set of attributes. When a new connection matches the Drop Template, subsequent connections are dropped without performing a rule match and therefore are accelerated. Currently, Drop Template acceleration is performed only on connections with the same destination port (does not use wildcards for source ports).

F2F
Denotes non-VPN connections that SecureXL forwarded to the firewall. See Firewall Path.

F2V
Denotes VPN connections that SecureXL forwarded to the firewall. See Firewall Path.

Fast Path
See Accelerated Path.

Firewall Path
Packet flow on the Host Security Appliance, when the SecureXL device is unable to process the packet (see sk32578 http://supportcontent.checkpoint.com/solutions?id=sk32578). The packet is passed to the CoreXL layer and then to one of the CoreXL Firewall instances for full processing. This path also processes all packets when SecureXL is disabled. This path is also called Slow Path.

IPv4
Internet Protocol Version 4 (see RFC 791 https://tools.ietf.org/html/rfc791). A 32-bit number - 4 sets of numbers, each set can be from 0 - 255. For example, 192.168.2.1.

IPv6
Internet Protocol Version 6 (see RFC 2460 https://www.ietf.org/rfc/rfc2460.txt and RFC 3513 https://tools.ietf.org/html/rfc3513). A 128-bit number - 8 sets of hexadecimal numbers, each set can be from 0 - ffff. For example, FEDC:BA98:7654:3210:FEDC:BA98:7654:3210.

IRQ Affinity
A state of binding an IRQ to one or more CPU cores.

Medium Path (CPASXL)
Name for the combination of CPAS and SecureXL. Starting in R80.20, the CPAS also uses the SecureXL path to achieve a higher performance.
Example:

Medium Path (PXL)
Packet flow on the Host Security Appliance, when the packet is handled by the SecureXL device. The CoreXL layer passes the packet to one of the CoreXL Firewall instances to process it. Even when CoreXL is disabled, the SecureXL uses the CoreXL infrastructure to send the packet to the single FW instance that still functions. When the Medium Path is available, the SecureXL fully accelerates the TCP handshake. Rule Base match is achieved for the first packet through an existing connection acceleration template. The SecureXL also fully accelerates the TCP [SYN-ACK] and TCP [ACK] packets. However, once data starts to flow, to stream it for Content Inspection, an FWK instance now handles the packets. The SecureXL sends all packets that contain data to FWK for data extraction in order to build the data stream.
Only the SecureXL handles the TCP [RST], TCP [FIN] and TCP [FIN-ACK] packets, because they do not contain data that needs to be streamed. This path is available only when CoreXL is enabled.
Exceptions are:
• IPS (some protections)
• VPN (in some configurations)
• Application Control
• Content Awareness
• Anti-Virus
• Anti-Bot
• HTTPS Inspection
• Proxy mode
• Mobile Access
• VoIP
• Web Portals

Multi-Queue
An acceleration feature that lets you assign more than one packet queue and CPU core to an interface.

NAT Templates
SecureXL feature that accelerates the speed at which NAT connections are processed. SecureXL Templates are supported for Static NAT and Hide NAT using the existing SecureXL Accept Templates mechanism.

Priority Queues
In cases where traffic levels exceed the capabilities of the Security Gateway hardware, because of either legitimate traffic or a DoS attack, it is crucial that the Security Gateway maintains the management communication and continues to interact with dynamic routing neighbors. The Priority Queues functionality prioritizes control connections over data connections. See sk105762 http://supportcontent.checkpoint.com/solutions?id=sk105762.

PSL
Passive Streaming Library.
Packets may arrive at the Security Gateway out of order, or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases, a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. The Security Gateway ensures that only valid packets are allowed to proceed to their destinations. It does this with the Passive Streaming Library (PSL) technology.
• The PSL is an infrastructure layer, which provides stream reassembly for TCP connections.
• The Security Gateway makes sure that TCP data seen by the destination system is the same as seen by code above PSL.
• The PSL handles packet reordering, congestion, and is responsible for various security aspects of the TCP layer, such as handling payload overlaps, some DoS attacks, and others.
• The PSL is capable of receiving packets from the Firewall chain and from the SecureXL.
• The PSL serves as a middleman between the various security applications and the network packets. It provides the applications with a coherent stream of data to work with, free of various network problems or attacks.
• The PSL infrastructure is wrapped with well-defined APIs called the Unified Streaming APIs, which are used by the applications to register and access streamed data.
For more details, see sk95193 - ATRG: IPS http://supportcontent.checkpoint.com/solutions?id=sk95193.

PSLXL
Technology name for the combination of SecureXL and PSL (Passive Streaming Library). In R80.10 and lower versions, it was called PXL.

QXL
Technology name for the combination of SecureXL and QoS. This has no direct association with PXL. It is used exclusively for QoS.

RX Queue
Receive packet queue. See Multi-Queue.

SecureXL
Check Point acceleration solution that maximizes performance of the Firewall and does not compromise security. When enabled, some CPU intensive operations are processed by virtualized software or dedicated hardware (for example, an acceleration card) instead of the Firewall kernel.

Slow Path
See Firewall Path.

Throughput Acceleration
The first packets of a new TCP connection require more inspection when processed by the Firewall module. If the connection is eligible for acceleration, after minimal security inspection, the packet is offloaded to the SecureXL device associated with the applicable outbound interface. Subsequent packets of the connection can be processed on the accelerated path and directly sent from the inbound to the outbound interface through the SecureXL device.

Traffic
The flow of data between network devices.

TX queue
Transmit packet queue. See Multi-Queue.
CHAPTER 2

SecureXL and Falcon Acceleration Cards in R80.20
In This Section:
Accelerated Features ...................................................................................... 14
Packet Flow .................................................................................................... 15
Connection Templates ..................................................................................... 17
Policy Installation Acceleration ........................................................................ 17
Scalable Performance ..................................................................................... 17
Scalability on the Falcon Acceleration Cards ..................................................... 17
Configuring SecureXL ...................................................................................... 18
Analyzing the Accelerated Traffic ..................................................................... 20
Rate Limiting for DoS Mitigation ....................................................................... 21
Accelerated SYN Defender ............................................................................... 23
SecureXL Commands and Debug...................................................................... 25

R80.20 includes enhancements for SecureXL acceleration.


Acceleration has been boosted with enhancements to SecureXL and the introduction of the Falcon
Acceleration Card.
SecureXL is automatically installed and enabled when you run the First Time Configuration Wizard
on your Security Gateway. There is no configuration required.
Acceleration is automatic and starts when the acceleration card is inserted into the Host Security
Appliance. All software upgrades are automatically pushed from the Host Security Appliance to
the acceleration cards.

Performance Tuning Administration Guide R80.20 | 13

Accelerated Features
R80.20 includes enhanced performance of these security functions:
• Access control
• Encryption
• NAT
• Software Blades
• Firewall
• IPS features
• Application Control
• URL Filtering
• Anti-Virus
• Anti-Bot
• Identity Awareness (SecureXL does not create templates for traffic from Identity Agents)
• VPN Site-to-Site
• HTTPS Inspection
• QoS
• Policy installation
• Accounting and logging
• Connection/session rate
• General security checks
• ClusterXL High Availability
• TCP Sequence Verification
• Dynamic VPN
• Passive streaming
• Active streaming

Packet Flow
This is the general description of the packet flow through the Host Security Appliance without
Falcon Acceleration Cards:

This is the general description of the packet flow through the Host Security Appliance with the
installed Falcon Acceleration Cards (sk116242
http://supportcontent.checkpoint.com/solutions?id=sk116242):

For additional information, see this thread on the Check Point CheckMates Community:
https://community.checkpoint.com/docs/DOC-3041-r80x-security-gateway-architecture-logical-packet-flow


Connection Templates
The Connection Templates feature accelerates the rate at which new connections from the
same source IP address to the same destination IP address and the same destination port are
established. To achieve the maximum acceleration enhancement, only the Firewall on the Host
Security Appliance creates these Connection Templates from active connections according to the
Rule Base.
Important - For the list of restrictions that apply to the Connection Templates, see sk32578
http://supportcontent.checkpoint.com/solutions?id=sk32578.

Policy Installation Acceleration


Acceleration is enabled during policy installation. SecureXL continues to run and stay enabled
during a policy installation. This decreases the load on the Security Gateway's CPU.

Scalable Performance
R80.20 and higher versions include improved SecureXL scalability at high session rates.
As a result, there are no longer limitations on the number of CoreXL SND cores.

Scalability on the Falcon Acceleration Cards


By default, one SecureXL instance always runs on the Host Security Appliance.
Each installed Falcon Acceleration Card adds a SecureXL instance.
Refer to the output of the fwaccel stat command.


Configuring SecureXL
The Gaia First Time Configuration Wizard automatically installs and enables SecureXL on your
Security Gateway. No additional configuration is required.
Starting from R80.20, you can disable the SecureXL only temporarily. The SecureXL starts
automatically when you start Check Point services (with the cpstart command), or reboot the
Security Gateway.
Important:
• Disable the SecureXL only for debug purposes, if Check Point Support explicitly instructs you
to do so.
• If you disable the SecureXL, this change does not survive reboot.
SecureXL remains disabled until you enable it again on-the-fly, or reboot the Security Gateway.
• If you disable the SecureXL, this change applies only to new connections that arrive after you
disable the acceleration.
SecureXL continues to accelerate the connections that are already accelerated.
Other non-connection oriented processing continues to function (for example, virtual
defragmentation and VPN decrypt).
• In Cluster, you must configure the SecureXL in the same way on all of the cluster members.

To temporarily disable SecureXL for IPv4:


Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish, or Expert mode.
3 Examine the SecureXL status:
fwaccel stat (on page 69)
4 Disable the SecureXL:
fwaccel off [-a] (on page 58)
5 Examine the SecureXL status again:
fwaccel stat (on page 69)

To temporarily disable SecureXL for IPv6:


Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish, or Expert mode.
3 Examine the SecureXL status:
fwaccel6 stat (on page 69)
4 Disable the SecureXL:
fwaccel6 off [-a] (on page 58)
5 Examine the SecureXL status again:
fwaccel6 stat (on page 69)

To enable SecureXL again for IPv4:


Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish, or Expert mode.
3 Examine the SecureXL status:
fwaccel stat (on page 69)
4 Enable the SecureXL:
fwaccel on [-a] (on page 61)
5 Examine the SecureXL status again:
fwaccel stat (on page 69)

To enable SecureXL again for IPv6:


Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish, or Expert mode.
3 Examine the SecureXL status:
fwaccel6 stat (on page 69)
4 Enable the SecureXL:
fwaccel6 on [-a] (on page 61)
5 Examine the SecureXL status again:
fwaccel6 stat (on page 69)


Analyzing the Accelerated Traffic


To capture and analyze the accelerated traffic, run the fw monitor command. For detailed
information, see the R80.20 Command Line Interface Reference Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/html_frameset.htm
> Chapter Security Gateway Commands > Section fw > Section fw monitor.
Note - In R80.20, FW Monitor captures all accelerated traffic (FW Monitor filter expressions do not
apply).


Rate Limiting for DoS Mitigation


Overview
Rate Limiting is a defense against DoS (Denial of Service) attacks. Rate Limiting rules let you
limit traffic that comes from specified sources, is sent to specified destinations, or uses specific
services.
Rate limiting is enforced by SecureXL on these:
• Bandwidth and packet rate
• Number of concurrent connections
• Connection rate
For additional information, see sk112454: How to configure Rate Limiting rules for DoS Mitigation
http://supportcontent.checkpoint.com/solutions?id=sk112454.
Use the commands below to configure Rate Limiting for DoS Mitigation:
• 'fw sam_policy' and 'fw6 sam_policy' (on page 126) (you must use the parameter "quota
<Quota Filter Arguments>")
• 'fwaccel dos config' and 'fwaccel6 dos config' (on page 40)

Monitoring Events Related to DoS Mitigation


To see some information related to DoS Mitigation, run these commands:

Command Description
fwaccel stats
fwaccel6 stats
  Shows all SecureXL statistics (for IPv4 and IPv6 kernel modules).
  See:
  • 'fwaccel stats' and 'fwaccel6 stats' (on page 72).
  • The /proc/ppk/ and /proc/ppk6/ entries (on page 145).
fwaccel stats -d
or
cat /proc/ppk/drop_statistics
fwaccel6 stats -d
or
cat /proc/ppk6/drop_statistics
  Shows SecureXL drop statistics only (for IPv4 and IPv6 kernel modules).
  See:
  • 'fwaccel stats' and 'fwaccel6 stats' (on page 72).
  • The /proc/ppk/ and /proc/ppk6/ entries (on page 145).
fw samp get -l |\
grep '^<[0-9a-f,]*>$' |\
xargs fwaccel dos rate get
fw samp get -l |\
grep '^<[0-9a-f,]*>$' |\
xargs fwaccel6 dos rate get
  Shows details of active policy rules in long format (for IPv4 and IPv6 kernel modules).
  See 'fw sam_policy get' and 'fw6 sam_policy get' (on page 142).
cat /proc/ppk/rlc
  Shows:
  • Total drop packets
  • Total drop bytes
  See The /proc/ppk/ and /proc/ppk6/ entries (on page 145).
In addition, see SecureXL Debug (on page 166).


Accelerated SYN Defender


Introduction
A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of
TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which
causes the server to create a half-open (unestablished) TCP connection. This occurs because the
server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive.
These half-open TCP connections eventually exceed the maximum available TCP connections.
This causes a denial of service condition.
The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive
TCP connections from being created.
The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence
numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce
the load on Security Gateway and on computers behind the Security Gateway. The Accelerated
SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in
TCP packets.
This is a sample TCP timeline diagram that shows a TCP connection through the Security Gateway
with the enabled Accelerated SYN Defender:
Note - In this example, we assume that there are no TCP retransmissions and no early data.
Client                Security Gateway with            Server
                      Accelerated SYN Defender
  |                            |                            |
  | -(1)--SYN------------>     |                            |
  | <---SYN+ACK--(2)------     |                            |
  | -(3)--ACK------------>     |                            |
  |                            |                            |
  |                           (4)                           |
  |                            |                            |
  |                            | -(5)--SYN------------>     |
  |                            | <---SYN+ACK--(6)------     |
  |                            | -(7)--ACK------------>     |
  |                            |                            |
1. A Client sends a TCP [SYN] packet to a Server.
2. The Accelerated SYN Defender replies to the Client with a TCP [SYN+ACK] packet that contains
a special cookie in the Seq field. Security Gateway does not maintain the connection state at
this time.
3. The Client sends a reply TCP [ACK] packet. This completes the Client-side of the TCP
connection.
4. The Accelerated SYN Defender checks if the SYN cookie in the Client's TCP [ACK] packet is
legitimate.
5. If the SYN cookie in the Client's TCP [ACK] packet is legitimate, the Accelerated SYN Defender
sends a TCP [SYN] packet to the Server to begin the Server-side of the TCP connection.
6. The Server replies with a TCP [SYN+ACK] packet.
7. The Accelerated SYN Defender sends a TCP [ACK] packet to complete the Server-side of the
TCP 3-way handshake.
8. The Accelerated SYN Defender marks the TCP connection as established and records the TCP
sequence adjustment between the two sides.

SecureXL handles the TCP [SYN] packets. The Host Security Gateway handles the rest of the TCP
connection setup.
For each TCP connection the Accelerated SYN Defender establishes, the Security Gateway adjusts
the TCP sequence number for the life of that TCP connection.
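The handshake and the sequence adjustment described above, modelled as a toy SYN proxy in Python. This is an added illustration, not Check Point's implementation: the cookie derivation (a keyed hash over the client 4-tuple and a coarse time slot), the 30-second slot width and the sample addresses are assumptions made for the example.

```python
import hashlib
import hmac

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def syn_cookie(key: bytes, client: tuple, t_slot: int) -> int:
    """Derive a 32-bit initial sequence number that doubles as a cookie.

    Assumed scheme: keyed hash over the 4-tuple and a coarse time slot, so the
    gateway can verify a later ACK without having stored any per-SYN state.
    """
    src, sport, dst, dport = client
    msg = f"{src}:{sport}>{dst}:{dport}@{t_slot}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class SynDefender:
    """Toy SYN proxy covering steps (2), (4) and (5)-(8) of the timeline above."""

    def __init__(self, key: bytes, slot_seconds: int = 30):
        self.key = key
        self.slot_seconds = slot_seconds
        # 4-tuple -> (ISN the gateway gave the client, ISN the server chose)
        self.established = {}

    def _slot(self, now: float) -> int:
        return int(now // self.slot_seconds)

    def on_client_syn(self, client: tuple, now: float) -> int:
        """Step (2): reply SYN+ACK whose SEQ is the cookie. No state is kept."""
        return syn_cookie(self.key, client, self._slot(now))

    def cookie_is_valid(self, client: tuple, ack: int, now: float) -> bool:
        """Step (4): the client's ACK must equal cookie + 1 for the current or the
        previous time slot (tolerates a slot boundary during the handshake)."""
        echoed = (ack - 1) % SEQ_MOD
        slot = self._slot(now)
        return any(syn_cookie(self.key, client, s) == echoed for s in (slot, slot - 1))

    def complete_server_side(self, client: tuple, gw_isn: int, server_isn: int) -> None:
        """Steps (5)-(8): after the server's SYN+ACK, record both ISNs so the
        sequence offset can be applied for the life of the connection."""
        self.established[client] = (gw_isn, server_isn)

    def client_to_server_ack(self, client: tuple, ack: int) -> int:
        """Client ACKs count from the cookie ISN; shift them onto the server's ISN."""
        gw_isn, server_isn = self.established[client]
        return (ack - gw_isn + server_isn) % SEQ_MOD

    def server_to_client_seq(self, client: tuple, seq: int) -> int:
        """Server SEQs count from its own ISN; shift them back onto the cookie ISN."""
        gw_isn, server_isn = self.established[client]
        return (seq - server_isn + gw_isn) % SEQ_MOD


def run_handshake(defender: SynDefender, client: tuple, now: float, server_isn: int) -> dict:
    """Drive the whole timeline for one connection and return the numbers involved."""
    gw_isn = defender.on_client_syn(client, now)                # (1)-(2)
    client_ack = (gw_isn + 1) % SEQ_MOD                         # (3)
    if not defender.cookie_is_valid(client, client_ack, now):   # (4)
        return {"established": False}
    defender.complete_server_side(client, gw_isn, server_isn)   # (5)-(8)
    return {"established": True, "gw_isn": gw_isn, "server_isn": server_isn}


if __name__ == "__main__":
    # Constructed sample values; the 4-tuple is (src, sport, dst, dport).
    d = SynDefender(key=b"constructed-demo-key")
    conn = ("192.0.2.10", 40000, "198.51.100.5", 443)
    print(run_handshake(d, conn, now=1000.0, server_isn=0x12345678))
```

A SYN that is never followed by a valid ACK costs the proxy nothing, which is the point of the cookie; the rewriting functions show why the gateway must keep the ISN pair for every connection it proxied.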

Command Line Interface


Use the commands below to configure the Accelerated SYN Defender:
'fwaccel synatk' and 'fwaccel6 synatk' (on page 87)

Configuring the 'SYN Attack' protection in SmartConsole


The 'SYN Attack' protection is intended for mitigating SYN Flood attacks:
1. In SmartConsole, from the left navigation panel, click Security Policies.
2. In the Shared Policies section, click Inspection Settings.
3. In the top field, search for SYN Attack.
4. Double-click on the SYN Attack protection.
5. Edit the applicable Inspection profile.
6. Configure the applicable settings in the profile:
• On the General Properties page:
If you select Override with Action and then Accept or Drop, it overrides the settings you
make on the Security Gateway with the 'fwaccel synatk' and 'fwaccel6 synatk' (on
page 87) commands.
• On the Advanced page:
The option you select in the Activation Settings (Protect all interfaces or Protect external
interfaces only) overrides the settings you make on the Security Gateway with the
'fwaccel synatk' and 'fwaccel6 synatk' (on page 87) commands.
7. Install the Access Control Policy.
For more information about the 'SYN Attack' protection in SmartConsole, see sk120476
http://supportcontent.checkpoint.com/solutions?id=sk120476.


SecureXL Commands and Debug


In This Section:
'fwaccel' and 'fwaccel6' ................................................................................... 25
'sim' and 'sim6' ..............................................................................................114
'fw sam_policy' and 'fw6 sam_policy' ...............................................................126
The /proc/ppk/ and /proc/ppk6/ entries............................................................145
SecureXL Debug.............................................................................................166

'fwaccel' and 'fwaccel6'


Description
The fwaccel commands control the acceleration for IPv4 traffic.
The fwaccel6 commands control the acceleration for IPv6 traffic.

Syntax for IPv4


fwaccel help
fwaccel [-i <SecureXL ID>]
cfg <options>
conns <options>
dbg <options>
dos <options>
feature <options>
off <options>
on <options>
ranges <options>
stat <options>
stats <options>
synatk <options>
tab <options>
templates <options>
ver

Syntax for IPv6


fwaccel6 help
fwaccel6
conns <options>
dbg <options>
dos <options>
feature <options>
off <options>
on <options>
ranges <options>
stat <options>
stats <options>
synatk <options>
tab <options>
templates <options>
ver


Parameters and Options


Parameter and Options Description
help Shows the built-in help.
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
cfg <options> (on page 27) Controls the SecureXL acceleration parameters.
conns <options> (on page 30) Shows all connections that pass through SecureXL.
dbg <options> (on page 33) Controls the SecureXL Debug (on page 166).
dos <options> (on page 37) Controls the Rate Limiting for DoS Mitigation (on page 21) in SecureXL.
feature <options> (on page 56) Controls the specified SecureXL features.
off <options> (on page 58) Stops the acceleration on-the-fly. This does not survive reboot.
on <options> (on page 61) Starts the acceleration on-the-fly, if it was previously stopped.
ranges <options> (on page 64) Shows the loaded ranges.
stat <options> (on page 69) Shows the SecureXL status.
stats <options> (on page 72) Shows the acceleration statistics.
synatk <options> (on page 87) Controls the Accelerated SYN Defender (on page 23).
tab <options> (on page 107) Shows the contents of the specified SecureXL table.
templates <options> (on page 110) Shows the SecureXL templates.
ver (on page 113) Shows the SecureXL and FireWall version.


fwaccel cfg
Description
Controls the SecureXL acceleration parameters.
Important - In Cluster, you must configure the SecureXL in the same way on all the Cluster
Members.

Syntax
fwaccel cfg
-h
-a {<Number of Interface> | <Name of Interface> | reset}
-b {on | off}
-c <Number>
-d <Number>
-e <Number>
-i {on | off}
-l <Number>
-m <Seconds>
-p {on | off}
-r <Number>
-v <Seconds>
-w {on | off}

Important:
• These commands do not provide output. You cannot see the currently configured values.
• Changes made with these commands do not survive reboot.

Parameters
Parameter Description
-h Shows the applicable built-in help.
-a <Number of Interface>
-a <Name of Interface>
-a reset
  • -a <Number of Interface> - Configures the SecureXL not to accelerate traffic on the
  interface specified by its internal number in the Check Point kernel.
  • -a <Name of Interface> - Configures the SecureXL not to accelerate traffic on the
  interface specified by its name.
  • -a reset - Configures the SecureXL to accelerate traffic on all interfaces (resets the
  non-accelerated configuration).
  Notes:
  • This command does not support Falcon Acceleration Cards.
  • To see the required information about the interfaces, run these commands in the
  specified order:
    fw getifs
    fw ctl iflist
  • To see if this "fwaccel cfg -a ..." command failed, run this command:
    tail -n 10 /var/log/messages

-b {on | off} Controls the SecureXL Drop Templates match (sk66402):
• on - Enables the SecureXL Drop Templates match
• off - Disables the SecureXL Drop Templates match
Important - In R80.20, SecureXL does not support this
parameter yet.
-c <Number> Configures the maximum number of connections at which SecureXL
disables the templates.
-d <Number> Configures the maximal number of delete retries.

-e <Number> Configures the maximal number of general errors.


-i {on | off} Configures SecureXL to ignore API version mismatch:
• on - Ignore API version mismatch.
• off - Do not ignore API version mismatch (this is the
default).
-l <Number> Configures the maximal number of entries in the SecureXL
templates database.
Valid values are:
• 0 - To disable the limit (this is the default).
• Between 10 and 524288 - To configure the limit.
Important - If you configure a limit, you must stop and start the
acceleration for this change to take effect. Run the fwaccel
off (on page 58) command and then the fwaccel on (on page
61) command.
-m <Seconds> Configures the timeout for entries in the SecureXL templates
database.
Valid values are:
• 0 - To disable the timeout (this is the default).
• Between 10 and 524288 - To configure the timeout.
-p {on | off} Configures the offload of Connection Templates (if possible):
• on - Enables the offload of new templates (this is the
default).
• off - Disables the offload of new templates.
-r <Number> Configures the maximal number of retries for SecureXL API
calls.
-v <Seconds> Configures the interval between SecureXL statistics requests.
Valid values are:
• 0 - To disable the interval.
• 1 and greater - To configure the interval.

-w {on | off} Configures the support for warnings about the IPS protection
Sequence Verifier:
• on - Enables the support for these warnings.
• off - Disables the support for these warnings.


'fwaccel conns' and 'fwaccel6 conns'


Description
Shows the list of the SecureXL connections on the local Security Gateway, or Cluster Member.
Warning - If the number of concurrent connections is large, these commands can consume
memory and CPU at a very high level when you run them (see sk118716
http://supportcontent.checkpoint.com/solutions?id=sk118716).

Syntax for IPv4


fwaccel [-i <SecureXL ID>] conns
-h
-f <filter>
-m <Number of Entries>
-s

Syntax for IPv6


fwaccel6 conns
-h
-f <Filter>
-m <Number of Entries>
-s

Parameters
Parameter Description
-h Shows the applicable built-in help.
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).

-f <Filter> Shows the SecureXL Connections Table entries based on the specified filter flags.
Notes:
• To see the available filter flags, run: fwaccel conns -h
• Each filter flag is one letter - capital, or small.
• You can specify more than one flag.
For example: fwaccel conns -f AaQq
Available filter flags are:
• A - Shows accounted connections (for which SecureXL counted the number of
packets and bytes).
• a - Shows not accounted connections.
• C - Shows encrypted (VPN) connections.
• c - Shows clear-text (not encrypted) connections.
• F - Shows connections that SecureXL forwarded to Firewall.
Note - In R80.20, SecureXL does not support this parameter.
• f - Shows cut-through connections (which SecureXL accelerated).
Note - In R80.20, SecureXL does not support this parameter.
• H - Shows connections offloaded to the SAM card.
Note - R80.20 does not support the SAM card (Known Limitation PMTR-18774).
• h - Shows connections created in the SAM card.
Note - R80.20 does not support the SAM card (Known Limitation PMTR-18774).
• L - Shows connections, for which SecureXL created internal links.
• l - Shows connections, for which SecureXL did not create internal links.
• N - Shows connections that undergo NAT.
Note - In R80.20, SecureXL does not support this parameter.
• n - Shows connections that do not undergo NAT.
Note - In R80.20, SecureXL does not support this parameter.
• Q - Shows connections that undergo QoS.
• q - Shows connections that do not undergo QoS.
• S - Shows connections that undergo PXL.
• s - Shows connections that do not undergo PXL.
• U - Shows unidirectional connections.
• u - Shows bidirectional connections.
-m <Number of Entries> Specifies the maximum number of connections to show.
Important - In R80.20, SecureXL does not support this parameter.
-s Shows the summary of SecureXL Connections Table (number of connections).
Warning - Depending on the number of current connections, this command might consume
memory at a very high level.

Example - Default output from a non-VSX Gateway


[Expert@MyGW:0]# fwaccel conns
Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- -------
1.1.1.200 50586 1.1.1.100 18191 6 F............. 2/2 2/- 3 0
192.168.0.244 35925 192.168.0.242 18192 6 F............. 1/1 -/- 1 0
192.168.0.93 257 192.168.0.242 53932 6 F............. 1/1 1/- 0 0
192.168.0.242 22 172.30.168.15 57914 6 F............. 1/1 -/- 2 0
192.168.0.244 34773 192.168.0.242 18192 6 F............. 1/1 -/- 2 0
192.168.0.88 138 192.168.0.255 138 17 F............. 1/1 -/- 0 0
1.1.1.100 18191 1.1.1.200 55336 6 F............. 2/2 2/- 4 0
192.168.0.242 18192 192.168.0.244 38567 6 F............. 1/1 -/- 4 0
192.168.0.242 53932 192.168.0.93 257 6 F............. 1/1 1/- 0 0
192.168.0.242 18192 192.168.0.244 62714 6 F............. 1/1 -/- 1 0
192.168.0.244 33558 192.168.0.242 18192 6 F............. 1/1 -/- 5 0
1.1.1.200 36359 1.1.1.100 18191 6 F............. 2/2 2/- 5 0
1.1.1.200 55336 1.1.1.100 18191 6 F............. 2/2 2/- 4 0
192.168.0.242 60756 192.168.0.93 257 6 F............. 1/1 1/- 4 0
1.1.1.100 18191 1.1.1.200 36359 6 F............. 2/2 2/- 5 0
1.1.1.100 18191 1.1.1.200 50586 6 F............. 2/2 2/- 3 0
192.168.0.244 38567 192.168.0.242 18192 6 F............. 1/1 -/- 4 0
192.168.0.242 18192 192.168.0.244 32877 6 F............. 1/1 -/- 5 0
192.168.0.242 53806 192.168.47.45 53 17 F............. 1/1 1/- 3 0
192.168.0.242 18192 192.168.0.244 33558 6 F............. 1/1 -/- 5 0
172.30.168.15 57914 192.168.0.242 22 6 F............. 1/1 -/- 2 0
192.168.0.255 138 192.168.0.88 138 17 F............. 1/1 -/- 0 0
192.168.0.93 257 192.168.0.242 60756 6 F............. 1/1 1/- 4 0
1.1.1.200 18192 1.1.1.100 37964 6 F............. 2/2 -/- 1 0
1.1.1.100 37964 1.1.1.200 18192 6 F............. 2/2 -/- 1 0
192.168.0.244 32877 192.168.0.242 18192 6 F............. 1/1 -/- 5 0
192.168.0.242 18192 192.168.0.244 34773 6 F............. 1/1 -/- 2 0
192.168.0.242 18192 192.168.0.244 35925 6 F............. 1/1 -/- 1 0
192.168.47.45 53 192.168.0.242 53806 17 F............. 1/1 1/- 3 0
192.168.0.244 62714 192.168.0.242 18192 6 F............. 1/1 -/- 1 0

Idx Interface
--- ---------
0 lo
1 eth0
2 eth1

Total number of connections: 30


[Expert@MyGW:0]#
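A small parser for the fwaccel conns output format shown above, added here as an illustration (it is not a Check Point tool). It runs over a constructed subset of that output embedded inline, rebuilds the interface index table, and produces the per-protocol, per-instance and per-ingress-interface counts an administrator wants when checking which traffic SecureXL is handling; it also checks the row count against the "Total number of connections" line so truncated output is noticed.

```python
from collections import Counter

# Constructed subset of the fwaccel conns output shown above (same column layout).
SAMPLE_OUTPUT = """\
Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- -------
1.1.1.200 50586 1.1.1.100 18191 6 F............. 2/2 2/- 3 0
192.168.0.244 35925 192.168.0.242 18192 6 F............. 1/1 -/- 1 0
192.168.0.88 138 192.168.0.255 138 17 F............. 1/1 -/- 0 0
192.168.0.242 53806 192.168.47.45 53 17 F............. 1/1 1/- 3 0
172.30.168.15 57914 192.168.0.242 22 6 F............. 1/1 -/- 2 0

Idx Interface
--- ---------
0 lo
1 eth0
2 eth1

Total number of connections: 5
"""


def _iface_pair(field):
    """'2/-' -> (2, None): interface index pair, '-' where none is recorded."""
    left, right = field.split("/", 1)
    return tuple(None if x == "-" else int(x) for x in (left, right))


def parse_fwaccel_conns(text):
    """Parse fwaccel conns output into (connections, interface map, reported total)."""
    conns, ifaces, reported_total, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line.startswith("Source "):
            section = "conns"
            continue
        if line.startswith("Idx "):
            section = "ifaces"
            continue
        if line.startswith("Total number of connections:"):
            reported_total = int(line.rsplit(":", 1)[1])
            section = None
            continue
        parts = line.split()
        if section == "conns" and len(parts) == 10:
            src, sport, dst, dport, proto, flags, c2s, s2c, inst, ident = parts
            conns.append({
                "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                "proto": int(proto), "flags": flags,
                "c2s": _iface_pair(c2s), "s2c": _iface_pair(s2c),
                "inst": int(inst), "identity": int(ident),
            })
        elif section == "ifaces" and len(parts) == 2:
            ifaces[int(parts[0])] = parts[1]
    return conns, ifaces, reported_total


def summarize(conns, ifaces):
    """Counts an administrator looks at when checking what SecureXL is handling."""
    by_proto = Counter(c["proto"] for c in conns)
    by_instance = Counter(c["inst"] for c in conns)
    ingress = Counter(ifaces.get(c["c2s"][0], "?") for c in conns if c["c2s"][0] is not None)
    # Flags column: letters that are set; '.' marks an unset position.
    flag_letters = Counter(ch for c in conns for ch in c["flags"] if ch != ".")
    return {
        "by_proto": dict(by_proto),
        "by_instance": dict(by_instance),
        "by_ingress_if": dict(ingress),
        "flag_letters": dict(flag_letters),
    }


def total_is_consistent(conns, reported_total):
    """True when the parsed row count equals the 'Total number of connections' line."""
    return reported_total is not None and len(conns) == reported_total


if __name__ == "__main__":
    conns, ifaces, total = parse_fwaccel_conns(SAMPLE_OUTPUT)
    print(summarize(conns, ifaces), total_is_consistent(conns, total))
```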


fwaccel dbg
Description
This command controls the SecureXL debug. See SecureXL Debug (on page 166).
Important - In Cluster, you must configure the SecureXL in the same way on all the Cluster
Members.

Syntax
fwaccel dbg
-h
-m <Name of SecureXL Debug Module>
all
+ <Debug Flags>
- <Debug Flags>
reset
-f {"<5-Tuple Debug Filter>" | reset}
list
resetall

Parameters
Parameter Description
-h Shows the applicable built-in help.
-m <Name of SecureXL Debug Module> Specifies the name of the SecureXL debug module.
To see the list of available debug modules, run:
fwaccel dbg
all Enables all debug flags for the specified debug module.
+ <Debug Flags> Enables the specified debug flags for the specified debug
module:
Syntax:
+ Flag1 [Flag2 Flag3 ... FlagN]
Note - You must press the space bar key after the plus (+)
character.
- <Debug Flags> Disables the specified debug flags for the specified debug module.
Syntax:
- Flag1 [Flag2 Flag3 ... FlagN]
Note - You must press the space bar key after the minus
(-) character.
reset Resets all debug flags for the specified debug module to
their default state.

-f "<5-Tuple Debug Filter>"
Configures the debug filter to show only debug messages
that contain the specified connection.
The filter is a string of five numbers separated with
commas:
"<Source IP Address>,<Source
Port>,<Destination IP Address>,<Destination
Port>,<Protocol Number>"
Notes:
• You can configure only one debug filter at one time.
• You can use the asterisk "*" as a wildcard for an IP
Address, Port number, or Protocol number.
• For more information, see IANA - Port Numbers
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
and IANA - Protocol Numbers
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
-f reset Resets the current debug filter.
list Shows all enabled debug flags in all debug modules.
resetall Resets all debug flags for all debug modules to their default
state.
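A model of the 5-tuple debug filter syntax documented above, added here as an illustration and not Check Point's own matcher. The debug messages are constructed; the assumption is that the five filter fields are compared positionally with the message's source address, source port, destination address, destination port and protocol number, and that "*" matches anything in that position.

```python
import ipaddress

# Constructed debug messages: each carries the connection tuple it refers to,
# in the same field order as the filter string.
MESSAGES = [
    {"conn": ("192.168.20.30", 51000, "172.16.40.50", 22, 6), "text": "synatk: conn accepted"},
    {"conn": ("192.168.20.30", 51001, "172.16.40.50", 22, 6), "text": "pkt: tcp_state SYN"},
    {"conn": ("192.168.20.31", 51002, "172.16.40.50", 22, 6), "text": "pkt: other client"},
    {"conn": ("192.168.20.30", 51003, "172.16.40.50", 443, 6), "text": "pkt: HTTPS, not SSH"},
    {"conn": ("192.168.20.30", 51004, "172.16.40.50", 22, 17), "text": "pkt: UDP/22"},
]


def _addr(field):
    """IP address field: '*' is a wildcard; anything else must parse as an address."""
    if field == "*":
        return None
    return str(ipaddress.ip_address(field))


def _num(field, maximum, what):
    """Numeric field (port 0-65535 or protocol 0-255), or the '*' wildcard."""
    if field == "*":
        return None
    value = int(field)
    if not 0 <= value <= maximum:
        raise ValueError(f"{what} {value} out of range 0-{maximum}")
    return value


def parse_debug_filter(spec):
    """Parse "<Src IP>,<Src Port>,<Dst IP>,<Dst Port>,<Protocol>" into a 5-tuple.

    Accepts the bare form given to 'fwaccel dbg -f' and the quoted, angle-bracketed
    form that 'fwaccel dbg list' prints. Wildcard fields become None.
    """
    spec = spec.strip().strip('"')
    if spec.startswith("<") and spec.endswith(">"):
        spec = spec[1:-1]
    fields = [f.strip() for f in spec.split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(fields)}")
    src, sport, dst, dport, proto = fields
    return (_addr(src), _num(sport, 65535, "port"), _addr(dst),
            _num(dport, 65535, "port"), _num(proto, 255, "protocol"))


def matches(flt, conn):
    """A connection tuple matches when every non-wildcard filter field is equal."""
    return all(want is None or want == have for want, have in zip(flt, conn))


def filter_messages(flt, messages):
    """Keep only the debug messages whose connection matches the filter."""
    return [m["text"] for m in messages if matches(flt, m["conn"])]


if __name__ == "__main__":
    # The filter from Example 4 below: SSH from 192.168.20.30 to 172.16.40.50, any source port.
    f = parse_debug_filter("192.168.20.30,*,172.16.40.50,22,6")
    print(filter_messages(f, MESSAGES))
```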

Example 1 - Default output


[Expert@MyGW:0]# fwaccel dbg
Usage: fwaccel dbg [-m <...>] [resetall | reset | list | all | +/- <flags>]
-m <module> - module of debugging
-h - this help message
resetall - reset all debug flags for all modules
reset - reset all debug flags for module
all - set all debug flags for module
list - list all debug flags for all modules
-f reset | "<5-tuple>" - filter debug messages
+ <flags> - set the given debug flags
- <flags> - unset the given debug flags

List of available modules and flags:

Module: default (default)


err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf
stat queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

Module: db
err get save del tmpl tmo init ant profile nmr nmt

Module: api
err init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf upd_if_inf
add_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_ver del_all_tmpl
get_state upd_link_sel

Module: pkt
err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user deliver vlan
pkt nat wrp corr caf

Module: infras
err reorder pm

Module: tmpl
err dtmpl_get dtmpl_notif tmpl

Module: vpn

err vpnpkt linksel routing vpn

Module: nac
err db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaq
init client server exp cbuf opreg transport transport_utils error

Module: synatk
init conf conn err log pkt proxy state msg

Module: adp
err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#

Example 2 - Enabling and disabling of debug flags


[Expert@MyGW:0]# fwaccel dbg -m default + err conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)


err conn

Module: db (1)
err

Module: api (1)


err

Module: pkt (1)


err

Module: infras (1)


err

Module: tmpl (1)


err

Module: vpn (1)


err

Module: nac (1)


err

Module: cpaq (100)


error

Module: synatk (0)

Module: adp (1)


err

Module: dos (10)


err

Debug filter not set.


[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default - conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)


err

Module: db (1)
err

Module: api (1)


err

Module: pkt (1)


err

Module: infras (1)


err

Module: tmpl (1)


err

Module: vpn (1)


err

Module: nac (1)


err

Module: cpaq (100)


error

Module: synatk (0)

Module: adp (1)


err

Module: dos (10)


err

Debug filter not set.


[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default reset
Debug flags updated.
[Expert@MyGW:0]#

Example 3 - Resetting all debug flags in all debug modules


[Expert@MyGW:0]# fwaccel dbg resetall
Debug state was reset to default.
[Expert@MyGW:0]#

Example 4 - Configuring debug filter for an SSH connection from 192.168.20.30 to 172.16.40.50

[Expert@MyGW:0]# fwaccel dbg -f 192.168.20.30,*,172.16.40.50,22,6
Debug filter was set.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: "<*,*,*,*,*>"


[Expert@MyGW:0]#


'fwaccel dos' and 'fwaccel6 dos'


Description
These commands control the Rate Limiting for DoS mitigation (on page 21) techniques in
SecureXL on the local Security Gateway, or Cluster Member.
Important:
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] dos
blacklist <options>
config <options>
pbox <options>
rate <options>
stats <options>
whitelist <options>

Syntax for IPv6


fwaccel6 dos
blacklist <options>
config <options>
rate <options>
stats <options>

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
blacklist <options> (on page 38) Controls the IP blacklist in SecureXL.
config <options> (on page 40) Controls the DoS mitigation configuration in SecureXL.
pbox <options> (on page 44) Controls the Penalty Box whitelist in SecureXL.
rate <options> (on page 48) Shows and installs the Rate Limiting policy in SecureXL.
stats <options> (on page 50) Shows and clears the DoS real-time statistics in SecureXL.
whitelist <options> (on page 52) Configures the whitelist for source IP addresses in the SecureXL Penalty Box.


'fwaccel dos blacklist' and 'fwaccel6 dos blacklist'

Description
Controls the IP blacklist in SecureXL.
The blacklist blocks all traffic to and from the specified IP addresses.
The blacklist drops occur in SecureXL, which is more efficient than dropping the packets with an
Access Control Policy.
Important:
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.
• To enforce the IP blacklist in SecureXL, you must first enable the IP blacklists.
See the 'fwaccel dos config' and 'fwaccel6 dos config' (on page 40) commands.
In addition, see the 'fw sam_policy' and 'fw6 sam_policy' (on page 126) commands that let
you configure more granular rules.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] dos blacklist
-a <IPv4 Address>
-d <IPv4 Address>
-F
-s

Syntax for IPv6


fwaccel6 dos blacklist
-a <IPv6 Address>
-d <IPv6 Address>
-F
-s

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
No Parameters Shows the applicable built-in usage.
-a <IP Address> Adds the specified IP address to the blacklist.
To add more than one IP address, run this command for each
applicable IP address.
-d <IP Address> Removes the specified IP addresses from the blacklist.
To remove more than one IP address, run this command for each
applicable IP address.
-F Removes (flushes) all IP addresses from the blacklist.
-s Shows the configured blacklist.


Example from a non-VSX Gateway


[Expert@MyGW:0]# fwaccel dos blacklist -s
The blacklist is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos blacklist -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -F
All blacklist entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
The blacklist is empty
[Expert@MyGW:0]#


'fwaccel dos config' and 'fwaccel6 dos config'

Description
Controls the global configuration parameters of the Rate Limiting for DoS mitigation in SecureXL.
These global parameters apply to all configured Rate Limiting rules.
Important:
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] dos config
get
set
{--disable-rate-limit | --enable-rate-limit}
{--disable-pbox | --enable-pbox}
{--disable-blacklists | --enable-blacklists}
{--disable-drop-frags | --enable-drop-frags}
{--disable-drop-opts | --enable-drop-opts}
{--disable-internal | --enable-internal}
{--disable-monitor | --enable-monitor}
{--disable-log-drops | --enable-log-drops}
{--disable-log-pbox | --enable-log-pbox}
{-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
{-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
{-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Syntax for IPv6


fwaccel6 dos config
get
set
{--disable-rate-limit | --enable-rate-limit}
{--disable-pbox | --enable-pbox}
{--disable-blacklists | --enable-blacklists}
{--disable-drop-frags | --enable-drop-frags}
{--disable-drop-opts | --enable-drop-opts}
{--disable-internal | --enable-internal}
{--disable-monitor | --enable-monitor}
{--disable-log-drops | --enable-log-drops}
{--disable-log-pbox | --enable-log-pbox}
{-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
{-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
{-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Parameters and Options


Parameter or Option Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
No Parameters Shows the applicable built-in usage.
get Shows the configuration parameters.
set <options> Configures the parameters.

--disable-blacklists Disables the IP blacklists.
This is the default configuration.
--disable-drop-frags Disables the drops of all fragmented packets. This is the
default configuration.
Important - This option applies to only VSX, and only for
traffic that arrives at a Virtual System through a Virtual
Switch (packets received through a Warp interface). From
R80.20, IP Fragment reassembly occurs in SecureXL
before the Warp-jump from a Virtual Switch to a Virtual
System. To block IP fragments, the Virtual Switch must be
configured with this option. Otherwise, this has no effect,
because the IP fragments would already be reassembled
when they arrive at the Virtual System's Warp interface.
--disable-drop-opts Disables the drops of all packets with IP options.
This is the default configuration.
--disable-internal Disables the enforcement on internal interfaces.
This is the default configuration.
--disable-log-drops Disables the notifications when the DoS module drops a
packet due to rate limiting policy.
--disable-log-pbox Disables the notifications when administrator adds an IP
address to the penalty box.
--disable-monitor Disables the acceptance of all packets that otherwise
would be dropped.
This is the default configuration.
--disable-pbox Disables the IP penalty box.
This is the default configuration.
Also, see the fwaccel dos pbox (on page 44) command.
--disable-rate-limit Disables the enforcement of the rate limiting policy.
This is the default configuration.
--enable-blacklists Enables IP blacklists.
Also, see the 'fwaccel dos blacklist' and 'fwaccel6
dos blacklist' (on page 38) commands.
--enable-drop-frags Enables the drops of all fragmented packets.
--enable-drop-opts Enables the drops of all packets with IP options.
--enable-internal Enables the enforcement on internal interfaces.
--enable-log-drops Enables the notifications when the DoS module drops a
packet due to rate limiting policy.
This is the default configuration.
--enable-log-pbox Enables the notifications when administrator adds an IP
address to the penalty box.
This is the default configuration.

--enable-monitor Enables the acceptance of all packets that otherwise
would be dropped.
--enable-pbox Enables the IP penalty box.
Also, see the fwaccel dos pbox (on page 44) command.
--enable-rate-limit Enables the enforcement of the rate limiting policy.
Important - After you run this command, you must install
the Access Control policy.
-n <NOTIF_RATE> Configures the maximal number of drop notifications per
--notif-rate <NOTIF_RATE> second for each SecureXL device.
Range: 0 - (2^32-1)
Default: 100
-p <PBOX_RATE> Configures the minimal number of reported dropped
--pbox-rate <PBOX_RATE> packets before SecureXL adds a source IPv4 address to
the penalty box.
Range: 0 - (2^32-1)
Default: 500
-t <PBOX_TMO> Configures the number of seconds until SecureXL removes
--pbox-tmo <PBOX_TMO> an IP address from the penalty box.
Range: 0 - (2^32-1)
Default: 180

Example 1 - Get the current DoS configuration on a non-VSX Gateway


[Expert@MyGW:0]# fwaccel dos config get
rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
log blacklist: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: disabled
log pbox: disabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#

Example 2 - Enabling the Penalty Box on a non-VSX Gateway


[Expert@MyGW:0]# fwaccel dos config set --enable-pbox
OK
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos config get
rate limit: disabled (without policy)
pbox: enabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled

log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#

Making the configuration persistent


The settings defined with the fwaccel dos config set and the fwaccel6 dos config set
commands return to their default values during each reboot. To make these settings persistent,
add the applicable commands to these configuration files:

File Description
$FWDIR/conf/fwaccel_dos_rate_on_install This shell script for IPv4 must contain only the fwaccel dos config set commands:
#!/bin/bash
fwaccel dos config set <options>
$FWDIR/conf/fwaccel6_dos_rate_on_install This shell script for IPv6 must contain only the fwaccel6 dos config set commands:
#!/bin/bash
fwaccel6 dos config set <options>

Important - Do not include the fw sam_policy (on page 126) commands in these configuration
files. The configured Rate Limiting policy survives reboot. If you add the fw sam_policy
commands, the rate policy installer runs in an infinite loop.
Notes:
• To create or edit these files, log in to Expert mode.
• If these files do not already exist, create them in one of these ways:
• touch $FWDIR/conf/<Name of File>
• vi $FWDIR/conf/<Name of File>
• On VSX Gateway, before you create these files, go to the context of an applicable Virtual
System.
• In Gaia gClish, run: set virtual-system <VSID>
• In Expert mode, run: vsenv <VSID>
• These files must start with the #!/bin/bash line.
• These files must end with a new empty line.
• After you create these files, you must assign the execute permission to them:
chmod +x $FWDIR/conf/<Name of File>
Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:
#!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox
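
The following shell function is an added example, not part of this guide or of the Check Point product. It checks a candidate on_install file against the rules above (the #!/bin/bash first line, only fwaccel dos config set or fwaccel6 dos config set commands, no fw sam_policy commands, a trailing new line, the execute permission) so that a mistake is caught before the file runs at the next boot. The files in the demo are constructed.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: lint an on_install script
# against the rules listed above before relying on it to survive a reboot.
# Checks: first line is "#!/bin/bash"; every other non-empty line is an
# "fwaccel dos config set" (IPv4 file) or "fwaccel6 dos config set" (IPv6 file)
# command; no "fw sam_policy" / "fw samp" lines (the guide warns that the rate
# policy installer then loops forever); the file ends with a new line; it has
# the execute permission.
# Usage: check_dos_on_install_file <path> <4|6>
# Returns 0 when the file is acceptable, 1 otherwise; findings go to stderr.
check_dos_on_install_file() {
    chk_file=$1
    chk_ver=${2:-4}
    chk_rc=0
    if [ "$chk_ver" = "6" ]; then
        chk_cmd='fwaccel6 dos config set'
    else
        chk_cmd='fwaccel dos config set'
    fi
    if [ ! -f "$chk_file" ]; then
        echo "$chk_file: file does not exist" >&2
        return 1
    fi
    # The guide requires chmod +x on these files; read the owner execute bit
    # from ls output (portable, and unaffected by noexec mounts).
    case "$(ls -l "$chk_file")" in
        -??x*) ;;
        *) echo "$chk_file: missing execute permission (chmod +x)" >&2; chk_rc=1 ;;
    esac
    # The guide requires the file to end with a new line: if the last byte is
    # not LF, the command substitution keeps it and the result is non-empty.
    if [ -s "$chk_file" ] && [ -n "$(tail -c 1 "$chk_file")" ]; then
        echo "$chk_file: does not end with a new line" >&2
        chk_rc=1
    fi
    # Line-by-line content rules (awk for portability across Gaia shells).
    awk -v cmd="$chk_cmd" -v f="$chk_file" '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line) }
        NR == 1 {
            if (line != "#!/bin/bash") { print f ": line 1 must be #!/bin/bash"; bad = 1 }
            next
        }
        line == "" { next }
        line ~ /^fw6?[[:space:]]+(sam_policy|samp)([[:space:]]|$)/ {
            print f ": line " NR ": fw sam_policy commands do not belong here (rate policy installer would loop)"
            bad = 1; next
        }
        index(line, cmd) != 1 {
            print f ": line " NR ": only \"" cmd "\" commands are allowed, found: " line
            bad = 1; next
        }
        END {
            if (NR == 0) { print f ": file is empty"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$chk_file" >&2 || chk_rc=1
    return $chk_rc
}

# Demo on constructed files (not real gateway files) in a temporary directory.
demo_dir=$(mktemp -d)
good="$demo_dir/fwaccel_dos_rate_on_install"
printf '#!/bin/bash\nfwaccel dos config set --enable-internal\nfwaccel dos config set --enable-pbox\n' > "$good"
chmod +x "$good"
bad="$demo_dir/fwaccel_dos_rate_on_install.bad"
# Three mistakes: no chmod +x, a fw sam_policy line, and no trailing new line.
printf '#!/bin/bash\nfwaccel dos config set --enable-pbox\nfw sam_policy add <placeholder rule>' > "$bad"
for f in "$good" "$bad"; do
    if check_dos_on_install_file "$f" 4; then
        echo "OK: $f"
    else
        echo "REJECTED: $f"
    fi
done
rm -rf "$demo_dir"
```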


fwaccel dos pbox

Description
Controls the Penalty Box whitelist in SecureXL.
The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from
suspected sources. The purpose of this feature is to allow the Security Gateway to cope better
under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects
clients that send packets, which the Access Control Policy drops, and clients that violate the IPS
protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a
penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP
address.
The Penalty Box whitelist in SecureXL lets you configure the source IP addresses, which the
SecureXL Penalty Box never blocks.
Important:
• This command supports only IPv4.
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.
• To enforce the Penalty Box in SecureXL, you must first enable the Penalty Box.
See the 'fwaccel dos config' and 'fwaccel6 dos config' (on page 40) commands.
Also see these commands:
• fwaccel dos whitelist (on page 52)
• 'fwaccel synatk whitelist' and 'fwaccel6 synatk whitelist' (on page 103)

Syntax for IPv4


fwaccel [-i <SecureXL ID>] dos pbox
flush
whitelist
-a <IPv4 Address>[/<Subnet Prefix>]
-d <IPv4 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
No Parameters Shows the applicable built-in usage.
flush Removes (flushes) all source IP addresses from the
Penalty Box.

whitelist <options> Configures the whitelist for source IP addresses in
the SecureXL Penalty Box.
Important - This whitelist overrides which packet the
SecureXL Penalty Box drops. Before you use a
3rd-party or automatic blacklists, add trusted
networks and hosts to the whitelist to avoid outages.
Note - This command is similar to the fwaccel dos
whitelist (on page 52) command.
-a <IPv4 Address>[/<Subnet Prefix>] Adds the specified IP address to the Penalty Box
whitelist.
• <IPv4 Address> - Can be an IP address of a
network or a host.
• <Subnet Prefix> - Must specify the length of the
subnet mask in the format /<bits>.
Optional for a host IP address.
Mandatory for a network IP address.
Range - from /1 to /32.
Important - If you do not specify the subnet prefix
explicitly, this command uses the subnet prefix
/32.
Examples:
• For a host:
192.168.20.30
192.168.20.30/32
• For a network:
192.168.20.0/24
-d <IPv4 Address>[/<Subnet Prefix>] Removes the specified IP address from the Penalty
Box whitelist.
• <IPv4 Address> - Can be an IP address of a
network or a host.
• <Subnet Prefix> - Optional. Must specify the
length of the subnet mask in the format
/<bits>.
Optional for a host IP address.
Mandatory for a network IP address.
Range - from /1 to /32.
Important - If you do not specify the subnet prefix
explicitly, this command uses the subnet prefix
/32.
-F Removes (flushes) all entries from the Penalty Box
whitelist.

-l /<Path>/<Name of File> Loads the Penalty Box whitelist entries from the
specified plain-text file.
Important:
• You must manually create and configure this file
with the touch or vi command.
• You must assign at least the read permission to
this file with the chmod +x command.
• Each entry in this file must be on a separate line.
• Each entry in this file must be in this format:
<IPv4 Address>[/<Subnet Prefix>]
• SecureXL ignores empty lines and lines that start
with the # character in this file.
-L Loads the Penalty Box whitelist entries from the
plain-text file with a predefined name:
$FWDIR/conf/pbox-whitelist-v4.conf
Security Gateway automatically runs this command
fwaccel dos pbox whitelist -L during each
boot.
Important:
• This file does not exist by default.
• You must manually create and configure this file
with the touch or vi command.
• You must assign at least the read permission to
this file with the chmod +x command.
• Each entry in this file must be on a separate line.
• Each entry in this file must be in this format:
<IPv4 Address>[/<Subnet Prefix>]
• SecureXL ignores empty lines and lines that start
with the # character in this file.
-s Shows the current Penalty Box whitelist entries.


Example 1 - Adding a host IP address without optional subnet prefix


[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -F
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
[Expert@MyGW:0]#

Example 2 - Adding a host IP address with optional subnet prefix


[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -F
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
[Expert@MyGW:0]#

Example 3 - Adding a network IP address with mandatory subnet prefix


[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -F
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
[Expert@MyGW:0]#

Example 4 - Deleting an entry


[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos pbox whitelist -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#


'fwaccel dos rate' and 'fwaccel6 dos rate'

Description
Shows and installs the Rate Limiting policy in SecureXL.
Important:
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] dos rate
get '<Rule UID>'
install

Syntax for IPv6


fwaccel6 dos rate
get '<Rule UID>'
install

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
No Parameters Shows the applicable built-in usage.
get '<Rule UID>' Shows information about the rule specified by its Rule UID or its
zero-based rule index.
The quote marks and angle brackets ('<...>') are mandatory.
install Installs a new rate limiting policy.
Important - This command requires input from the stdin. To use this
command, run:
fw sam_policy get -l -k req_type -t in -v quota |
fwaccel dos rate install
For more information about the fw sam_policy command, see the
R80.20 Performance Tuning Administration Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGuide/html_frameset.htm
- Section Rate Limiting for DoS Mitigation (on page 21) - Section 'fw sam_policy' and 'fw6 sam_policy' (on page 126).


Notes
• If you install a new rate limiting policy with more than one rule, it automatically enables the
rate limiting feature.
To manually disable the rate limiting feature (on page 40) after this command, run:
fwaccel dos config set --disable-rate-limit
• To delete the current rate limiting policy, install a new policy with zero rules.


'fwaccel dos stats' and 'fwaccel6 dos stats'

Description
Shows and clears the DoS real-time statistics in SecureXL.
Important:
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] dos stats
clear
get

Syntax for IPv6


fwaccel6 dos stats
clear
get

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
No Parameters Shows the applicable built-in usage.
clear Clears the real-time statistics counters.
get Shows the real-time statistics counters.


Example - Get the current DoS statistics


[Expert@MyGW:0]# fwaccel dos stats get
Firewall:
Number of Elements in Tables:
Penalty Box Violating IPs: 0 (size: 8192)
Blacklist Notification Handlers: 0 (size: 1024)
SXL Device 0:
Total Active Connections: 0
Total New Connections/Second: 0
Total Packets/Second: 0
Total Bytes/Second: 0
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 0
Blacklist: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0 (size: 0)
Non-Empty Blacklists: 0 (size: 0)
Blacklisted IPs: 0 (size: 0)
Rate Limit Matches: 0 (size: 0)
Rate Limit Source Only Tracks: 0 (size: 0)
Rate Limit Source and Service Tracks: 0 (size: 0)
SXL Devices in Aggregate:
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 0
Blacklist: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0
Non-Empty Blacklists: 0
Blacklisted IPs: 0
Rate Limit Matches: 0
Rate Limit Source Only Tracks: 0
Rate Limit Source and Service Tracks: 0
[Expert@MyGW:0]#
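
The following shell functions are an added example, not part of this guide or of the Check Point product. They parse the 'Reasons Packets Dropped' counters from captured fwaccel dos stats get output and report which counters grew between two snapshots, which is how you notice that the Penalty Box, a blacklist or the Rate Limiting policy has started dropping traffic. The snapshots in the block are constructed to match the output format above; the counter values are invented.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: extract the "Reasons Packets
# Dropped" counters from "fwaccel dos stats get" output and report which ones
# grew between two snapshots (poll from cron and alert on the result).
# Assumes the real output keeps the section labels shown in the example above.

# dos_drop_counters: read stats output on stdin, print "section.reason=count",
# e.g. device0.penalty_box=10 or aggregate.rate_limit=5. Counters under
# "Number of Elements in Tables" and the per-second totals are not emitted.
dos_drop_counters() {
    awk '
        /^[[:space:]]*SXL Device [0-9]+:/ { sect = "device" $3; sub(/:$/, "", sect); in_drops = 0; next }
        /^[[:space:]]*SXL Devices in Aggregate:/ { sect = "aggregate"; in_drops = 0; next }
        /^[[:space:]]*Firewall:/ { sect = "firewall"; in_drops = 0; next }
        /Reasons Packets Dropped:/ { in_drops = 1; next }
        /Number of Elements in Tables:/ { in_drops = 0; next }
        in_drops && sect != "" && $0 ~ /^[[:space:]]*[A-Za-z][A-Za-z ]*:[[:space:]]*[0-9]+[[:space:]]*$/ {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, kv, ":")
            key = tolower(kv[1]); gsub(/ /, "_", key)
            val = kv[2]; gsub(/[[:space:]]/, "", val)
            print sect "." key "=" val
        }'
}

# dos_drop_delta <old> <new>: given two files written by dos_drop_counters,
# print every counter that increased, as "key +delta".
dos_drop_delta() {
    awk -F= '
        FILENAME == ARGV[1] { old[$1] = $2; next }
        ($1 in old) && ($2 + 0) > (old[$1] + 0) { print $1 " +" ($2 - old[$1]) }' "$1" "$2"
}

# Constructed snapshot modelled on the output format above; counter values are
# invented. The second snapshot differs only by 40 more Penalty Box drops.
STATS_BEFORE=$(cat <<'EOF'
Firewall:
  Number of Elements in Tables:
    Penalty Box Violating IPs: 3 (size: 8192)
    Blacklist Notification Handlers: 0 (size: 1024)
SXL Device 0:
  Total Active Connections: 120
  Total New Connections/Second: 4
  Total Packets/Second: 900
  Total Bytes/Second: 640000
  Reasons Packets Dropped:
    IP Fragment: 0
    IP Option: 0
    Penalty Box: 10
    Blacklist: 0
    Rate Limit: 5
  Number of Elements in Tables:
    Penalty Box: 1 (size: 8192)
SXL Devices in Aggregate:
  Reasons Packets Dropped:
    IP Fragment: 0
    IP Option: 0
    Penalty Box: 10
    Blacklist: 0
    Rate Limit: 5
  Number of Elements in Tables:
    Penalty Box: 1
EOF
)
STATS_AFTER=$(printf '%s\n' "$STATS_BEFORE" | sed 's/Penalty Box: 10/Penalty Box: 50/')

# Demo: which drop reasons grew between the two snapshots?
demo_dir=$(mktemp -d)
printf '%s\n' "$STATS_BEFORE" | dos_drop_counters > "$demo_dir/before"
printf '%s\n' "$STATS_AFTER" | dos_drop_counters > "$demo_dir/after"
echo "counters that increased between snapshots:"
dos_drop_delta "$demo_dir/before" "$demo_dir/after"
rm -rf "$demo_dir"
```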


fwaccel dos whitelist

Description
Configures the whitelist for source IP addresses in the SecureXL Penalty Box.
This whitelist overrides which packet the SecureXL Penalty Box drops.
Notes:
• This command supports only IPv4.
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.
• This whitelist overrides entries in the blacklist. Before you use a 3rd-party or automatic
blacklists, add trusted networks and hosts to the whitelist to avoid outages.
• This whitelist unblocks IP Options and IP fragments from trusted sources when you explicitly
configure one of these SecureXL features:
• --enable-drop-opts
• --enable-drop-frags
See the 'fwaccel dos config' and 'fwaccel6 dos config' (on page 40) command.
• To whitelist the Rate Limiting policy, refer to the bypass action of the fw samp command. For
example, fw samp -a b ...
For more information about the fw sam_policy command, see the R80.20 Performance Tuning Administration Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGuide/html_frameset.htm
- Section Rate Limiting for DoS Mitigation (on page 21) - Section 'fw sam_policy' and 'fw6 sam_policy' (on page 126).
• This command is similar to the fwaccel dos pbox whitelist (on page 44) command.
• Also, see the fwaccel synatk whitelist (on page 103) command.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] dos whitelist
-a <IPv4 Address>[/<Subnet Prefix>]
-d <IPv4 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s


Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
No Parameters Shows the applicable built-in usage.
-a <IPv4 Address>[/<Subnet Prefix>] Adds the specified IP address to the Penalty Box
whitelist.
• <IPv4 Address> - Can be an IPv4 address of a
network or a host.
• <Subnet Prefix> - Must specify the length of the
subnet mask in the format /<bits>.
Optional for a host IPv4 address.
Mandatory for a network IPv4 address.
Range - from /1 to /32.
Important - If you do not specify the subnet prefix
explicitly, this command uses the subnet prefix
/32.
Examples:
• For a host:
192.168.20.30
192.168.20.30/32
• For a network:
192.168.20.0/24
-d <IPv4 Address>[/<Subnet Prefix>] Removes the specified IPv4 address from the Penalty
Box whitelist.
• <IPv4 Address> - Can be an IPv4 address of a
network or a host.
• <Subnet Prefix> - Optional. Must specify the
length of the subnet mask in the format
/<bits>.
Optional for a host IPv4 address.
Mandatory for a network IPv4 address.
Range - from /1 to /32.
Important - If you do not specify the subnet prefix
explicitly, this command uses the subnet prefix
/32.
-F Removes (flushes) all entries from the Penalty Box
whitelist.

-l /<Path>/<Name of File> Loads the Penalty Box whitelist entries from the
specified plain-text file.
Note - To replace the current whitelist with the
contents of a new file, use both the -F and -l
parameters on the same command line.
Important:
• You must manually create and configure this file
with the touch or vi command.
• You must assign at least the read permission to
this file with the chmod +x command.
• Each entry in this file must be on a separate line.
• Each entry in this file must be in this format:
<IPv4 Address>[/<Subnet Prefix>]
• SecureXL ignores empty lines and lines that start
with the # character in this file.
-L Loads the Penalty Box whitelist entries from the
plain-text file with a predefined name:
$FWDIR/conf/pbox-whitelist-v4.conf
Security Gateway automatically runs this command
fwaccel dos pbox whitelist -L during each
boot.
Note - To replace the current whitelist with the
contents of a new file, use both the -F and -L
parameters on the same command line.
Important:
• This file does not exist by default.
• You must manually create and configure this file
with the touch or vi command.
• You must assign at least the read permission to
this file with the chmod +x command.
• Each entry in this file must be on a separate line.
• Each entry in this file must be in this format:
<IPv4 Address>[/<Subnet Prefix>]
• SecureXL ignores empty lines and lines that start
with the # character in this file.
-s Shows the current Penalty Box whitelist entries.


Example - Adding a host IP address without optional subnet prefix


[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

Example - Adding a host IP address with optional subnet prefix


[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

Example - Adding a network IP address with mandatory subnet prefix


[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

Example - Deleting an entry


[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos whitelist -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
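
The following shell function is an added example, not part of this guide or of the Check Point product. It validates and normalizes a whitelist file, for the -l parameter of both fwaccel dos pbox whitelist and fwaccel dos whitelist and for the $FWDIR/conf/pbox-whitelist-v4.conf file that -L loads, following the entry rules given in the parameter tables above; the warning about host bits in a network entry is an extra check that the guide does not describe. The sample file is constructed.

```shell
#!/bin/bash
# Added example, not from the Check Point guide: validate and normalize a
# Penalty Box whitelist file before loading it with "-l <file>" (or placing it
# as $FWDIR/conf/pbox-whitelist-v4.conf for "-L"). Rules applied, as given in
# the parameter tables: one entry per line, "<IPv4 Address>[/<Subnet Prefix>]",
# prefix /1 to /32, /32 assumed when no prefix is given, empty lines and lines
# starting with "#" ignored. The host-bits warning is an extra check that the
# guide does not describe.
# Usage: normalize_pbox_whitelist <path>
# Prints normalized entries on stdout, problems on stderr; returns 1 if any
# entry is invalid, so a broken file is not loaded by mistake.
normalize_pbox_whitelist() {
    wl_file=$1
    if [ ! -r "$wl_file" ]; then
        echo "$wl_file: cannot read file" >&2
        return 1
    fi
    awk -v f="$wl_file" '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line) }
        line == "" || line ~ /^#/ { next }     # ignored by SecureXL
        {
            nparts = split(line, parts, "/")
            noct = split(parts[1], o, ".")
            ok = (nparts <= 2 && noct == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (!ok) {
                print f ": line " NR ": invalid IPv4 entry \"" line "\"" > "/dev/stderr"
                bad = 1; next
            }
            if (nparts == 2) {
                if (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 < 1 || parts[2] + 0 > 32) {
                    print f ": line " NR ": subnet prefix must be /1 to /32: \"" line "\"" > "/dev/stderr"
                    bad = 1; next
                }
                prefix = parts[2] + 0
            } else {
                prefix = 32                    # host entry without prefix: SecureXL uses /32
            }
            # Extra check: a network entry whose host bits are not zero is
            # probably a typo (e.g. 10.0.0.1/24 instead of 10.0.0.0/24).
            ipnum = o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
            if (prefix < 32 && ipnum % (2 ^ (32 - prefix)) != 0)
                print f ": line " NR ": warning: host bits set in network entry \"" line "\"" > "/dev/stderr"
            print parts[1] "/" prefix
        }
        END { exit (bad ? 1 : 0) }' "$wl_file"
}

# Demo on a constructed file (not a real gateway file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/pbox-whitelist-v4.conf" <<'EOF'
# Trusted management hosts and networks (constructed sample)
192.168.20.30
192.168.20.30/32

192.168.20.0/24
10.0.0.0/8
EOF
if normalize_pbox_whitelist "$demo_dir/pbox-whitelist-v4.conf" > "$demo_dir/normalized"; then
    echo "whitelist is valid, normalized entries:"
    cat "$demo_dir/normalized"
else
    echo "whitelist has errors, do not load it"
fi
rm -rf "$demo_dir"
```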


'fwaccel feature' and 'fwaccel6 feature'


Description
Enables and disables the specified SecureXL features.
Important:
• If you disable a SecureXL feature, SecureXL does not accelerate the applicable traffic
anymore.
• This change does not survive reboot.
• In VSX Gateway, this change is global and applies to all Virtual Systems.
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] feature <Name of Feature>
get
off
on

Syntax for IPv6


fwaccel6 feature <Name of Feature>
get
off
on

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
No Parameters Shows the applicable built-in usage.
<Name of Feature> Specifies the SecureXL feature.
R80.20 SecureXL supports only this feature:
• Name: sctp
• Description: Stream Control Transmission Protocol (SCTP) - see
sk35113
http://supportcontent.checkpoint.com/solutions?id=sk35113
get Shows the current state of the specified SecureXL feature.
off Disables the specified SecureXL feature.
This means that SecureXL does not accelerate the applicable traffic
anymore.
on Enables the specified SecureXL feature.
This means that SecureXL accelerates the applicable traffic again.


Disabling the 'sctp' feature permanently


See Working with Kernel Parameters on Security Gateway (on page 253).
1. Add this line to the $FWDIR/modules/fwkern.conf file:
sim_sctp_disable_by_default=1
2. Reboot.

Example 1 - Default output


[Expert@MyGW:0]# fwaccel feature
Usage: fwaccel feature <name> {on|off|get}

Available features: sctp


[Expert@MyGW:0]#

Example 2 - Disabling and enabling a feature


[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp off
Set operation succeeded
[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp on
Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 0
[Expert@MyGW:0]#


'fwaccel off' and 'fwaccel6 off'


Description
These commands stop the SecureXL on-the-fly.
Starting from R80.20, you can stop the SecureXL only temporarily. The SecureXL starts
automatically when you start Check Point services (with the cpstart command), or reboot the
Security Gateway.
Important:
• Disable the SecureXL only for debug purposes, if Check Point Support explicitly instructs you
to do so.
• If you disable the SecureXL, this change does not survive reboot.
SecureXL remains disabled until you enable it again on-the-fly, or reboot the Security Gateway.
• If you disable the SecureXL, this change applies only to new connections that arrive after you
disable the acceleration.
SecureXL continues to accelerate the connections that are already accelerated.
Other non-connection oriented processing continues to function (for example, virtual
defragmentation, VPN decrypt).
• On VSX Gateway:
• If you wish to stop the acceleration only for a specific Virtual System, go to the context of
that Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• If you wish to stop the acceleration for all Virtual Systems, you must use the -a parameter.
In this case, it does not matter from which Virtual System context you run this command.
• In Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] off [-a] [-q]

Syntax for IPv6


fwaccel6 off [-a] [-q]

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
-a On VSX Gateway, stops acceleration on all Virtual Systems.
-q Suppresses the output (does not show a returned output).


Possible returned output


• SecureXL device disabled
• SecureXL device is not active
• Failed to disable SecureXL device
• fwaccel_off: failed to set process context <VSID>

Example 1 - Output from a non-VSX Gateway


[Expert@MyGW:0]# fwaccel off
SecureXL device disabled.
[Expert@MyGW:0]#

Example 2 - Output from a VSX Gateway for a specific Virtual System


[Expert@MyVSXGW:1]# vsx stat -v
VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel off
SecureXL device disabled. (Virtual ID 1)
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#


Example 3 - Output from a VSX Gateway for all Virtual Systems


[Expert@MyVSXGW:1]# vsx stat -v
VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS1_Policy | 17Sep2018 12:47 | <No Policy> | Trust
2 | S VS2 | VS2_Policy | 17Sep2018 12:47 | <No Policy> | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel off -a
SecureXL device disabled. (Virtual ID 0)
SecureXL device disabled. (Virtual ID 1)
SecureXL device disabled. (Virtual ID 2)
[Expert@MyVSXGW:1]#

'fwaccel on' and 'fwaccel6 on'


Description
These commands start the acceleration on-the-fly, if it was previously stopped with the 'fwaccel
off' or 'fwaccel6 off' (on page 58) command.
Important:
• On VSX Gateway:
• If you wish to start the acceleration only for a specific Virtual System, first go to the context
of that Virtual System:
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• If you wish to start the acceleration for all Virtual Systems, use the -a parameter.
In this case, it does not matter from which Virtual System context you run this command.
• In a Cluster, configure SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] on [-a] [-q]

Syntax for IPv6


fwaccel6 on [-a] [-q]

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
-a On VSX Gateway, starts the acceleration on all Virtual Systems.
-q Suppresses the output (does not show a returned output).

Possible returned output

• SecureXL device is enabled.
• Failed to start SecureXL.
• No license for SecureXL.
• SecureXL is disabled by the firewall. Please try again later.
• The installed SecureXL device is not compatible with the installed firewall (version mismatch).
• The SecureXL device is in the process of being stopped. Please try again later.
• SecureXL cannot be started while "flows" are active.
• SecureXL is already started.
• SecureXL will be started after a policy is loaded.
• fwaccel: Failed to check FloodGate-1 status. Acceleration will not be started.
• FW-1: SecureXL acceleration cannot be started while QoS is running in express mode.
Please disable FloodGate-1 express mode or SecureXL.
• FW-1: SecureXL acceleration cannot be started while QoS is running with citrix printing rule.
Please remove the citrix printing rule to enable SecureXL.
• FW-1: SecureXL acceleration cannot be started while QoS is running with UAS rule.
Please remove the UAS rule to enable SecureXL.
• FW-1: SecureXL acceleration cannot be started while QoS is running.
Please remove the QoS blade to enable SecureXL.
• Failed to enable SecureXL device
• fwaccel_on: failed to set process context <VSID>

Example 1 - Output from a non-VSX Gateway


[Expert@MyGW:0]# fwaccel on
SecureXL device is enabled.
[Expert@MyGW:0]#

Example 2 - Output from a VSX Gateway for a specific Virtual System


[Expert@MyVSXGW:1]# vsx stat -v
VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25

Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID   | Type & Name         | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1    | S VS1               | VS1_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
2    | S VS2               | VS2_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# fwaccel on
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyVSXGW:1]#

Example 3 - Output from a VSX Gateway for all Virtual Systems


[Expert@MyVSXGW:1]# vsx stat -v
VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25

Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID   | Type & Name         | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1    | S VS1               | VS1_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
2    | S VS2               | VS2_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel on -a
[Expert@MyVSXGW:1]#

'fwaccel ranges' and 'fwaccel6 ranges'


Description
These commands show the ranges loaded into SecureXL:
• Ranges of Rule Base source IP addresses
• Ranges of Rule Base destination IP addresses
• Ranges of Rule Base destination ports and protocols
The Security Gateway creates these ranges during policy installation. The Firewall creates and
offloads ranges to SecureXL when any of these features is enabled:
• Rule Base ranges for Drop Templates
• Anti-Spoofing enforcement ranges on a per-interface basis
• NAT64 ranges
• NAT46 ranges
SecureXL uses these ranges to match connections to Drop Templates. The ranges represent the
Source, Destination and Service columns of the Rule Base.
The ranges are not exactly the same as the Rule Base, because some objects cannot be
represented as real (deterministic) IP addresses, for example Domain objects and Dynamic
objects. The Security Gateway converts such non-deterministic objects to the "Any" IP address.
In addition, implied rules are represented in these ranges, except for some specific implied rules.
You can use these commands for troubleshooting.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] ranges
-h
-a
-l
-p <Range ID>
-s <Range ID>

Syntax for IPv6


fwaccel6 ranges
-h
-a
-l
-p <Range ID>
-s <Range ID>

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
-h Shows the applicable built-in usage.

-a (or no parameter) Shows the full information for all loaded ranges.
Note - In the list of SecureXL Drop Templates (output of the 'fwaccel templates -d' and
'fwaccel6 templates -d' (on page 110) commands), each Drop Template is assembled from range
indexes. To see the mapping between a range index and the range itself, run fwaccel ranges -a.
This shows the practical ranges behind each Drop Template and helps you decide when it is
appropriate to use Drop Templates.
-l Shows the list of loaded ranges:
• 0 - Ranges of Rule Base source IP addresses
• 1 - Ranges of Rule Base destination IP addresses
• 2 - Ranges of Rule Base destination ports and protocols
-p <Range ID> Shows the full information for the specified range.
-s <Range ID> Shows the summary information for the specified range.

Example 1 - Show the list of ranges from a non-VSX Gateway


[Expert@MyGW:0]# fwaccel ranges -l
SecureXL device 0:
0 Rule base source ranges (ip):
1 Rule base destination ranges (ip):
2 Rule base dport ranges (port, proto):
[Expert@MyGW:0]#

Example 2 - Show the full information for all loaded ranges from a non-VSX Gateway
[Expert@MyGW:0]# fwaccel ranges
SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
[Expert@MyGW:0]#

Example 3 - Show the full information for the specified range from a non-VSX Gateway
[Expert@MyGW:0]# fwaccel ranges -p 0
SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -p 1
SecureXL device 0:
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -p 2
SecureXL device 0:
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
[Expert@MyGW:0]#

Example 4 - Show the summary information for the specified range from a non-VSX
Gateway
[Expert@MyGW:0]# fwaccel ranges -s 0
SecureXL device 0:
List name "Rule base source ranges (ip):", ID 0, Number of ranges 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -s 1
SecureXL device 0:
List name "Rule base destination ranges (ip):", ID 1, Number of ranges 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -s 2
SecureXL device 0:
List name "Rule base dport ranges (port, proto):", ID 2, Number of ranges 11
[Expert@MyGW:0]#

Example 5 - Show the list of ranges from a VSX Gateway


[Expert@MyVSXGW:2]# vsenv 0
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVSXGW:0]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth0:
1 Anti spoofing ranges eth1:
[Expert@MyVSXGW:0]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth3:
1 Anti spoofing ranges eth2.52:
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth4:
1 Anti spoofing ranges eth2.53:
[Expert@MyVSXGW:2]#

Example 6 - Show the full information for all loaded ranges from a VSX Gateway
[Expert@MyVSXGW:2]# vsenv 0
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVSXGW:0]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth0:
(0) 0.0.0.0 - 10.20.29.255
(1) 10.20.31.0 - 126.255.255.255
(2) 128.0.0.0 - 192.168.2.255
(3) 192.168.3.1 - 192.168.3.241
(4) 192.168.3.243 - 192.168.3.254
(5) 192.168.4.0 - 223.255.255.255
(6) 240.0.0.0 - 255.255.255.254
Anti spoofing ranges eth1:
(0) 10.20.30.1 - 10.20.30.241
(1) 10.20.30.243 - 10.20.30.254
[Expert@MyVSXGW:0]#
[Expert@MyVSXGW:0]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth3:
(0) 40.50.60.0 - 40.50.60.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.52:
(0) 70.80.90.0 - 70.80.90.255
(1) 192.168.196.1 - 192.168.196.1
(2) 192.168.196.3 - 192.168.196.14
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth4:
(0) 100.100.100.0 - 100.100.100.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.53:
(0) 192.168.196.1 - 192.168.196.1
(1) 192.168.196.3 - 192.168.196.14
(2) 200.200.200.0 - 200.200.200.255
[Expert@MyVSXGW:2]#

Example 7 - Show the summary information for the specified range from a VSX Gateway
[Expert@MyVSXGW:2]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 0
SecureXL device 0:
List name "Anti spoofing ranges eth3:", ID 0, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 1
SecureXL device 0:
List name "Anti spoofing ranges eth2.52:", ID 1, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 2
SecureXL device 0:
The requested range table is empty
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 0
SecureXL device 0:
List name "Anti spoofing ranges eth4:", ID 0, Number of ranges 3
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 1
SecureXL device 0:
List name "Anti spoofing ranges eth2.53:", ID 1, Number of ranges 3
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 2
SecureXL device 0:
The requested range table is empty
[Expert@MyVSXGW:2]#
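The description above says that each Drop Template is assembled from range indexes, and Example 6 shows the per-interface anti-spoofing ranges that SecureXL enforces. The POSIX shell and awk functions below are an added example, not part of this guide and not Check Point code: they parse 'fwaccel ranges' output in the shape shown in Examples 2 and 6, return the index of the range that contains an IPv4 address or a (destination port, protocol) pair, and combine the three lookups for a connection tuple. The sample outputs are constructed here from those examples (the dport list is copied in full). Two assumptions are made: addresses are compared as 32-bit integers, and the ordering of the (port, proto) list is protocol-major, port-minor, which is inferred from the example output and not stated by the guide.

```shell
#!/bin/sh
# Added example: look up 'fwaccel ranges' indexes for an IP address or a (port, protocol) pair.
# Not Check Point code. Sample outputs below are constructed from the guide's Examples 2 and 6.

# Print the index of the range that contains the value, or -1 when no range matches.
#   $1  list name as printed by fwaccel ranges (prefix match, e.g. "Rule base source ranges")
#   $2  "ip" or "port"
#   $3  IPv4 address (ip) or destination port (port)
#   $4  IP protocol number (port only), e.g. 6 for TCP, 17 for UDP
# Reads the 'fwaccel ranges' output on stdin.
range_index() {
    awk -v list="$1" -v kind="$2" -v val="$3" -v proto="$4" '
        # Dotted quad to a 32-bit integer so ranges can be compared numerically.
        function ip2int(s,    o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        # Assumed ordering of the (port, proto) list: protocol is the major key, port the minor key.
        function key(port, prot) { gsub(/,/, "", port); return prot * 65536 + port }
        /^[ \t]*[A-Za-z]/ { cur = $0; sub(/^[ \t]+/, "", cur); next }   # list header line
        index(cur, list) == 1 && $1 ~ /^\([0-9]+\)$/ {                  # "(n) lo - hi" line
            idx = $1; gsub(/[()]/, "", idx)
            if (kind == "ip") { lo = ip2int($2); hi = ip2int($4); v = ip2int(val) }
            else              { lo = key($2, $3); hi = key($5, $6); v = proto * 65536 + val }
            if (v >= lo && v <= hi) { print idx; found = 1; exit }
        }
        END { if (!found) print "-1" }'
}

# Print "<src idx> <dst idx> <service idx>" for a connection tuple: the three indexes a
# Drop Template is assembled from. $1 src IP, $2 dst IP, $3 dst port, $4 protocol number.
template_indexes() {
    r=$(cat)
    s=$(printf '%s\n' "$r" | range_index "Rule base source ranges" ip "$1")
    d=$(printf '%s\n' "$r" | range_index "Rule base destination ranges" ip "$2")
    p=$(printf '%s\n' "$r" | range_index "Rule base dport ranges" port "$3" "$4")
    echo "$s $d $p"
}

# Constructed sample: non-VSX gateway, in the shape of Example 2.
RANGES_GW='SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535'

# Constructed sample: VS1 of the VSX gateway, in the shape of Example 6.
RANGES_VS1='SecureXL device 0:
Anti spoofing ranges eth3:
(0) 40.50.60.0 - 40.50.60.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.52:
(0) 70.80.90.0 - 70.80.90.255
(1) 192.168.196.1 - 192.168.196.1
(2) 192.168.196.3 - 192.168.196.14'

# Stand-alone demonstration.
printf '%s\n' "$RANGES_GW"  | template_indexes 192.168.204.40 192.168.254.40 18190 6   # 3 5 3
printf '%s\n' "$RANGES_VS1" | range_index "Anti spoofing ranges eth3" ip 40.50.60.7     # 0
printf '%s\n' "$RANGES_VS1" | range_index "Anti spoofing ranges eth3" ip 192.168.196.18 # -1
```

A source address that falls in none of an interface's anti-spoofing ranges (192.168.196.18 on eth3 in the last call) is the case that shows up under the "anti spoofing" reason in 'fwaccel stats -d'; running the lookup against the live output is a quick way to confirm which range a dropped address was expected to fall in before touching the topology.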

'fwaccel stat' and 'fwaccel6 stat'


Description
These commands show the SecureXL status, the list of the accelerated interfaces and the list of
the accelerated features on the local Security Gateway, or Cluster Member.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] stat [-a] [-t] [-v]

Syntax for IPv6


fwaccel6 stat [-a] [-t] [-v]

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
No Parameters Shows this information:
• SecureXL instance ID
• SecureXL instance role
• SecureXL status
• Accelerated interfaces
• Accelerated features
In addition, also shows:
• More information about the Cryptography feature
• The status of Accept Templates
• The status of Drop Templates
• The status of NAT Templates
-a On VSX Gateway, shows the information for all Virtual Systems.
-t Shows this information only:
• SecureXL instance ID
• SecureXL instance role
• SecureXL status
• Accelerated interfaces
• Accelerated features
-v On VSX Gateway, shows the information for all Virtual Systems.
The same as the "-a" parameter.

Example 1 - Full output from a non-VSX Gateway


[Expert@MyGW:0]# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,|
| | | |eth5,eth6 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer MyGW_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer MyGW_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
[Expert@MyGW:0]#

Example 2 - Brief output from a non-VSX Gateway


[Expert@MyGW:0]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,|
| | | |eth5,eth6,eth7 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+

[Expert@MyGW:0]#

Example 3 - Full output from a VSX Gateway


[Expert@MyVSXGW:1]# vsx stat -v
VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25

Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status
======================

ID   | Type & Name         | Access Control Policy | Installed at    | Threat Prevention Policy | SIC Stat
-----+---------------------+-----------------------+-----------------+--------------------------+---------
1    | S VS1               | VS1_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust
2    | S VS2               | VS2_Policy            | 17Sep2018 12:47 | <No Policy>              | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
      R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel stat
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth1,eth2,eth3 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : disabled by Firewall
Layer VS1_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer VS1_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
[Expert@MyVSXGW:1]#
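The 'fwaccel on' section requires SecureXL to be configured the same way on all Cluster Members, and the 'fwaccel stat -t' table above is the compact form to check that against. The POSIX shell and awk functions below are an added example, not part of this guide and not Check Point code: they parse the 'fwaccel stat -t' table in the shape shown in the examples, extract the SND Status column and the accelerated interface list (which wraps onto a second table row when it is long, as in Example 1), and compare the status strings collected from several members. The two sample tables are constructed to match the examples; collecting the real output from each member (the SSH command in the comment) is an assumption about your environment, not something the guide specifies.

```shell
#!/bin/sh
# Added example: parse 'fwaccel stat -t' output and compare SecureXL state across cluster members.
# Not Check Point code. Sample tables below are constructed to match the guide's examples.

# Print the Status column of the SND row ("enabled" or "disabled").
# Reads the 'fwaccel stat -t' table on stdin; the data row is the one whose Id column is numeric.
securexl_status() {
    awk -F'|' '$2 ~ /^[0-9]+ *$/ { gsub(/ /, "", $4); print $4; exit }'
}

# Print the accelerated interface list, joining continuation rows
# (rows with an empty Id column carry the rest of a long Interfaces cell).
securexl_interfaces() {
    awk -F'|' '
        /^[|]/ && $2 !~ /Id/ { gsub(/ /, "", $5); if ($5 != "") out = out $5 }
        END { print out }'
}

# Exit 0 when every argument (one status string per member) is identical, 1 otherwise.
securexl_cluster_consistent() {
    n=$(printf '%s\n' "$@" | sort -u | wc -l | tr -d ' \t')
    [ "$n" -eq 1 ]
}

# Constructed sample: a member with SecureXL enabled and a wrapped interface list.
MEMBER_A='+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,|
| | | |eth5,eth6 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+'

# Constructed sample: a member where someone ran 'fwaccel off' and never turned it back on.
MEMBER_B='+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |disabled |eth1,eth2,eth3 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+'

# Stand-alone demonstration. Against a real cluster, replace the two printf lines with the
# output of each member, for example: ssh admin@<member> fwaccel stat -t   (assumed, not from the guide)
a=$(printf '%s\n' "$MEMBER_A" | securexl_status)
b=$(printf '%s\n' "$MEMBER_B" | securexl_status)
if securexl_cluster_consistent "$a" "$b"; then
    echo "SecureXL state consistent across members: $a"
else
    echo "WARNING: SecureXL state differs across members: member A=$a, member B=$b"
fi
```

Comparing the interface lists the same way catches the other asymmetry the guide warns about: a member whose Interfaces column is shorter than its peer's has an interface that is not accelerated, and traffic failing over to it will land in the slow path.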

'fwaccel stats' and 'fwaccel6 stats'


Description
These commands show the SecureXL acceleration statistics on the local Security Gateway or Cluster
Member (fwaccel for IPv4 traffic, fwaccel6 for IPv6 traffic).

Syntax for IPv4


fwaccel [-i <SecureXL ID>] stats
[-c]
[-d]
[-l]
[-m]
[-n]
[-o]
[-p]
[-q]
[-r]
[-s]
[-x]

Syntax for IPv6


fwaccel6 stats
[-c]
[-d]
[-l]
[-m]
[-n]
[-o]
[-p]
[-q]
[-r]
[-s]
[-x]

Parameters
Parameter Description
-i <SecureXL ID> Specifies the SecureXL instance ID (for IPv4 only).
-c (on page 81) Shows the statistics for Cluster Correction (see example (on page
81)).
-d (on page 81) Shows the statistics for drops from device (see example (on page 81)).
-l (on page 82) Shows the statistics in legacy mode - as one table (see example (on
page 82)).
-m (on page 83) Shows the statistics for multicast traffic (see example (on page 83)).

-n (on page 83) Shows the statistics for Identity Awareness (NAC) (see example (on
page 83)).
-o (on page 84) Shows the statistics for Reorder Infrastructure (see example (on page
84)).
-p (on page 85) Shows the statistics for SecureXL violations (F2F packets) (see
example (on page 85)).

-q (on page 86) Shows the statistics for notifications that SecureXL sent to the Firewall
(see example (on page 86)).
-r Resets all the counters.
-s (on page 79) Shows the statistics summary only (see example (on page 79)).

-x (on page 86) Shows the statistics for PXL (see example (on page 86)).
Note - PXL is the technology name for the combination of SecureXL and
PSL (Passive Streaming Library).

See the description of the Statistics Counters and examples in the next sections.

Description of the Statistics Counters


• The Accelerated Path section:
Counter Description
accel packets Number of accelerated packets.
accel bytes Number of accelerated bytes.
outbound packets Number of outbound packets.
outbound bytes Number of outbound bytes.
conns created Number of connections the SecureXL created.
conns deleted Number of connections the SecureXL deleted.
C total conns Total number of connections that SecureXL currently handles.
C templates Not in use (total number of SecureXL templates that SecureXL currently
handles).
C TCP conns Number of TCP connections that SecureXL currently handles.
C non TCP conns Number of non-TCP connections that SecureXL currently handles.
conns from templates Not in use (number of connections that SecureXL created from
SecureXL templates).

nat conns Number of NAT connections.


dropped packets Number of packets the SecureXL dropped.
dropped bytes Number of bytes the SecureXL dropped.
nat templates Not in use
port alloc templates Not in use
conns from nat tmpl Not in use
port alloc conns Not in use
fragments received Number of received fragments.
fragments transmit Number of transmitted fragments.
fragments dropped Number of dropped fragments.
fragments expired Number of expired fragments.
IP options stripped Number of packets from which SecureXL stripped IP options.
IP options restored Number of packets in which SecureXL restored IP options.
IP options dropped Number of packets with IP options that SecureXL dropped.
corrs created Number of corrections the SecureXL made.
corrs deleted Number of corrections the SecureXL deleted.
C corrections Number of corrections the SecureXL currently handles.
corrected packets Number of corrected packets.
corrected bytes Number of corrected bytes.

• The Accelerated VPN Path section:


Counter Description
C crypt conns Number of encrypted connections the SecureXL currently
handles.
enc bytes Number of encrypted traffic bytes.
dec bytes Number of decrypted traffic bytes.
ESP enc pkts Number of ESP encrypted packets.
ESP enc err Number of ESP encryption errors.
ESP dec pkts Number of ESP decrypted packets.
ESP dec err Number of ESP decryption errors.
ESP other err Number of ESP general errors.
espudp enc pkts Not in use
espudp enc err Not in use
espudp dec pkts Not in use
espudp dec err Not in use
espudp other err Not in use
• The Medium Streaming Path section:
Counter Description
PXL packets Number of PXL packets.
PXL is the combination of SecureXL and the Passive Streaming Library (PSL), an
IPS infrastructure that transparently listens to TCP traffic as network packets
and rebuilds the TCP stream out of these packets. Passive Streaming can listen to
all TCP traffic, but processes only the data packets that belong to a previously
registered connection.
Note - The R80.20 'fwaccel stats' output (see the example below) reports these
counters separately per streaming engine, as CPASXL ... and PSLXL ... counters.
PXL async packets Number of PXL packets that SecureXL handled asynchronously.
PXL bytes Number of PXL bytes.
C PXL conns Number of PXL connections that SecureXL currently handles.
C PXL templates Not in use (number of PXL templates).
PXL FF conns Number of PXL Fast Forward connections.
PXL FF packets Number of PXL Fast Forward packets.
PXL FF bytes Number of PXL Fast Forward bytes.
PXL FF acks Number of PXL Fast Forward acknowledgments.

• The Inline Streaming Path section:


Counter Description
PSL Inline packets Number of accelerated PSL packets.
PSL Inline bytes Number of accelerated PSL bytes.
CPAS Inline packets Number of accelerated CPAS packets.
CPAS Inline bytes Number of accelerated CPAS bytes.

• The QoS General Information section:


Counter Description
Total QoS Conns Total number of QoS connections.
QoS Classify Conns Number of classified QoS connections.
QoS Classify flow Number of classified QoS flows.
Reclassify QoS policy Number of QoS policy reclassification requests.

• The Firewall QoS Path section:


Counter Description
Enqueued IN packets Number of waiting packets in Firewall QoS inbound queue.
Enqueued OUT packets Number of waiting packets in Firewall QoS outbound queue.
Dequeued IN packets Number of processed packets in Firewall QoS inbound
queue.
Dequeued OUT packets Number of processed packets in Firewall QoS outbound
queue.
Enqueued IN bytes Number of waiting bytes in Firewall QoS inbound queue.
Enqueued OUT bytes Number of waiting bytes in Firewall QoS outbound queue.
Dequeued IN bytes Number of processed bytes in Firewall QoS inbound queue.
Dequeued OUT bytes Number of processed bytes in Firewall QoS outbound
queue.

• The Accelerated QoS Path section:


Counter Description
Enqueued IN packets Number of waiting packets in SecureXL QoS inbound queue.
Enqueued OUT packets Number of waiting packets in SecureXL QoS outbound
queue.
Dequeued IN packets Number of processed packets in SecureXL QoS inbound queue.
Dequeued OUT packets Number of processed packets in SecureXL QoS outbound
queue.
Enqueued IN bytes Number of waiting bytes in SecureXL QoS inbound queue.
Enqueued OUT bytes Number of waiting bytes in SecureXL QoS outbound queue.
Dequeued IN bytes Number of processed bytes in SecureXL QoS inbound
queue.
Dequeued OUT bytes Number of processed bytes in SecureXL QoS outbound
queue.

• The Firewall Path section:


Counter Description
F2F packets Number of packets that SecureXL forwarded to the Firewall
kernel in Slow Path.
F2F bytes Number of bytes that SecureXL forwarded to the Firewall
kernel in Slow Path.
TCP violations Number of packets, which are in violation of the TCP state.
C anticipated conns Number of anticipated connections SecureXL currently
handles.
port alloc f2f Not in use
F2V conn match pkts Number of packets that matched a SecureXL connection
and SecureXL forwarded to the Firewall kernel.
F2V packets Number of packets that SecureXL forwarded to the Firewall
kernel and the Firewall re-injected back to SecureXL.
F2V bytes Number of bytes that SecureXL forwarded to the Firewall
kernel and the Firewall re-injected back to the SecureXL.

• The GTP section:


Counter Description
gtp tunnels created Number of created GTP tunnels.
gtp tunnels Number of GTP tunnels the SecureXL currently handles.
gtp accel pkts Number of accelerated GTP packets.
gtp f2f pkts Number of GTP packets the SecureXL forwarded to the
Firewall kernel.
gtp spoofed pkts Number of spoofed GTP packets.
gtp in gtp pkts Number of GTP-in-GTP packets.
gtp signaling pkts Number of signaling GTP packets.
gtp tcpopt pkts Number of GTP packets with TCP Options.
gtp apn err pkts Number of GTP packets with APN errors.

• The General section:


Counter Description
memory used Not in use
free memory Not in use
C used templates Not in use
pxl tmpl conns Not in use
C conns from tmpl Not in use (number of current connections that SecureXL created from
SecureXL Templates).
C tcp handshake conns Number of current TCP connections that are not yet established.
C tcp established conns Number of established TCP connections that SecureXL currently
handles.
C tcp closed conns Number of closed TCP connections that SecureXL currently handles.
C tcp pxl handshake conns Number of not yet established PXL TCP connections that SecureXL
currently handles.
C tcp pxl established conns Number of established PXL TCP connections that SecureXL
currently handles.
C tcp pxl closed conns Number of closed PXL TCP connections that SecureXL currently
handles.
outbound pxl packets Not in use

Example: fwaccel stats -s


Example of statistics summary:
fwaccel stats -s

Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/8 (0%)
F2Fed pkts/Total pkts : 8/8 (100%)
F2V pkts/Total pkts : 0/8 (0%)
CPASXL pkts/Total pkts : 0/8 (0%)
PSLXL pkts/Total pkts : 0/8 (0%)
QOS inbound pkts/Total pkts : 0/8 (0%)
QOS outbound pkts/Total pkts : 0/8 (0%)
Corrected pkts/Total pkts : 0/8 (0%)
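The summary above is where most acceleration triage starts: a high F2Fed share means the Firewall path, not SecureXL, is carrying the traffic, and the next question is why packets are dropped or forwarded. The POSIX shell and awk functions below are an added example, not part of this guide and not Check Point code: they recompute the F2F share from the raw packet counts in 'fwaccel stats -s' output (the printed percentage is rounded), enforce a budget, and list the non-zero reasons from 'fwaccel stats -d' output (whose format is shown at the end of this section) largest first. All three sample outputs are constructed; the 20 percent budget is an assumption to be tuned per gateway, not a Check Point recommendation.

```shell
#!/bin/sh
# Added example: triage helpers for 'fwaccel stats -s' and 'fwaccel stats -d' output.
# Not Check Point code. Sample outputs below are constructed in the shape of the guide's examples.

# Print "<numerator> <denominator>" for the row whose label starts with $1 (e.g. "F2Fed pkts").
# Reads 'fwaccel stats -s' output on stdin; the value field looks like " 8/8 (100%)".
stats_row() {
    awk -F: -v label="$1" '
        index($1, label) == 1 { s = $2; sub(/^[^0-9]+/, "", s); split(s, a, /[^0-9]+/); print a[1], a[2]; exit }'
}

# Print the F2F share as a whole percentage computed from the raw counts (0 when no packets).
f2f_share() {
    stats_row "F2Fed pkts" | awk '{ if ($2 > 0) printf "%d\n", 100 * $1 / $2; else print 0 }'
}

# Exit 0 when the F2F share is at or below $1 percent, 1 when above or when the row is missing.
check_f2f_budget() {
    share=$(f2f_share)
    [ -n "$share" ] && [ "$share" -le "$1" ]
}

# Print "<count> <reason>" for every reason with a non-zero count in 'fwaccel stats -d' output,
# largest first. Reason names contain spaces, so a field is a count only when it is all digits.
nonzero_drop_reasons() {
    awk '
        /^-+/ { next }
        {
            name = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) {
                    if (name != "" && $i > 0) print $i, name
                    name = ""
                } else {
                    name = (name == "") ? $i : name " " $i
                }
            }
        }' | sort -rn
}

# Constructed sample: everything in the slow path, as in the summary example above.
STATS_SLOW='Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts : 0/8 (0%)
F2Fed pkts/Total pkts : 8/8 (100%)
F2V pkts/Total pkts : 0/8 (0%)
CPASXL pkts/Total pkts : 0/8 (0%)
PSLXL pkts/Total pkts : 0/8 (0%)
QOS inbound pkts/Total pkts : 0/8 (0%)
QOS outbound pkts/Total pkts : 0/8 (0%)
Corrected pkts/Total pkts : 0/8 (0%)'

# Constructed sample: a healthy gateway, values chosen for this example.
STATS_OK='Accelerated conns/Total conns : 9500/10000 (95%)
Accelerated pkts/Total pkts : 930000/1000000 (93%)
F2Fed pkts/Total pkts : 50000/1000000 (5%)
F2V pkts/Total pkts : 20000/1000000 (2%)
CPASXL pkts/Total pkts : 0/1000000 (0%)
PSLXL pkts/Total pkts : 0/1000000 (0%)
QOS inbound pkts/Total pkts : 0/1000000 (0%)
QOS outbound pkts/Total pkts : 0/1000000 (0%)
Corrected pkts/Total pkts : 0/1000000 (0%)'

# Constructed sample of 'fwaccel stats -d' with a few non-zero counters.
DROPS='Reason Value Reason Value
-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
PSLXL decision 0 clr pkt on vpn 0
encrypt failed 0 drop template 40
decrypt failed 0 interface down 0
cluster error 0 XMT error 0
anti spoofing 1523 local spoofing 0
sanity error 0 monitored spoofed 0
QOS decision 0 C2S violation 0
S2C violation 0 Loop prevention 0
DOS Fragments 0 DOS IP Options 0
DOS Blacklists 0 DOS Penalty Box 0
DOS Rate Limiting 0 Syn Attack 7'

# Stand-alone demonstration.
for sample in "$STATS_SLOW" "$STATS_OK"; do
    if printf '%s\n' "$sample" | check_f2f_budget 20; then
        echo "F2F share $(printf '%s\n' "$sample" | f2f_share)%: within budget"
    else
        echo "F2F share $(printf '%s\n' "$sample" | f2f_share)%: over budget, investigate with fwaccel stats -p"
    fi
done
printf '%s\n' "$DROPS" | nonzero_drop_reasons
```

Run 'fwaccel stats -r' before a measurement window if you want the share to reflect current traffic rather than everything since the last reset; the counters are cumulative totals unless marked with C.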

Example: fwaccel stats


Example of the default output:
fwaccel stats

Name Value Name Value


---------------------------- ------------ ---------------------------- ------------

Accelerated Path
--------------------------------------------------------------------------------------
accel packets 0 accel bytes 0
outbound packets 0 outbound bytes 0
conns created 0 conns deleted 0
C total conns 0 C TCP conns 0
C non TCP conns 0 nat conns 0
dropped packets 0 dropped bytes 0
fragments received 0 fragments transmit 0
fragments dropped 0 fragments expired 0
IP options stripped 0 IP options restored 0
IP options dropped 0 corrs created 0
corrs deleted 0 C corrections 0
corrected packets 0 corrected bytes 0

Accelerated VPN Path


--------------------------------------------------------------------------------------
C crypt conns 0 enc bytes 0
dec bytes 0 ESP enc pkts 0
ESP enc err 0 ESP dec pkts 0
ESP dec err 0 ESP other err 0
espudp enc pkts 0 espudp enc err 0
espudp dec pkts 0 espudp dec err 0
espudp other err 0

Medium Streaming Path


--------------------------------------------------------------------------------------
CPASXL packets 0 PSLXL packets 0
CPASXL async packets 0 PSLXL async packets 0
CPASXL bytes 0 PSLXL bytes 0
C CPASXL conns 0 C PSLXL conns 0
CPASXL conns created 0 PSLXL conns created 0
PXL FF conns 0 PXL FF packets 0
PXL FF bytes 0 PXL FF acks 0
PXL no conn drops 0

Inline Streaming Path


--------------------------------------------------------------------------------------
PSL Inline packets 0 PSL Inline bytes 0
CPAS Inline packets 0 CPAS Inline bytes 0

QoS Paths
--------------------------------------------------------------------------------------
QoS General Information:
------------------------
Total QoS Conns 0 QoS Classify Conns 0
QoS Classify flow 0 Reclassify QoS policy 0

FireWall QoS Path:


------------------
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0

Accelerated QoS Path:


---------------------
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0

Firewall Path
--------------------------------------------------------------------------------------
F2F packets 35324 F2F bytes 1797781
TCP violations 0 F2V conn match pkts 0
F2V packets 0 F2V bytes 0

GTP
--------------------------------------------------------------------------------------
gtp tunnels created 0 gtp tunnels 0
gtp accel pkts 0 gtp f2f pkts 0
gtp spoofed pkts 0 gtp in gtp pkts 0
gtp signaling pkts 0 gtp tcpopt pkts 0
gtp apn err pkts 0

Performance Tuning Administration Guide R80.20 | 80


SecureXL and Falcon Acceleration Cards in R80.20

General
--------------------------------------------------------------------------------------
memory used 38798784 C tcp handshake conns 0
C tcp established conns 0 C tcp closed conns 0
C tcp pxl handshake conns 0 C tcp pxl established conns 0
C tcp pxl closed conns 0 outbound cpasxl packets 0
outbound pslxl packets 0 outbound cpasxl bytes 0
outbound pslxl bytes 0 DNS DoR stats 0

(*) Statistics marked with C refer to current value, others refer to total value

Example: fwaccel stats -c


Example of statistics for Cluster Correction:
fwaccel stats -c

Cluster Correction stats:

Name Value Name Value


----------------------- ------------ ----------------------- ------------
Sent pkts (total) 0 Sent with metadata 0
Received pkts (total) 0 Received with metadata 0
Sent bytes 0 Received bytes 0
Send errors 0 Receive errors 0

Example: fwaccel stats -d


Example of statistics for drops from device:
fwaccel stats -d

Reason Value Reason Value


-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
PSLXL decision 0 clr pkt on vpn 0
encrypt failed 0 drop template 0
decrypt failed 0 interface down 0
cluster error 0 XMT error 0
anti spoofing 0 local spoofing 0
sanity error 0 monitored spoofed 0
QOS decision 0 C2S violation 0
S2C violation 0 Loop prevention 0
DOS Fragments 0 DOS IP Options 0
DOS Blacklists 0 DOS Penalty Box 0
DOS Rate Limiting 0 Syn Attack 0
Reorder 0 Expired Fragments 0

Example: fwaccel stats -l


Example of the output in legacy mode (as one table):
fwaccel stats -l

Name Value Name Value


---------------------------- ------------ ---------------------------- ------------
- 0 accel packets 0
accel bytes 0 outbound packets 0
outbound bytes 0 conns created 0
conns deleted 0 C total conns 0
C TCP conns 0 C non TCP conns 0
nat conns 0 dropped packets 0
dropped bytes 0 fragments received 0
fragments transmit 0 fragments dropped 0
fragments expired 0 IP options stripped 0
IP options restored 0 IP options dropped 0
corrs created 0 corrs deleted 0
C corrections 0 corrected packets 0
corrected bytes 0 C crypt conns 0
enc bytes 0 dec bytes 0
ESP enc pkts 0 ESP enc err 0
ESP dec pkts 0 ESP dec err 0
ESP other err 0 espudp enc pkts 0
espudp enc err 0 espudp dec pkts 0
espudp dec err 0 espudp other err 0
acct update interval 3600 CPASXL packets 0
PSLXL packets 0 CPASXL async packets 0
PSLXL async packets 0 CPASXL bytes 0
PSLXL bytes 0 C CPASXL conns 0
C PSLXL conns 0 CPASXL conns created 0
PSLXL conns created 0 PXL FF conns 0
PXL FF packets 0 PXL FF bytes 0
PXL FF acks 0 PXL no conn drops 0
PSL Inline packets 0 PSL Inline bytes 0
CPAS Inline packets 0 CPAS Inline bytes 0
Total QoS Conns 0 QoS Classify Conns 0
QoS Classify flow 0 Reclassify QoS policy 0
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0
F2F packets 35383 F2F bytes 1801493
TCP violations 0 F2V conn match pkts 0
F2V packets 0 F2V bytes 0
gtp tunnels created 0 gtp tunnels 0
gtp accel pkts 0 gtp f2f pkts 0
gtp spoofed pkts 0 gtp in gtp pkts 0
gtp signaling pkts 0 gtp tcpopt pkts 0
gtp apn err pkts 0 memory used 38798784
C tcp handshake conns 0 C tcp established conns 0
C tcp closed conns 0 C tcp pxl handshake conns 0
C tcp pxl established conns 0 C tcp pxl closed conns 0
outbound cpasxl packets 0 outbound pslxl packets 0
outbound cpasxl bytes 0 outbound pslxl bytes 0
DNS DoR stats 0
(*) Statistics marked with C refer to current value, others refer to total value

Example: fwaccel stats -m


Example of statistics for multicast traffic:
fwaccel stats -m

Name Value Name Value


-------------------- --------------- -------------------- ---------------
in packets 0 out packets 0
if restricted 0 conns with down if 0
f2f packets 0 f2f bytes 0
dropped packets 0 dropped bytes 0
accel packets 0 accel bytes 0
mcast conns 0

Example: fwaccel stats -n


Example of statistics for Identity Awareness (NAC):
fwaccel stats -n

Name Value Name Value


-------------------- --------------- -------------------- ---------------
NAC packets 0 NAC bytes 0
NAC connections 0 complience failure 0

Example: fwaccel stats -o


Example of statistics for Reorder Infrastructure:
fwaccel stats -o

Appliaction: F2V
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: Route
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: New connection


Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: F2P
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Example: fwaccel stats -p


Example of statistics for SecureXL violations (F2F packets):
fwaccel stats -p

F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 3036
TCP-SYN miss conn 8 TCP-other miss conn 32224
UDP miss conn 3772 other miss conn 0
VPN returned F2F 0 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
out if not def/accl 0 bridge, src=dst 0
routing decision err 0 sanity checks failed 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 cluster forward 0
chain forwarding 0 F2V conn match pkts 0
general reason 0 route changes 0

Example: fwaccel stats -q


Example of statistics for notifications the SecureXL sent to the Firewall:
fwaccel stats -q

Notification Packets Notification Packets


--------------------- -------------- --------------------- --------------
ntSAAboutToExpire 0 ntSAExpired 0
ntMSPIError 0 ntNoInboundSA 0
ntNoOutboundSA 0 ntDataIntegrityFailed 0
ntPossibleReplay 0 ntReplay 0
ntNextProtocolError 0 ntCPIError 0
ntClearTextPacket 0 ntFragmentation 0
ntUpdateUdpEncTable 0 ntSASync 0
ntReplayOutOfWindow 0 ntVPNTrafficReport 0
ntConnDeleted 0 ntConnUpdate 0
ntPacketDropped 0 ntSendLog 0
ntRefreshGTPTunnel 0 ntMcastDrop 0
ntAccounting 0 ntAsyncIndex 0
ntACkReordering 0 ntAccelAckInfo 0
ntMonitorPacket 0 ntPacketCapture 0
ntCpasPacketCapture 0 ntPSLGlueUpdateReject 0
ntSeqVerifyDrop 0 ntPacketForwardBefore 0
ntICMPMessage 0 ntQoSReclassifyPacket 0
ntQoSResumePacket 0 ntVPNEncHaLinkFailure 0
ntVPNEncLsLinkFailure 0 ntVPNEncRouteChange 0
ntVPNDecVerRouteChang 0 ntVPNDecRouteChange 0
ntMuxSimToFw 0 ntPSLEventLog 0
ntSendCPHWDStats 14871 ntPacketTaggingViolat 0
ntDosNotify 28 ntSynatkNotify 0
ntSynatkStats 0 ntQoSEventLog 0
ntPrintGetParam 0

Example: fwaccel stats -x


Example of statistics for PXL:
fwaccel stats -x

PXL Release Context statistics:

Name Value Name Value


----------------------- ------------ ----------------------- ------------
End Handler 0 Post Sync 0
Stop Stream 0 kbuf fail 0
Set field failure 0 Notif set field fail 0
Non SYN seq fail 0 Tmpl kbuf fail 0
Tmpl set field fail 0 Segment Injection 0
Init app fail 0 Expiration 0
Newconn set field fail 0 Newconn fail 0
CPHWD dec 0 No PSL policy 0

PXL Exception statistics:

Name Value Name Value


----------------------- ------------ ----------------------- ------------
urgent packets 0 invalid SYN retrans 0
SYN seq not init 0 old pkts out win 0
old pkts out win trunc 0 old pkts out win strip 0
new pkts out win 0 incorrect retrans 0
TCP pkts with bad csum 0 ACK unprocessed data 0
old ACK out win 0 Max segments reached 0
No resources 0 Hold timeout 0

'fwaccel synatk' and 'fwaccel6 synatk'


Description
These commands control the Accelerated SYN Defender (on page 23) on the local Security
Gateway, or Cluster Member.
Important - See sk120476 http://supportcontent.checkpoint.com/solutions?id=sk120476 for
information about the 'SYN Attack' protection in SmartConsole.

Syntax for IPv4


fwaccel synatk
-a
-c <options>
-d
-e
-g
-m
-t <options>
config
monitor <options>
state <options>
whitelist <options>

Syntax for IPv6


fwaccel6 synatk
-a
-c <options>
-d
-e
-g
-m
-t <options>
config
monitor <options>
state <options>
whitelist <options>

Parameters
Parameter Description
No Parameters Shows the applicable built-in usage.
-a (on page 89) Applies the configuration from the default file.

-c <options> (on page 90) Applies the configuration from the specified file.
-d (on page 91) Disables the Accelerated SYN Defender on all interfaces.
-e (on page 92) Enables the Accelerated SYN Defender on interfaces with topology
"External".
Enables the Accelerated SYN Defender in Monitor (Detect only) mode
on interfaces with topology "Internal".
-g (on page 93) Enables the Accelerated SYN Defender on all interfaces.

-m (on page 94) Enables the Accelerated SYN Defender in Monitor (Detect only) mode
on all interfaces.
In this state, the Accelerated SYN Defender only sends a log when it
recognizes a TCP SYN Flood attack.
-t <options> (on page 95) Configures the threshold numbers of half-opened TCP connections
that trigger the Accelerated SYN Defender.
config (on page 96) Shows the current Accelerated SYN Defender configuration.

monitor <options> (on page 99) Shows the Accelerated SYN Defender status.
state <options> (on page 102) Controls the Accelerated SYN Defender states.
whitelist <options> (on page 103) Controls the Accelerated SYN Defender whitelist.

'fwaccel synatk -a' and 'fwaccel6 synatk -a'

Description
Applies the Accelerated SYN Defender (on page 23) configuration from the default
$FWDIR/conf/synatk.conf file.
Notes:
• Both IPv4 and IPv6 use the same configuration file.
• Interface-specific state settings that you define in the configuration file override the settings
that you define with these commands:
• {fwaccel | fwaccel6} synatk -d (on page 91)
• {fwaccel | fwaccel6} synatk -e (on page 91)
• {fwaccel | fwaccel6} synatk -g (on page 93)
• {fwaccel | fwaccel6} synatk -m (on page 94)

Syntax for IPv4


fwaccel synatk -a

Syntax for IPv6


fwaccel6 synatk -a

'fwaccel synatk -c <Configuration File>' and 'fwaccel6 synatk -c <Configuration File>'

Description
Applies the Accelerated SYN Defender (on page 23) configuration from the specified file.
Important - If you use this parameter, then it must be the first parameter in the syntax.
Notes:
• Both IPv4 and IPv6 use the same configuration file.
• Interface-specific state settings that you define in the configuration file override the settings
that you define with these commands:
• {fwaccel | fwaccel6} synatk -d (on page 91)
• {fwaccel | fwaccel6} synatk -e (on page 91)
• {fwaccel | fwaccel6} synatk -g (on page 93)
• {fwaccel | fwaccel6} synatk -m (on page 94)

Syntax for IPv4


fwaccel synatk -c <Configuration File>

Syntax for IPv6


fwaccel6 synatk -c <Configuration File>

Parameters
Parameter Description
<Configuration File>
Specifies the full path and the name of the file.
For reference, see the default file:
$FWDIR/conf/synatk.conf

'fwaccel synatk -d' and 'fwaccel6 synatk -d'

Description
Disables the Accelerated SYN Defender (on page 23) on all interfaces.
Notes:
• This command:
  a) Modifies the default configuration file $FWDIR/conf/synatk.conf, or the configuration file
     specified with the -c parameter.
  b) Loads the modified file.
• Outputs of the 'fwaccel synatk monitor' and 'fwaccel6 synatk monitor' (on page 99) commands
  show:
  • Configuration: Disabled
  • Enforce: Disable
  • State: Disable
• Outputs of the 'fwaccel synatk config' and 'fwaccel6 synatk config' (on page 96) commands
  show:
  • enabled 0
  • enforce 0

Syntax for IPv4


fwaccel synatk -d

Syntax for IPv6


fwaccel6 synatk -d

'fwaccel synatk -e' and 'fwaccel6 synatk -e'

Description
Enables the Accelerated SYN Defender (on page 23) on interfaces with topology "External".
Enables the Accelerated SYN Defender (on page 23) in Monitor (Detect only) mode on interfaces
with topology "Internal".
Notes:
• This command:
  a) Modifies the default configuration file $FWDIR/conf/synatk.conf, or the configuration file
     specified with the -c parameter.
  b) Loads the modified file.
• Outputs of the 'fwaccel synatk monitor' and 'fwaccel6 synatk monitor' (on page 99) commands
  show for "External" interfaces:
  • Configuration: Enforcing
  • Enforce: Prevent
  • State: Ready (may change later depending on what the SYN Defender detects)
• Outputs of the 'fwaccel synatk monitor' and 'fwaccel6 synatk monitor' (on page 99) commands
  show for "Internal" interfaces:
  • Configuration: Enforcing
  • Enforce: Detect
  • State: Monitor
• Outputs of the 'fwaccel synatk config' and 'fwaccel6 synatk config' (on page 96) commands
  show:
  • enabled 1
  • enforce 1

Syntax for IPv4


fwaccel synatk -e

Syntax for IPv6


fwaccel6 synatk -e

'fwaccel synatk -g' and 'fwaccel6 synatk -g'

Description
Enables the Accelerated SYN Defender (on page 23) on all interfaces.
Notes:
• This command:
  a) Modifies the default configuration file $FWDIR/conf/synatk.conf, or the configuration file
     specified with the -c parameter.
  b) Loads the modified file.
• Outputs of the 'fwaccel synatk monitor' and 'fwaccel6 synatk monitor' (on page 99) commands
  show for "External" interfaces:
  • Configuration: Enforcing
  • Enforce: Prevent
  • State: Ready (may change later depending on what the SYN Defender detects)
• Outputs of the 'fwaccel synatk monitor' and 'fwaccel6 synatk monitor' (on page 99) commands
  show for "Internal" interfaces:
  • Configuration: Enforcing
  • Enforce: Detect
  • State: Monitor
• Outputs of the 'fwaccel synatk config' and 'fwaccel6 synatk config' (on page 96) commands
  show:
  • enabled 1
  • enforce 2

Syntax for IPv4


fwaccel synatk -g

Syntax for IPv6


fwaccel6 synatk -g

'fwaccel synatk -m' and 'fwaccel6 synatk -m'

Description
Enables the Accelerated SYN Defender (on page 23) in Monitor (Detect only) mode on all
interfaces.
In this state, the Accelerated SYN Defender only sends a log when it recognizes a TCP SYN Flood
attack.
Notes:
• This command:
  a) Modifies the default configuration file $FWDIR/conf/synatk.conf, or the configuration file
     specified with the -c parameter.
  b) Loads the modified file.
• Outputs of the 'fwaccel synatk monitor' and 'fwaccel6 synatk monitor' (on page 99) commands
  show:
  • Configuration: Monitoring
  • Enforce: Detect
  • State: Monitor
• Outputs of the 'fwaccel synatk config' and 'fwaccel6 synatk config' (on page 96) commands
  show:
  • enabled 1
  • enforce 0

Syntax for IPv4


fwaccel synatk -m

Syntax for IPv6


fwaccel6 synatk -m

'fwaccel synatk -t <Threshold>' and 'fwaccel6 synatk -t <Threshold>'

Description
Configures the threshold numbers of half-opened TCP connections that trigger the Accelerated
SYN Defender (on page 23).
Notes:
• This command:
  a) Modifies the default configuration file $FWDIR/conf/synatk.conf, or the configuration file
     specified with the -c parameter.
  b) Loads the modified file.
• Threshold values are independent for IPv4 and IPv6.

Syntax for IPv4


fwaccel synatk -t <Threshold>

Syntax for IPv6


fwaccel6 synatk -t <Threshold>

Thresholds
• Global high attack threshold number is configured to the specified value <Threshold>.
  This is the number of half-open TCP connections on all interfaces required for the Accelerated
  SYN Defender to engage.
  • Valid values: 100 and greater
  • Default: 10000
• High attack threshold number is configured to 1/2 of the specified value <Threshold>.
  This is the high number of half-open TCP connections on an interface required for the
  Accelerated SYN Defender to engage.
  • Valid values: (Low attack threshold) < (High attack threshold) <= (Global high attack
    threshold)
  • Default: 5000
• Low attack threshold number is configured to 1/10 of the specified value <Threshold>.
  This is the low number of half-open TCP connections on an interface required for the
  Accelerated SYN Defender to engage.
  • Valid values: 10 and greater
  • Default: 1000

'fwaccel synatk config' and 'fwaccel6 synatk config'

Description
Shows the current Accelerated SYN Defender (on page 23) configuration.

Syntax for IPv4


fwaccel synatk config

Syntax for IPv6


fwaccel6 synatk config

Example
[Expert@MyGW:0]# fwaccel synatk config
enabled 0
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000
[Expert@MyGW:0]#

Description of Configuration Parameters


Parameter Description
enabled Shows if the Accelerated SYN Defender is enabled or
disabled.
• Valid values: 0 (disabled), 1 (enabled)
• Default: 0
enforce When the Accelerated SYN Defender is enabled,
shows whether it enforces the protection.
Valid values:
• 0 - The Accelerated SYN Defender is in Monitor
(Detect only) mode on all interfaces.
• 1 - The Accelerated SYN Defender is engaged
only on external interfaces when the number of
half-open TCP connections exceeds the
threshold.
• 2 - The Accelerated SYN Defender is engaged on
both external and internal interfaces when the
number of half-open TCP connections exceeds
the threshold.
global_high_threshold Global high attack threshold number.
See the 'fwaccel synatk -t <Threshold>' and
'fwaccel6 synatk -t <Threshold>' (on page 95)
commands.
periodic_updates For internal Check Point use only.
• Valid values: 0 (disabled), 1 (enabled)
• Default: 1
cookie_resolution_shift For internal Check Point use only.
• Valid values: 1-7
• Default: 6
min_frag_sz During a TCP SYN Flood attack, the Accelerated
SYN Defender blocks TCP fragments smaller than
this minimum size.
• Valid values: 80 and greater
• Default: 80
high_threshold High attack threshold number.
See the 'fwaccel synatk -t <Threshold>' and
'fwaccel6 synatk -t <Threshold>' (on page 95)
commands.
low_threshold Low attack threshold number.
See the 'fwaccel synatk -t <Threshold>' and
'fwaccel6 synatk -t <Threshold>' (on page 95)
commands.
score_alpha For internal Check Point use only.
• Valid values: 1-127
• Default: 100
monitor_log_interval (msec) Interval, in milliseconds, between successive
warning logs in the Monitor (Detect only) mode.
• Valid values: 1000 and greater
• Default: 60000
grace_timeout (msec) Maximal time, in milliseconds, to stay in the Grace
state (a transitional state between Ready and
Active).
In the Grace state, the Accelerated SYN Defender
stops challenging clients with TCP SYN Cookies, but
continues to validate the TCP SYN Cookies it
receives from clients.
• Valid values: 10000 and greater
• Default: 30000
min_time_in_active (msec) Minimal time, in milliseconds, to stay in the Active
mode.
In the Active mode, the Accelerated SYN Defender is
actively challenging TCP SYN packets with SYN
Cookies.
• Valid values: 10000 and greater
• Default: 60000
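Added example, not from this guide or from Check Point: a Python check that parses the 'fwaccel synatk config' output above, audits it against the ranges and relations in the parameter table, and derives the three thresholds that 'fwaccel synatk -t <Threshold>' sets. The embedded sample is the output shown above; the function names and the wording of the findings are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the 'fwaccel synatk config' output shown above, verbatim.
SAMPLE_CONFIG = """\
[Expert@MyGW:0]# fwaccel synatk config
enabled 0
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000
[Expert@MyGW:0]#
"""

# Each config line is '<key> [(msec)] <integer>'; prompts do not match and are skipped.
LINE_RE = re.compile(r"(\w+)(?: \(msec\))? (\d+)")

# Documented (minimum, maximum) per parameter; None means no upper bound.
# high_threshold is covered by the relation low < high <= global below.
RANGES: Dict[str, Tuple[int, Optional[int]]] = {
    "enabled": (0, 1),
    "enforce": (0, 2),
    "periodic_updates": (0, 1),
    "cookie_resolution_shift": (1, 7),
    "global_high_threshold": (100, None),
    "low_threshold": (10, None),
    "min_frag_sz": (80, None),
    "score_alpha": (1, 127),
    "monitor_log_interval": (1000, None),
    "grace_timeout": (10000, None),
    "min_time_in_active": (10000, None),
}


def parse_synatk_config(text: str) -> Dict[str, int]:
    """Return {parameter: value}; the '(msec)' unit tag is dropped from the key."""
    config: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            config[m.group(1)] = int(m.group(2))
    return config


def thresholds_for(threshold: int) -> Tuple[int, int, int]:
    """(global_high, high, low) that '-t <Threshold>' sets: T, T/2 and T/10."""
    if threshold < 100:
        raise ValueError("threshold must be 100 or greater")
    return threshold, threshold // 2, threshold // 10


def describe_mode(enabled: int, enforce: int) -> str:
    """Meaning of the enabled/enforce pair as set by -d, -m, -e and -g respectively."""
    if enabled == 0:
        return "disabled"
    return {0: "monitor (detect only) on all interfaces",
            1: "prevent on external interfaces only",
            2: "prevent on external and internal interfaces"}.get(
                enforce, f"unknown enforce value {enforce}")


def audit_synatk_config(config: Dict[str, int]) -> List[str]:
    """Findings against the documented ranges; an empty list means the config is consistent."""
    findings: List[str] = []
    for key, (low, high) in RANGES.items():
        if key not in config:
            findings.append(f"{key}: missing")
        elif config[key] < low or (high is not None and config[key] > high):
            findings.append(f"{key}: {config[key]} is outside the documented range")
    g = config.get("global_high_threshold", 0)
    h = config.get("high_threshold", 0)
    lo = config.get("low_threshold", 0)
    if not (lo < h <= g):
        findings.append(f"thresholds: need low ({lo}) < high ({h}) <= global ({g})")
    if config.get("enabled") == 0:
        findings.append("enabled: 0, the SYN Defender is not active (see -e, -g and -m)")
    return findings


if __name__ == "__main__":
    cfg = parse_synatk_config(SAMPLE_CONFIG)
    print("mode:", describe_mode(cfg["enabled"], cfg["enforce"]))
    for finding in audit_synatk_config(cfg) or ["no findings"]:
        print(finding)
```

Run it on both Cluster Members against the saved output of 'fwaccel synatk config' and diff the results: the -d, -e, -g, -m and -t commands rewrite $FWDIR/conf/synatk.conf on the member where they run, so a member left in a different mode or with different thresholds is exactly what this audit surfaces.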

'fwaccel synatk monitor' and 'fwaccel6 synatk monitor'

Description
Shows the Accelerated SYN Defender (on page 23) status.
Important - To enable the Accelerated SYN Defender in Monitor (Detect only) mode on all
interfaces, you must run the 'fwaccel synatk -m' or 'fwaccel6 synatk -m' (on page 94)
command.

Syntax for IPv4


fwaccel synatk monitor
[-p]
[-p] -a
[-p] -s
[-p] -v

Syntax for IPv6


fwaccel6 synatk monitor
[-p]
[-p] -a
[-p] -s
[-p] -v

Parameters
Parameter Description
-p Shows the Accelerated SYN Defender status for each SecureXL
instance ("PPAK ID: 0" is the Host Security Appliance).
[-p] -a Shows the Accelerated SYN Defender statistics for all interfaces (for
each SecureXL instance).
[-p] -s Shows the attack state in short form (for each SecureXL instance).
[-p] -v Shows the attack state in verbose form (for each SecureXL instance).

Note - You can specify only one of these options: -a, -s, or -v.

Example 1 - Default output before and after enabling the Accelerated SYN Defender
[Expert@MyGW:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Disabled |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Disable | Disable | N/A | N/A |
| eth1 | Internal | Disable | Disable | N/A | N/A |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk -m
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Monitoring |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect | Monitor | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

Example 2 - Showing the Accelerated SYN Defender status for each SecureXL instance
[Expert@MyGW:0]# fwaccel synatk monitor -p
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Monitoring |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect | Monitor | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+

PPAK ID: 0
----------
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Monitoring |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect | Monitor | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

Example 3 - Showing the Accelerated SYN Defender statistics for all interfaces and for
each SecureXL instance.
[Expert@MyGW:0]# fwaccel synatk monitor -p -a
Global:
status attached
nr_active 0

Firewall
----------
Per-interface:
eth0 eth1
---------- ----------
topology External Internal
state Monitor Monitor
syn ready 0 0
syn active prev 0 0
syn active curr 0 0
active_score 0 0
msec grace 0 0
msec active 0 0
sent cookies 0 0
fail validations 0 0
succ validations 0 0
early packets 0 0
no conn data 0 0
bogus syn 0 0
peak non-estab 0 0
int sent cookies 0 0
int succ validations 0 0
msec interval 0 0

PPAK ID: 0
----------
Per-interface:
eth0 eth1
---------- ----------
topology External Internal
state Monitor Monitor
syn ready 0 0
syn active prev 0 0
syn active curr 0 0
active_score 0 0
msec grace 0 0
msec active 0 0
sent cookies 0 0
fail validations 0 0
succ validations 0 0
early packets 0 0
no conn data 0 0
bogus syn 0 0
peak non-estab 0 0
int sent cookies 0 0
int succ validations 0 0
msec interval 0 0
[Expert@MyGW:0]#

Example 4 - Showing the attack state in short form (for each SecureXL instance)
[Expert@MyGW:0]# fwaccel synatk monitor -p -s
M,N,0,0

PPAK ID: 0
----------
M,N,0,0
[Expert@MyGW:0]#

Example 5 - Showing the attack state in verbose form (for each SecureXL instance)
[Expert@MyGW:0]# fwaccel synatk monitor -p -v
+-----------------------------------------------------------------------------+
| SYN Defender statistics |
+-----------------------------------------------------------------------------+
| Status Normal |
| Spoofed SYN/sec 0 |
+-----------------------------------------------------------------------------+

PPAK ID: 0
----------
+-----------------------------------------------------------------------------+
| SYN Defender statistics |
+-----------------------------------------------------------------------------+
| Status Normal |
| Spoofed SYN/sec 0 |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#
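Added example, not from this guide or from Check Point: a Python parser for the status box that 'fwaccel synatk monitor' prints, with a check that flags what an operator would want alerted on: a disabled configuration, a Status other than Normal, an External interface that is not in Prevent, or a peak of non-established connections that reached the Interface Threshold. The embedded sample is the second box of Example 1 above (after 'fwaccel synatk -m'); the function names are this example's own, and 'N/A' peaks (a disabled interface) are skipped in the comparison.

```python
from typing import Dict, List, Tuple

# Constructed sample: the status box from Example 1 above, after 'fwaccel synatk -m'.
SAMPLE_MONITOR = """\
[Expert@MyGW:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Monitoring |
| Status Normal |
| Non established connections 0 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 | External | Detect | Monitor | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#
"""

Row = Dict[str, str]


def parse_synatk_monitor(text: str) -> Tuple[Dict[str, str], List[Row]]:
    """Split one status box into its summary key/values and one dict per interface row."""
    summary: Dict[str, str] = {}
    interfaces: List[Row] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                                   # borders, prompts, 'PPAK ID' lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 1:
            # Summary line: '<key words> <value>'; the title line has no value.
            if cells[0] != "SYN Defender status":
                key, value = cells[0].rsplit(None, 1)
                summary[key] = value
        elif len(cells) == 6 and cells[0] not in ("", "IF"):
            # Interface row; the two header rows have 5 cells or an empty first cell.
            name, topology, enforce, state, peak, current = cells
            interfaces.append({"if": name, "topology": topology, "enforce": enforce,
                               "state": state, "peak": peak, "current": current})
    return summary, interfaces


def synatk_findings(summary: Dict[str, str], interfaces: List[Row],
                    prevent_on: Tuple[str, ...] = ("External",)) -> List[str]:
    """Conditions worth an alert; an empty list means the defender is armed and idle."""
    findings: List[str] = []
    if summary.get("Configuration") == "Disabled":
        findings.append("SYN Defender is disabled")
    if summary.get("Status", "Normal") != "Normal":
        findings.append(f"status is {summary['Status']}")
    limit = int(summary.get("Interface Threshold", "0") or 0)
    for row in interfaces:
        if row["topology"] in prevent_on and row["enforce"] != "Prevent":
            findings.append(f"{row['if']} ({row['topology']}) enforce is "
                            f"{row['enforce']}, not Prevent")
        # Peak reads 'N/A' while an interface is disabled, so compare real numbers only.
        if limit and row["peak"].isdigit() and int(row["peak"]) >= limit:
            findings.append(f"{row['if']} peak non-established {row['peak']} "
                            f"reached the interface threshold {limit}")
    return findings


if __name__ == "__main__":
    summary, rows = parse_synatk_monitor(SAMPLE_MONITOR)
    for finding in synatk_findings(summary, rows) or ["no findings"]:
        print(finding)
```

The parser expects a single box; for 'fwaccel synatk monitor -p' output, split the text on the 'PPAK ID:' lines first and parse each part, otherwise the later box overwrites the summary and the interface rows are appended twice.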

'fwaccel synatk state' and 'fwaccel6 synatk state'

Description
Controls the Accelerated SYN Defender (on page 23) states.
The states are independent for IPv4 and IPv6.
Important - This command is not intended for end-user usage. State transitions (between Ready,
Grace and Active) occur automatically. This command provides a way to temporarily force a state
transition on an interface or group of interfaces.

Syntax for IPv4


fwaccel synatk state
-h
-a
-d
-g
-i {all | external | internal | <Name of Interface>}
-m
-r

Syntax for IPv6


fwaccel6 synatk state
-h
-a
-d
-g
-i {all | external | internal | <Name of Interface>}
-m
-r

Parameters
Important - You can specify only one of these parameters: -a, -d, -g, -m, or -r.

Parameter Description
-h Shows the applicable built-in usage.
-a Sets the state to Active.
-d Sets the state to Disabled.
-g Sets the state to Grace.
-i all Applies the change to all interfaces (this is the default).
-i external Applies the change only to external interfaces.
-i internal Applies the change only to internal interfaces.
-i <Name of Interface> Applies the change to the specified interface.
-m Sets the state to Monitor (Detect only) mode.
-r Sets the state to Ready.

'fwaccel synatk whitelist' and 'fwaccel6 synatk whitelist'

Description
Controls the Accelerated SYN Defender (on page 23) whitelist.
Notes:
• This whitelist overrides which packets the Accelerated SYN Defender drops. Before you use
third-party or automatic blacklists, add trusted networks and hosts to the whitelist to avoid
outages.
• Also, see the fwaccel dos whitelist (on page 52) command.
Important - In a Cluster, you must configure the Rate Limiting in the same way on all the Cluster
Members.

Syntax for IPv4


fwaccel synatk whitelist
-a <IPv4 Address>[/<Subnet Prefix>]
-d <IPv4 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s

Syntax for IPv6


fwaccel6 synatk whitelist
-a <IPv6 Address>[/<Subnet Prefix>]
-d <IPv6 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s

Parameters

No Parameters
    Shows the applicable built-in usage.

-a <IPv4 Address>[/<Subnet Prefix>]
    Adds the specified IPv4 address to the Accelerated SYN Defender whitelist.
    • <IPv4 Address> - Can be an IPv4 address of a network or a host.
    • <Subnet Prefix> - Must specify the length of the subnet mask in the format /<bits>.
      Optional for a host IPv4 address.
      Mandatory for a network IPv4 address.
      Range - from /1 to /32.
      Important - If you do not specify the subnet prefix explicitly, this command uses the
      subnet prefix /32.
    Examples:
    • For a host:
      192.168.20.30
      192.168.20.30/32
    • For a network:
      192.168.20.0/24

-a <IPv6 Address>[/<Subnet Prefix>]
    Adds the specified IPv6 address to the Accelerated SYN Defender whitelist.
    • <IPv6 Address> - Can be an IPv6 address of a network or a host.
    • <Subnet Prefix> - Must specify the length of the subnet mask in the format /<bits>.
      Optional for a host IPv6 address.
      Mandatory for a network IPv6 address.
      Range - from /1 to /128.
      Important - If you do not specify the subnet prefix explicitly, this command uses the
      subnet prefix /128.
    Examples:
    • For a host:
      2001:0db8:85a3:0000:0000:8a2e:0370:7334
      2001:0db8:85a3:0000:0000:8a2e:0370:7334/128
    • For a network:
      2001:cdba:9abc:5678::/64

-d <IPv4 Address>[/<Subnet Prefix>]
    Removes the specified IPv4 address from the Accelerated SYN Defender whitelist.
    • <IPv4 Address> - Can be an IPv4 address of a network or a host.
    • <Subnet Prefix> - Optional. Must specify the length of the subnet mask in the format /<bits>.
      Optional for a host IPv4 address.
      Mandatory for a network IPv4 address.
      Range - from /1 to /32.
      Important - If you do not specify the subnet prefix explicitly, this command uses the
      subnet prefix /32.

-d <IPv6 Address>[/<Subnet Prefix>]
    Removes the specified IPv6 address from the Accelerated SYN Defender whitelist.
    • <IPv6 Address> - Can be an IPv6 address of a network or a host.
    • <Subnet Prefix> - Optional. Must specify the length of the subnet mask in the format /<bits>.
      Optional for a host IPv6 address.
      Mandatory for a network IPv6 address.
      Range - from /1 to /128.
      Important - If you do not specify the subnet prefix explicitly, this command uses the
      subnet prefix /128.

-F
    Removes (flushes) all entries from the Accelerated SYN Defender whitelist.

-l /<Path>/<Name of File>
    Loads the Accelerated SYN Defender whitelist entries from the specified plain-text file.
    Note - To replace the current whitelist with the contents of a new file, use both the -F and
    -l parameters on the same command line.
    Important:
    • You must manually create and configure this file with the touch or vi command.
    • You must assign at least the read permission to this file with the chmod +x command.
    • Each entry in this file must be on a separate line.
    • Each entry in this file must be in this format:
      <IPv4 Address>[/<Subnet Prefix>]
    • SecureXL ignores empty lines and lines that start with the # character in this file.

-L
    Loads the Accelerated SYN Defender whitelist entries from the plain-text file with a
    predefined name:
    $FWDIR/conf/synatk-whitelist-v4.conf
    Security Gateway automatically runs the {fwaccel | fwaccel6} synatk whitelist -L command
    during each boot.
    Note - To replace the current whitelist with the contents of a new file, use both the -F and
    -L parameters on the same command line.
    Important:
    • This file does not exist by default.
    • You must manually create and configure this file with the touch or vi command.
    • You must assign at least the read permission to this file with the chmod +x command.
    • Each entry in this file must be on a separate line.
    • Each entry in this file must be in this format:
      <IPv4 Address>[/<Subnet Prefix>]
    • SecureXL ignores empty lines and lines that start with the # character in this file.

-s
    Shows the current Accelerated SYN Defender whitelist entries.

Example
[Expert@MyGW:0]# fwaccel synatk whitelist -a 192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk whitelist -s
192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk whitelist -d 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk whitelist -a 192.168.40.55
[Expert@MyGW:0]# fwaccel synatk whitelist -s
192.168.40.55/32
[Expert@MyGW:0]# fwaccel synatk whitelist -d 192.168.40.55
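Before loading a file with -l or -L, it helps to check that every line will be read the way the parameter table describes. The following script is an added example, not Check Point code: it applies the documented file rules (one entry per line, empty lines and lines starting with # skipped, a missing prefix stored as /32 or /128, prefix range /1 to /32 or /1 to /128) and, as a check of its own, rejects entries with host bits set inside the prefix. The script name, the -6 switch and the sample file contents are constructed for the example.

```python
"""Validate and normalize an Accelerated SYN Defender whitelist file.

Added example (not Check Point code). It applies the file format the guide
documents for 'fwaccel synatk whitelist -l/-L' and 'fwaccel6 synatk whitelist -l/-L':
  - one <Address>[/<Subnet Prefix>] entry per line
  - empty lines and lines that start with '#' are ignored
  - an entry without a prefix is stored as /32 (IPv4) or /128 (IPv6)
  - a network entry must carry its prefix; the range is /1-/32 (IPv4), /1-/128 (IPv6)
"""
import ipaddress
import sys
from typing import List, Tuple

# Prefix SecureXL assumes when an entry has no explicit /<bits> (documented default).
DEFAULT_PREFIX = {4: 32, 6: 128}


def normalize_entry(entry: str, version: int) -> str:
    """Return one entry as <Address>/<Prefix>, the form 'whitelist -s' prints.

    version is 4 for a 'fwaccel' whitelist file and 6 for a 'fwaccel6' one.
    Raises ValueError for an entry the guide's rules reject and, as this
    validator's own stricter check, for host bits set inside the prefix
    (e.g. 192.168.20.30/24); the guide does not say how SecureXL treats those.
    """
    addr_text, slash, prefix_text = entry.partition("/")
    if slash and not prefix_text.isdigit():
        raise ValueError(f"{entry!r}: subnet prefix must be written as /<bits>")
    addr = ipaddress.ip_address(addr_text)  # ValueError on a malformed address
    if addr.version != version:
        raise ValueError(f"{entry!r}: IPv{addr.version} entry in an IPv{version} whitelist")
    max_prefix = DEFAULT_PREFIX[version]
    prefix = int(prefix_text) if slash else max_prefix
    if not 1 <= prefix <= max_prefix:
        raise ValueError(f"{entry!r}: subnet prefix must be in the range /1 to /{max_prefix}")
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=True)  # strict: no host bits
    return f"{net.network_address}/{net.prefixlen}"


def parse_whitelist(text: str, version: int) -> Tuple[List[str], List[str]]:
    """Parse a whitelist file body; return (normalized entries, error messages)."""
    entries: List[str] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw == "" or raw.startswith("#"):  # exactly the lines the guide says are ignored
            continue
        if raw != raw.strip():  # indented or padded entries are not a documented form
            errors.append(f"line {lineno}: leading or trailing whitespace around {raw.strip()!r}")
            continue
        try:
            entries.append(normalize_entry(raw, version))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return entries, errors


# Constructed sample file (not from a real gateway). Lines 6-9 are deliberate
# mistakes: host bits inside the prefix, prefix out of range, an IPv6 entry in an
# IPv4 file, and a trailing comment, which the guide does not document.
SAMPLE_V4 = """\
# constructed IPv4 whitelist, e.g. for $FWDIR/conf/synatk-whitelist-v4.conf
192.168.20.0/24
192.168.40.55
# no prefix on the next line: SecureXL stores it as the single host 10.0.0.0/32
10.0.0.0
172.16.5.9/24
192.168.20.30/33
2001:db8::1
192.168.1.0/24 # office
"""


def main(argv: List[str]) -> int:
    """Usage: python3 check_synatk_whitelist.py [-6] [<whitelist file>]; no file checks the sample."""
    version = 6 if "-6" in argv[1:] else 4
    paths = [arg for arg in argv[1:] if arg != "-6"]
    text = open(paths[0], encoding="ascii").read() if paths else SAMPLE_V4
    entries, errors = parse_whitelist(text, version)
    for entry in entries:
        print("ok   ", entry)
    for error in errors:
        print("ERROR", error)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means at least one line would not load as intended; fix the file before running fwaccel synatk whitelist -F -l /<Path>/<Name of File> to replace the active whitelist with it.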


'fwaccel tab' and 'fwaccel6 tab'


Description
These commands show the contents of the specified SecureXL kernel table.
Notes:
• Dynamic tables, such as the connections table, can change while this command prints their
contents. This may cause some values to be missed or reported twice.
• For some tables, the command prints their contents on the screen.
• For some tables, the command prints their contents to the /var/log/messages file.
• Also, see the fw tab command.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] tab [-f] [-m <Number of Rows>] -t <Name of Kernel Table>
fwaccel [-i <SecureXL ID>] tab -s -t <Name of Kernel Table>

Syntax for IPv6


fwaccel6 tab [-f] [-m <Number of Rows>] -t <Name of Kernel Table>
fwaccel6 tab -s -t <Name of Kernel Table>

Parameters

No Parameters
    Shows the applicable built-in usage.

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

-f
    Formats the output.
    We recommend that you always use this parameter.

-m <Number of Rows>
    Specifies how many rows to show from the kernel table.
    Note - The command counts from the top of the table.
    Default: 1000

-s
    Shows summary information only.

-t <Name of Kernel Table>
    Specifies the kernel table.
    This command supports only these kernel tables:
    • connections
    • dos_ip_blacklists
    • dos_pbox
    • dos_pbox_violating_ips
    • dos_rate_matches
    • dos_rate_track_src
    • dos_rate_track_src_svc
    • drop_templates
    • frag_table
    • gtp_apns
    • gtp_tunnels
    • if_by_name
    • inbound_SAs
    • invalid_replay_counter
    • ipsec_mtu_icmp
    • mcast_drop_conns
    • outbound_SAs
    • PMTU_table
    • profile
    • reset_table
    • vpn_link_selection
    • vpn_trusted_ifs


Examples
[Expert@MyGW:0]# fwaccel tab -f -m 200 -t connections
Table connections is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t inbound_SAs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t outbound_SAs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t vpn_link_selection
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t drop_templates
Table drop_templates is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t vpn_trusted_ifs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t profile
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t mcast_drop_conns
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t invalid_replay_counter
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t ipsec_mtu_icmp
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t gtp_tunnels
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t gtp_apns
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t if_by_name
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t PMTU_table
Table PMTU_table is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t frag_table
Table frag_table is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t reset_table
Table reset_table is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_ip_blacklists
Table dos_ip_blacklists is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_pbox
Table dos_pbox is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_rate_matches
Table dos_rate_matches is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_rate_track_src
Table dos_rate_track_src is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_rate_track_src_svc
Table dos_rate_track_src_svc is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_pbox_violating_ips
Table dos_pbox_violating_ips is not active for SecureXL device 0.
[Expert@MyGW:0]#


'fwaccel templates' and 'fwaccel6 templates'


Description
Shows the contents of the SecureXL templates tables:
• Accept Templates
• Drop Templates
Important - Depending on the number of current templates, these commands can consume a very
large amount of memory.

Syntax for IPv4


fwaccel [-i <SecureXL ID>] templates
[-h]
[-d]
[-m <Number of Rows>]
[-s]
[-S]

Syntax for IPv6


fwaccel6 templates
[-h]
[-d]
[-m <Number of Rows>]
[-s]
[-S]

Parameters

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

No Parameters
    Shows the contents of the SecureXL Accept Templates table (Table Name - cphwd_tmpl,
    Table ID - 8111).

-h
    Shows the applicable built-in usage.

-d
    Shows the contents of the SecureXL Drop Templates table.

-m <Number of Rows>
    Specifies how many rows to show from the templates table.
    Note - The command counts from the top of the table.
    Default: 1000

-s
    Shows the summary of SecureXL Connections Templates (number of templates).

-S
    Shows statistics for the SecureXL Connections Templates.


Accept Templates flags


One or more of these flags appears in the output:

Flag  Description
A     Connection is accounted (SecureXL counts the number of packets and bytes).
B     Connection is created for a rule that contains an Identity Awareness object, or for a rule
      below that rule.
D     Connection is created for a rule that contains a Domain object, or for a rule below that rule.
I     Identity Awareness (NAC) is enabled for this connection.
N     Connection is NATed.
O     Connection is created for a rule that contains a Dynamic object, or for a rule below that rule.
Q     QoS is enabled for this connection.
R     Connection is created for a rule that contains a Traceroute object, or for a rule below that
      rule.
S     PXL (combination of SecureXL and PSL (Passive Streaming Library)) is enabled for this
      connection.
T     Connection is created for a rule that contains a Time object, or for a rule below that rule.
U     Connection is unidirectional.
Z     Connection is created for a rule that contains a Security Zone object, or for a rule below
      that rule.

Drop Templates flags


One or more of these flags appears in the output:

Flag Description
D Drop template exists for this connection.
L Log and Drop action for this connection.


Example 1 - Default output


[Expert@MyGW:0]# fwaccel templates
Source SPort Destination DPort PR Flags LCT DLY C2S i/f S2C i/f
--------------- ----- --------------- ----- -- ------------ ---- --- ------- -------
192.168.10.20 * 192.168.10.50 80 6 0 0 0 eth5/eth1 eth1/eth5
[Expert@MyGW:0]#

Example 2 - Drop Templates


[Expert@MyGW:0]# fwaccel templates -d
The SecureXL drop templates table is empty
[Expert@MyGW:0]#

Example 3 - Summary of SecureXL Connections Templates


[Expert@MyGW:0]# fwaccel templates -s
Total number of templates: 1
[Expert@MyGW:0]#

Example 4 - Templates statistics


[Expert@MyGW:0]# fwaccel templates -S

Templates stats:

Name Value Name Value


-------------------- ------------ -------------------- ------------
C templates 0 conns from templates 0
nat templates 0 conns from nat tmpl 0
C CPASXL templates 0 C PSLXL templates 0
C used templates 0 cpasxl tmpl conns 0
pslxl tmpl conns 0 C conns from tmpl 0

[Expert@MyGW:0]#


fwaccel ver
Description
Shows this information:
• Firewall Version and Build
• Accelerator Version
• Firewall API version
• Accelerator API version

Syntax
fwaccel ver

Example
[Expert@MyGW:0]# fwaccel ver
Firewall version: R80.20 - Build 240
Acceleration Device: Performance Pack
Accelerator Version 2.1
Firewall API version: 3.0NG (19/11/2015)
Accelerator API version: 3.0NG (19/11/2015)
[Expert@MyGW:0]#


'sim' and 'sim6'


Description
The sim command controls the SecureXL device (infrastructure) for IPv4 traffic while a Security
Gateway is running.
The sim6 command controls the SecureXL device (infrastructure) for IPv6 traffic while a Security
Gateway is running.
The SecureXL default status after reboot is determined by the configuration in the cpconfig menu.

Syntax for IPv4


sim [-i <SecureXL ID>]
affinity <options>
affinityload
ctl get <options>
ctl set <options>
enable_aesni
if
nonaccel <options>
ver <options>

Syntax for IPv6


sim6
affinity <options>
affinityload
ctl get <options>
ctl set <options>
enable_aesni
if
nonaccel <options>
ver <options>

Parameters

No Parameters
help
    Shows the built-in usage.

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

affinity <options> (on page 116)
    Controls the affinity settings of network interfaces to CPU cores.

affinityload (on page 118)
    Applies the SecureXL SIM Affinity in the 'Automatic' mode.

ctl get <options>
    To get a value of a kernel parameter, follow Working with Kernel Parameters on Security
    Gateway (on page 253).

ctl set <options>
    To set a value of a kernel parameter, follow Working with Kernel Parameters on Security
    Gateway (on page 253).

enable_aesni (on page 119)
    Enables AES-NI http://en.wikipedia.org/wiki/AES_instruction_set (if this computer supports
    this feature).

if (on page 120)
    Shows the list of interfaces that SecureXL uses.

nonaccel <options> (on page 124)
    Sets the specified interface(s) as non-accelerated.
    Clears the specified interface(s) from non-accelerated state.

ver <options> (on page 125)
    Shows this information:
    • SecureXL (Performance Pack) version
    • Kernel version


sim affinity
Description
Controls the SecureXL affinity settings of network interfaces to CPU cores.
Important - SecureXL can assign network interfaces only to CPU cores that run as CoreXL SND.
For more information, see sk98737 - ATRG: CoreXL
http://supportcontent.checkpoint.com/solutions?id=sk98737.

Syntax for IPv4


sim [-i <SecureXL ID>] affinity
-a
-h
-l
-s

Syntax for IPv6


sim6 affinity
-a
-h
-l
-s

Parameters

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

-a
    Configures the affinity in 'Automatic' mode.
    SecureXL periodically examines the load on the CPU cores and the amount of traffic on the
    interfaces. Based on the results, SecureXL can reassign interfaces to other CPU cores to
    distribute their load better.

-h
    Shows the applicable built-in usage.

-l
    Shows the current affinity settings.

-s
    Configures the affinity in 'Static' ('Manual') mode.
    SecureXL does not reassign interfaces to other CPU cores to distribute their load better.


Example 1 - Default output


[Expert@MyGW:0]# sim affinity
Usage: sim affinity <options>

Options:
-l -
-s - set affinity settings manually
-a - set affinity settings automatically
-h - this help message

[Expert@MyGW:0]#

Example 2 - SIM Affinity is in Automatic mode


[Expert@MyGW:0]# cat /proc/cpuinfo | grep processor
processor : 0
processor : 1
processor : 2
processor : 3
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 3 | 21
1 | Yes | 2 | 6 | 13
2 | Yes | 1 | 5 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# sim affinity -l
eth6 : 0
eth0 : 0
eth3 : 0
eth1 : 0
eth4 : 0
eth2 : 0
eth5 : 0
[Expert@MyGW:0]#


sim affinityload
Description
Configures the SecureXL affinity settings of network interfaces to CPU cores in 'Automatic' mode.
This command is the same as the sim affinity -a (on page 116) command.

Syntax for IPv4


sim [-i <SecureXL ID>] affinityload

Syntax for IPv6


sim6 affinityload

Parameters

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

Example
[Expert@MyGW:0]# sim affinityload
[Expert@MyGW:0]#


sim enable_aesni
Description
Enables SecureXL support for AES Instruction Set (AES-NI
http://en.wikipedia.org/wiki/AES_instruction_set), if this computer supports it.

Syntax for IPv4


sim [-i <SecureXL ID>] enable_aesni

Syntax for IPv6


sim6 enable_aesni

Possible command outputs


• sim_aesni_enable: Enabled AES-NI, but machine does not have this feature
• sim_aesni_enable: Enabled AES-NI, and the machine supports this feature
• sim_aesni_enable: Failed to enable AES-NI. RC=-1

Parameters

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

Example
[Expert@MyGW:0]# sim enable_aesni
ioctl 33 to the sim device failed (ppak_id=0, rc=-1, errno=1)
sim_aesni_enable: Failed to enable AES-NI. RC=-1
[Expert@MyGW:0]#


sim if
Description
Shows the list of interfaces that SecureXL uses.

Syntax for IPv4


sim [-i <SecureXL ID>] if

Syntax for IPv6


sim6 if

Parameters

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

Example
[Expert@MyGW:0]# sim if
Name | Address | Netmask | CXL Address | CXL Netmask | MTU | F | SIM F | IRQ | IFN:FWN:DVN | Dev
------------------------------------------------------------------------------------------------------------------------------------
eth0 | 192.168.3.242 | 0.0.0.0 | 192.168.3.243 | 255.255.255.0 | 1500 | 039 | 00080 | 67 | 2: 1: 2 | 0x0x3e836000
eth1 | 10.20.30.242 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 029 | 00088 | 75 | 3: 2: 3 | 0x0x3d508000
eth2 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 001 | 00080 | 59 | 4: 3: 4 | 0x0x3d6b4000
eth3 | 192.168.196.18 | 0.0.0.0 | 40.50.60.52 | 0.0.0.0 | 1500 | 029 | 00080 | 67 | 5: 4: 5 | 0x0x3dbc1000
eth4 | 192.168.196.18 | 0.0.0.0 | 100.100.100.53 | 0.0.0.0 | 1500 | 029 | 00080 | 83 | 6: 5: 6 | 0x0x3d678000
eth5 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 001 | 00080 | 75 | 7: 6: 7 | 0x0x3c6ba000
eth6 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 001 | 00080 | 59 | 8: 7: 8 | 0x0x3e370000
eth2.53 | 192.168.196.2 | 0.0.0.0 | 200.200.200.53 | 0.0.0.0 | 1500 | 029 | 00580 | 0 | 11: 10: 11 | 0x0x2ca90000
eth2.52 | 192.168.196.2 | 0.0.0.0 | 70.80.90.52 | 0.0.0.0 | 1500 | 029 | 00580 | 0 | 12: 11: 12 | 0x0x2c980000
[Expert@MyGW:0]#


Explanation about the configuration flags in the "F" and "SIM F" columns
The "F" column shows the internal configuration flags that the Firewall set on these interfaces.
The "SIM F" column shows the internal configuration flags that SecureXL set on these interfaces.

Flag    Description
0x001   If this flag is set, SecureXL drops the packet at the end of the inbound inspection, if the
        packet is a "cut-through" packet. In outbound, SecureXL forwards all the packets to the
        network.
0x002   If this flag is set, SecureXL sends an appropriate notification whenever a TCP state change
        occurs (connection is established / torn down).
0x004   If this flag is set, SecureXL sets the UDP header's checksum field correctly when it
        encapsulates an encrypted packet (UDP encapsulation). If this flag is not set, SecureXL
        sets the UDP header's checksum field to zero. It is safe to ignore this flag if it is set
        to 0 (SecureXL still calculates the UDP packet's checksum).
0x008   If this flag is set, SecureXL does not create new connections that match a template, and
        drops the packet that matches the template, when the Connections Table reaches the
        specified limit. If this flag is not set, SecureXL forwards the packet to the Firewall.
0x010   If this flag is set, SecureXL forwards fragments to the Firewall.
0x020   If this flag is set, SecureXL no longer creates connections from TCP templates. The
        Firewall can still offload connections to SecureXL. This flag disables only the creation
        of TCP templates.
0x040   If this flag is set, SecureXL periodically notifies the Firewall, so it refreshes the
        accelerated connections in the Firewall kernel tables.
0x080   If this flag is set, SecureXL no longer creates connections from non-TCP templates. The
        Firewall can still offload connections to SecureXL. This flag disables only the creation
        of non-TCP templates.
0x100   If this flag is set, SecureXL allows sequence verification violations for connections that
        did not complete the TCP 3-way handshake process (otherwise, SecureXL must forward the
        violating packets to the Firewall).
0x200   If this flag is set, SecureXL allows sequence verification violations for connections that
        completed the TCP 3-way handshake process (otherwise, SecureXL must forward the violating
        packets to the Firewall).
0x400   If this flag is set, SecureXL forwards TCP [RST] packets to the Firewall.
0x0001  If this flag is set, SecureXL notifies the Firewall about HitCount data.
0x0002  If this flag is set, the VSX Virtual System acts as a junction, rather than a normal
        Virtual System (only the local Virtual System flag is applicable).
0x0004  If this flag is set, SecureXL disables the replay counter of inbound encrypted traffic.
        This makes the SecureXL kernel module act in the same way as the VPN kernel module does.
0x0008  If this flag is set, SecureXL enables MSS Clamping. Refer to the kernel parameters
        'fw_clamp_tcp_mss' and 'fw_clamp_vpn_mss' in sk101219
        http://supportcontent.checkpoint.com/solutions?id=sk101219.
0x0010  If this flag is set, SecureXL disables the "No Match Ranges" (NMR) Templates (see sk117755
        http://supportcontent.checkpoint.com/solutions?id=sk117755).
0x0020  If this flag is set, SecureXL disables the "No Match Time" (NMT) Templates (see sk117755
        http://supportcontent.checkpoint.com/solutions?id=sk117755).
0x0040  If this flag is set, SecureXL does not send Drop Templates notifications (about dropped
        packets) to the Firewall (to maintain the drop counters). For example, if you set the
        value of the kernel parameter activate_optimize_drops_support_now to 1, it disables the
        Drop Templates notifications.
0x0080  If this flag is set, SecureXL enables the MultiCore support for IPsec VPN (see sk118097
        http://supportcontent.checkpoint.com/solutions?id=sk118097).
0x0100  If this flag is set, SecureXL enables the support for CoreXL Dynamic Dispatcher (see
        sk105261 http://supportcontent.checkpoint.com/solutions?id=sk105261).
0x0800  If this flag is set, SecureXL does not enforce the Path MTU Discovery for IP multicast
        packets.
0x1000  If this flag is set, SecureXL disables the SIM "drop_templates" feature.
0x2000  If this flag is set, it indicates that an administrator enabled the Link Selection Load
        Sharing feature.
0x4000  If this flag is set, SecureXL disables the asynchronous notification feature.
0x8000  If this flag is set, it indicates that the Firewall Connections Table capacity is
        unlimited.


Examples:

Value Description
0x039 Means the sum of these flags:
• 0x001
• 0x008
• 0x010
• 0x020
0x00008a16 Means the sum of these flags:
• 0x0002
• 0x0004
• 0x0010
• 0x0200
• 0x0800
• 0x8000
0x00009a16 Means the sum of these flags:
• 0x0002
• 0x0004
• 0x0010
• 0x0200
• 0x0800
• 0x1000
• 0x8000
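To apply the flag table to real sim if output, here is an added example (not Check Point code or the guide's own): it parses the F and SIM F columns, decomposes each word into the documented bits, and reports bits the table does not describe instead of guessing at them. It assumes the 3-digit flag group above belongs to the F column and the 4-digit group to SIM F, consistent with the worked values 0x039 and 0x00008a16; the sample rows are copied from the sim if example earlier, rejoined onto one line each.

```python
"""Decode the "F" and "SIM F" flag words that 'sim if' prints for each interface.

Added example (not Check Point code). Flag meanings are the ones the guide lists.
The guide gives them as two groups; this script assumes the 3-hex-digit group
(0x001-0x400) belongs to the "F" column and the 4-hex-digit group (0x0001-0x8000)
to the "SIM F" column, which matches its worked values 0x039 and 0x00008a16.
"""
from typing import Dict, List, Tuple

FW_FLAGS: Dict[int, str] = {  # "F": flags the Firewall set on the interface
    0x001: "drop cut-through packets at the end of inbound inspection",
    0x002: "notify on TCP state change (established / torn down)",
    0x004: "set the UDP checksum on UDP-encapsulated encrypted packets",
    0x008: "drop template matches once the Connections Table reaches its limit",
    0x010: "forward fragments to the Firewall",
    0x020: "do not create connections from TCP templates",
    0x040: "periodically notify the Firewall to refresh accelerated connections",
    0x080: "do not create connections from non-TCP templates",
    0x100: "allow sequence verification violations before the 3-way handshake",
    0x200: "allow sequence verification violations after the 3-way handshake",
    0x400: "forward TCP [RST] packets to the Firewall",
}

SIM_FLAGS: Dict[int, str] = {  # "SIM F": flags SecureXL set on the interface
    0x0001: "notify the Firewall about HitCount data",
    0x0002: "VSX Virtual System acts as a junction",
    0x0004: "replay counter disabled for inbound encrypted traffic",
    0x0008: "MSS Clamping enabled",
    0x0010: "No Match Ranges (NMR) templates disabled",
    0x0020: "No Match Time (NMT) templates disabled",
    0x0040: "Drop Templates notifications disabled",
    0x0080: "MultiCore support for IPsec VPN enabled",
    0x0100: "CoreXL Dynamic Dispatcher support enabled",
    0x0800: "Path MTU Discovery not enforced for IP multicast",
    0x1000: "SIM drop_templates feature disabled",
    0x2000: "Link Selection Load Sharing enabled",
    0x4000: "asynchronous notification disabled",
    0x8000: "Firewall Connections Table capacity unlimited",
}


def decode_flags(value: int, table: Dict[int, str]) -> Tuple[List[int], int]:
    """Split a flag word into its documented bits (ascending) plus a mask of the rest.

    Bits the table does not describe are reported, not guessed: the guide's own
    example 0x00008a16 contains 0x0200, which its SIM flag table does not list.
    """
    known = [bit for bit in sorted(table) if value & bit]
    return known, value & ~sum(table)


def parse_sim_if(output: str) -> List[dict]:
    """Parse 'sim if' rows (one per line) and decode both flag columns.

    Column order from the header: Name | Address | Netmask | CXL Address |
    CXL Netmask | MTU | F | SIM F | IRQ | IFN:FWN:DVN | Dev.
    """
    rows = []
    for line in output.splitlines():
        cells = [cell.strip() for cell in line.split("|")]
        if len(cells) < 8 or cells[0] in ("", "Name"):
            continue  # prompt, header or separator line
        f_val, simf_val = int(cells[6], 16), int(cells[7], 16)
        rows.append({"name": cells[0],
                     "f": f_val, "f_flags": decode_flags(f_val, FW_FLAGS),
                     "sim_f": simf_val, "sim_f_flags": decode_flags(simf_val, SIM_FLAGS)})
    return rows


def describe(row: dict) -> List[str]:
    """Human-readable report for one parsed interface row."""
    out = [f"{row['name']}: F=0x{row['f']:03x} SIM F=0x{row['sim_f']:04x}"]
    for label, (known, unknown), table in (("F", row["f_flags"], FW_FLAGS),
                                            ("SIM F", row["sim_f_flags"], SIM_FLAGS)):
        out += [f"  {label} 0x{bit:04x}: {table[bit]}" for bit in known]
        if unknown:
            out.append(f"  {label} 0x{unknown:04x}: not described in the guide's flag table")
    return out


# Constructed input: header plus three rows from the guide's 'sim if' example,
# each rejoined onto one line (the PDF wrapped them).
SAMPLE_SIM_IF = """\
Name | Address | Netmask | CXL Address | CXL Netmask | MTU | F | SIM F | IRQ | IFN:FWN:DVN | Dev
----------------------------------------------------------------------------------------------
eth0 | 192.168.3.242 | 0.0.0.0 | 192.168.3.243 | 255.255.255.0 | 1500 | 039 | 00080 | 67 | 2: 1: 2 | 0x0x3e836000
eth1 | 10.20.30.242 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 1500 | 029 | 00088 | 75 | 3: 2: 3 | 0x0x3d508000
eth2.53 | 192.168.196.2 | 0.0.0.0 | 200.200.200.53 | 0.0.0.0 | 1500 | 029 | 00580 | 0 | 11: 10: 11 | 0x0x2ca90000
"""

if __name__ == "__main__":
    for row in parse_sim_if(SAMPLE_SIM_IF):
        print("\n".join(describe(row)))
```

On a gateway, pipe the live output in with sim if | python3 this_script.py after replacing SAMPLE_SIM_IF with sys.stdin.read(); the undocumented-bit lines are the ones worth raising with support rather than interpreting yourself.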


sim nonaccel
Description
• Sets the specified interfaces as non-accelerated.
• Clears the specified interfaces from non-accelerated state.

Syntax for IPv4


sim [-i <SecureXL ID>] nonaccel
-c <Name of Interface 1> [<Name of Interface 2> ... <Name of Interface N>]
-s <Name of Interface 1> [<Name of Interface 2> ... <Name of Interface N>]

Syntax for IPv6


sim6 nonaccel
-c <Name of Interface 1> [<Name of Interface 2> ... <Name of Interface N>]
-s <Name of Interface 1> [<Name of Interface 2> ... <Name of Interface N>]

Parameters

-i <SecureXL ID>
    Specifies the SecureXL instance ID (for IPv4 only).

-c
    Sets the specified interfaces as non-accelerated.

-s
    Clears the specified interfaces from non-accelerated state.

<Name of Interface>
    Specifies the interface.

Example
[Expert@MyGW:0]# sim nonaccel -s eth0
Interface eth0 set as non-accelerated.

Note: Changes will not take affect until the next time acceleration
is started or the relevant interface(s) are restarted.
[Expert@MyGW:0]#

[Expert@MyGW:0]# sim nonaccel -c eth0
Interface eth0 set as accelerated.

Note: Changes will not take affect until the next time acceleration
is started or the relevant interface(s) are restarted.
[Expert@MyGW:0]#


sim ver
Description
Shows this information:
• SecureXL (Performance Pack) version
• Kernel version

Syntax for IPv4


sim ver [-k]

Syntax for IPv6


sim6 ver [-k]

Parameters

No Parameter
    Shows only the SecureXL (Performance Pack) version.

-k
    Shows this information:
    • SecureXL (Performance Pack) version
    • Kernel version

Example
[Expert@MyGW:0]# sim ver
This is Check Point Performance Pack version: R80.20 - Build 145
Kernel version: R80.20 - Build 145
[Expert@MyGW:0]#
[Expert@MyGW:0]# sim ver -k
This is Check Point Performance Pack version: R80.20 - Build 145
Kernel version: R80.20 - Build 145
[Expert@MyGW:0]#


'fw sam_policy' and 'fw6 sam_policy'


Description
Manages the Suspicious Activity Policy editor that lets you work with these types of rules:
• Suspicious Activity Monitoring (SAM) rules.
See sk112061: How to create and view Suspicious Activity Monitoring (SAM) Rules
http://supportcontent.checkpoint.com/solutions?id=sk112061.
• Rate Limiting rules.
See sk112454: How to configure Rate Limiting rules for DoS Mitigation
http://supportcontent.checkpoint.com/solutions?id=sk112454.
Also, see these commands:
• fw sam
• sam_alert
Notes:
• You can run these commands interchangeably: 'fw sam_policy' and 'fw samp'.
• Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
• The SAM Policy management file is $FWDIR/database/sam_policy.mng.
• You can run these commands in Gaia Clish or Expert mode.
Important:
• Configuration you make with these commands survives reboot.
• VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See
sk79700 http://supportcontent.checkpoint.com/solutions?id=sk79700.
• The SAM Policy rules consume some CPU resources on Security Gateway. We recommend that you
set an expiration that gives you time to investigate, but does not affect performance. The best
practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is
risky, edit the Security Policy, educate users, or otherwise handle the risk.
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In a Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fw [-d] sam_policy
add <options>
batch
del <options>
get <options>
fw [-d] samp
add <options>
batch
del <options>
get <options>


Syntax for IPv6


fw6 [-d] sam_policy
add <options>
batch
del <options>
get <options>
fw6 [-d] samp
add <options>
batch
del <options>
get <options>

Parameters

-d
    Runs the command in debug mode.
    Use only if you troubleshoot the command itself.

add <options> (on page 128)
    Adds one Rate Limiting rule at a time.

batch (on page 138)
    Adds or deletes many Rate Limiting rules at a time.

del <options> (on page 140)
    Deletes one configured Rate Limiting rule at a time.

get <options> (on page 142)
    Shows all the configured Rate Limiting rules.


'fw sam_policy add' and 'fw6 sam_policy add'


Description
The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:
• Add one Suspicious Activity Monitoring (SAM) rule at a time.
• Add one Rate Limiting rule at a time.
Notes:
• You can run these commands interchangeably: 'fw sam_policy add' and 'fw samp add'.
• Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
• The SAM Policy management file is $FWDIR/database/sam_policy.mng.
• You can run these commands in Gaia Clish or Expert mode.
Important:
• Configuration you make with these commands survives reboot.
• VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See
sk79700 http://supportcontent.checkpoint.com/solutions?id=sk79700.
• The SAM Policy rules consume some CPU resources on Security Gateway. We recommend that you
set an expiration that gives you time to investigate, but does not affect performance. The best
practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is
risky, edit the Security Policy, educate users, or otherwise handle the risk.
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In a Cluster, you must configure the SecureXL in the same way on all the Cluster Members.

Syntax for IPv4


fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n
<"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z <"Zone">]
ip <IP Filter Arguments>
quota <Quota Filter Arguments>

Syntax for IPv6


fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>]
[-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z <"Zone">]
ip <IP Filter Arguments>
quota <Quota Filter Arguments>

Parameters

Parameter Description
-d Optional.
Runs the command in debug mode.
Use only if you troubleshoot the command itself.
Note - If you use this parameter, then redirect the output to a file, or
use the script command to save the entire CLI session.

Performance Tuning Administration Guide R80.20 | 128


SecureXL and Falcon Acceleration Cards in R80.20

-u Optional.
Specifies that the rule category is User-defined.
Default rule category is Auto.
-a {d | n | b} Mandatory.
Specifies the rule action if the traffic matches the rule conditions:
• d - Drop the connection.
• n - Notify (generate a log) about the connection and let it through.
• b - Bypass the connection - let it through without checking it
against the policy rules.
Note - Rules with action set to Bypass cannot have a log or limit
specification. Bypassed packets and connections do not count
towards overall number of packets and connection for limit
enforcement of type ratio.
-l {r | a} Optional.
Specifies which type of log to generate for this rule for all traffic that
matches:
• r - Generate a regular log
• a - Generate an alert log
-t <Timeout> Optional.
Specifies the time period (in seconds), during which the rule will be
enforced.
Default timeout is indefinite.
-f <Target> Optional.
Specifies the target Security Gateways, on which to enforce the Rate
Limiting rule.
<Target> can be one of these:
• all - This is the default option. Specifies that the rule should be
enforced on all managed Security Gateways.
• Name of the Security Gateway or Cluster object - Specifies that
the rule should be enforced only on this Security Gateway or
Cluster object (the object name must be as defined in the
SmartConsole).
• Name of the Group object - Specifies that the rule should be
enforced on all Security Gateways that are members of this Group
object (the object name must be as defined in the SmartConsole).

-n "<Rule Name>" Optional.
Specifies the name (label) for this rule.
You must enclose this string in double quotes.
The length of this string is limited to 128 characters.
Before each space or a backslash character in this string, you must
write a backslash (\) character. Example:
"This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"
-c "<Rule Comment>" Optional.
Specifies the comment for this rule.
You must enclose this string in double quotes.
The length of this string is limited to 128 characters.
Before each space or a backslash character in this string, you must
write a backslash (\) character. Example:
"This\ is\ a\ comment\ with\ a\ backslash\ \\"
-o "<Rule Originator>" Optional.
Specifies the name of the originator for this rule.
You must enclose this string in double quotes.
The length of this string is limited to 128 characters.
Before each space or a backslash character in this string, you must
write a backslash (\) character. Example:
"Created\ by\ John\ Doe"
-z "<Zone>" Optional.
Specifies the name of the Security Zone for this rule.
You must enclose this string in double quotes.
The length of this string is limited to 128 characters.
ip <IP Filter Arguments> Mandatory (use this ip parameter, or the quota parameter).
Configures the Suspicious Activity Monitoring (SAM) rule.
Specifies the IP Filter Arguments for the SAM rule (you must use at
least one of these options):
[-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination
IP>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]

quota <Quota Filter Mandatory (use this quota parameter, or the ip parameter).
Arguments> Configures the Rate Limiting rule.
Specifies the Quota Filter Arguments for the Rate Limiting rule:
• [flush true]
• [source-negated {true | false}] source <Source>
• [destination-negated {true | false}] destination
<Destination>
• [service-negated {true | false}] service <Protocol and
Port numbers>
• [<Limit1 Name> <Limit1 Value>] [<Limit2 Name> <Limit2
Value>] ...[<LimitN Name> <LimitN Value>]
• [track <Track>]
See the explanations below.
Important - The Quota rules are not applied immediately to the
Security Gateway. They are only registered in the Suspicious Activity
Monitoring (SAM) policy database. To apply all the rules from the SAM
policy database immediately, add flush true in the fw samp add
command.

Explanation for the IP Filter Arguments syntax for Suspicious Activity Monitoring (SAM) rules:

Argument Description
-C Specifies that open connections should be closed.
-s <Source IP> Specifies the Source IP address.
-m <Source Mask> Specifies the Source subnet mask (in dotted decimal
format - x.y.z.w).
-d <Destination IP> Specifies the Destination IP address.
-M <Destination Mask> Specifies the Destination subnet mask (in dotted decimal
format - x.y.z.w).
-p <Port> Specifies the port number (see IANA Service Name and
Port Number Registry
https://www.iana.org/assignments/service-names-port-n
umbers/service-names-port-numbers.xhtml).
-r <Protocol> Specifies the protocol number (see IANA Protocol
Numbers)
https://www.iana.org/assignments/protocol-numbers/prot
ocol-numbers.xhtml


Explanation for the Quota Filter Arguments syntax for Rate Limiting rules:

Argument Description
flush true Specifies to compile and load the quota rule to the
SecureXL immediately.
[source-negated {true | Specifies the source type and its value:
false}] source <Source>
• any
The rule is applied to packets sent from all sources.
• range:<IP Address>
or
range:<IP Address Start>-<IP Address End>
The rule is applied to packets sent from:
• Specified IPv4 addresses (x.y.z.w)
• Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
• cidr:<IP Address>/<Prefix>
The rule is applied to packets sent from:
• IPv4 address with Prefix from 0 to 32
• IPv6 address with Prefix from 0 to 128
• cc:<Country Code>
The rule matches the country code to the source IP
addresses assigned to this country, based on the Geo
IP database.
The two-letter codes are defined in ISO 3166-1 alpha-2
https://www.iso.org/iso-3166-country-codes.html.
• asn:<Autonomous System Number>
The rule matches the AS number of the organization to
the source IP addresses that are assigned to this
organization, based on the Geo IP database.
The valid syntax is ASnnnn, where nnnn is a number
unique to the specific organization.
Notes:
• Default is: source-negated false
• The source-negated true processes all source
types, except the specified type.

[destination-negated {true | Specifies the destination type and its value:
false}] destination
<Destination> • any
The rule is applied to packets sent to all destinations.
• range:<IP Address>
or
range:<IP Address Start>-<IP Address End>
The rule is applied to packets sent to:
• Specified IPv4 addresses (x.y.z.w)
• Specified IPv6 addresses (xxxx:yyyy:...:zzzz)
• cidr:<IP Address>/<Prefix>
The rule is applied to packets sent to:
• IPv4 address with Prefix from 0 to 32
• IPv6 address with Prefix from 0 to 128
• cc:<Country Code>
The rule matches the country code to the destination IP
addresses assigned to this country, based on the Geo
IP database.
The two-letter codes are defined in ISO 3166-1 alpha-2
https://www.iso.org/iso-3166-country-codes.html.
• asn:<Autonomous System Number>
The rule matches the AS number of the organization to
the destination IP addresses that are assigned to this
organization, based on the Geo IP database.
The valid syntax is ASnnnn, where nnnn is a number
unique to the specific organization.
Notes:
• Default is: destination-negated false
• The destination-negated true will process all
destination types except the specified type

[service-negated {true | Specifies the Protocol number (see IANA Protocol
false}] service <Protocol and Numbers
Port numbers> https://www.iana.org/assignments/protocol-numbers/prot
ocol-numbers.xhtml) and Port number (see IANA Service
Name and Port Number Registry
https://www.iana.org/assignments/service-names-port-n
umbers/service-names-port-numbers.xhtml):
• <Protocol>
IP protocol number in the range 1-255
• <Protocol Start>-<Protocol End>
Range of IP protocol numbers
• <Protocol>/<Port>
IP protocol number in the range 1-255 and TCP/UDP
port number in the range 1-65535
• <Protocol>/<Port Start>-<Port End>
IP protocol number and range of TCP/UDP port
numbers from 1 to 65535
Notes:
• Default is: service-negated false
• The service-negated true will process all traffic
except the traffic with the specified protocols and ports

[<Limit 1 Name> <Limit 1 Value>] Specifies quota limits and their values.
[<Limit 2 Name> <Limit 2 Value>] Note - Separate multiple quota limits with spaces.
...
[<Limit N Name> <Limit N Value>] • concurrent-conns <Value>
Specifies the maximal number of concurrent active
connections that match this rule.
• concurrent-conns-ratio <Value>
Specifies the maximal ratio of the concurrent-conns
value to the total number of active connections through
the Security Gateway, expressed in parts per 65536
(formula: N / 65536).
• pkt-rate <Value>
Specifies the maximum number of packets per second
that match this rule.
• pkt-rate-ratio <Value>
Specifies the maximal ratio of the pkt-rate value to the
rate of all connections through the Security Gateway,
expressed in parts per 65536 (formula: N / 65536).
• byte-rate <Value>
Specifies the maximal total number of bytes per
second in packets that match this rule.
• byte-rate-ratio <Value>
Specifies the maximal ratio of the byte-rate value to
the bytes per second rate of all connections through
the Security Gateway, expressed in parts per 65536
(formula: N / 65536).
• new-conn-rate <Value>
Specifies the maximal number of connections per
second that match the rule.
• new-conn-rate-ratio <Value>
Specifies the maximal ratio of the new-conn-rate value
to the rate of all connections per second through the
Security Gateway, expressed in parts per 65536
(formula: N / 65536).
[track <Track>] Specifies the tracking option:
• source
Counts connections, packets, and bytes for specific
source IP address, and not cumulatively for this rule.
• source-service
Counts connections, packets, and bytes for specific
source IP address, and for specific IP protocol and
destination port, and not cumulatively for this rule.


Example 1 - Rate Limiting rule with a range


fw sam_policy add -a d -l r -t 3600 quota service any source
range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

Explanations:
• This rule drops all connections (-a d) that exceed the quota set by this rule.
• This rule logs packets (-l r) that exceed the quota set by this rule.
• This rule will expire in 3600 seconds (-t 3600).
• This rule limits the rate of creation of new connections to 5 connections per second
(new-conn-rate 5) for any traffic (service any) from the source IP addresses in the range
172.16.7.11 - 172.16.7.13 (source range:172.16.7.11-172.16.7.13).
Note: The limit of the total number of log entries per second is configured with the fwaccel dos
config set -n <rate> command.
• This rule will be compiled and loaded on the SecureXL, together with other rules in the
Suspicious Activity Monitoring (SAM) policy database immediately, because this rule includes
the flush true parameter.

Example 2 - Rate Limiting rule with a service specification


fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true
source cc:QQ byte-rate 0

Explanations:
• This rule logs and lets through all packets (-a n) that exceed the quota set by this rule.
• This rule does not expire (the timeout parameter is not specified). To cancel it, you must
delete it explicitly.
• This rule applies to all packets except (service-negated true) the packets with IP protocol
number 1, 50-51, 6 port 443 and 17 port 53 (service 1,50-51,6/443,17/53).
• This rule applies to all packets from source IP addresses that are assigned to the country with
specified country code (cc:QQ).
• The quota of this rule is zero (byte-rate 0), so every matching packet exceeds it and is logged. Because
the action is Notify (-a n), the packets are still let through; only the packets with IP protocol number 1,
50-51, 6 port 443 and 17 port 53 are outside the scope of the rule.
• This rule will not be compiled and installed on the SecureXL immediately, because it does not
include the flush true parameter.

Example 3 - Rate Limiting rule with ASN


fw sam_policy add -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service
any pkt-rate 0

Explanations:
• This rule drops (-a d) all packets that match this rule.
• This rule does not expire (the timeout parameter is not specified). To cancel it, you must
delete it explicitly.
• This rule applies to packets whose source is in the Autonomous System number 64500 (asn:AS64500)
or in the IPv6 prefix ::FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120), which is the IPv4-mapped
form of 192.168.17.0/24.


• This rule applies to all traffic (service any).


• This rule does not let any traffic through (pkt-rate 0).
• This rule will not be compiled and installed on the SecureXL immediately, because it does not
include the flush true parameter.

Example 4 - Rate Limiting rule with whitelist


fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

Explanations:
• This rule bypasses (-a b) all packets that match this rule.
Note: The Access Control Policy and other types of security policy rules still apply.
• This rule does not expire (the timeout parameter is not specified). To cancel it, you must
delete it explicitly.
• This rule applies to packets from the source IP addresses in the range 172.16.8.17 -
172.16.9.121 (range:172.16.8.17-172.16.9.121).
• This rule applies to packets sent to TCP port 80 (service 6/80).
• This rule will not be compiled and installed on the SecureXL immediately, because it does not
include the flush true parameter.

Example 5 - Rate Limiting rule with tracking


fw sam_policy add -a d quota service any source-negated true source cc:QQ
concurrent-conns-ratio 655 track source

Explanations:
• This rule drops (-a d) all packets that match this rule.
• This rule does not log any packets (the -l r parameter is not specified).
• This rule does not expire (the timeout parameter is not specified). To cancel it, you must
delete it explicitly.
• This rule applies to all traffic (service any).
• This rule applies to all sources except (source-negated true) the source IP addresses that
are assigned to the country with specified country code (cc:QQ).
• This rule limits the maximal number of concurrent active connections to 655/65536=~1%
(concurrent-conns-ratio 655) for any traffic (service any) from all sources except
(source-negated true) the source IP addresses that are assigned to the country with the
specified country code (cc:QQ).
• This rule counts connections, packets, and bytes for traffic only from sources that match this
rule, and not cumulatively for this rule.
• This rule will not be compiled and installed on the SecureXL immediately, because it does not
include the flush true parameter.


'fw sam_policy batch' and 'fw6 sam_policy batch'


Description
The 'fw sam_policy batch' and 'fw6 sam_policy batch' commands let you:
• Add and delete many Suspicious Activity Monitoring (SAM) rules at a time.
• Add and delete many Rate Limiting rules at a time.
Notes:
• You can run these commands interchangeably: 'fw sam_policy batch' and 'fw samp
batch'.
• Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db
file.
• The SAM Policy management file is $FWDIR/database/sam_policy.mng.
• You can run these commands in Gaia Clish, or Expert mode.
Important:
• Configuration you make with these commands, survives reboot.
• VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See
sk79700 http://supportcontent.checkpoint.com/solutions?id=sk79700.
• The SAM Policy rules consume some CPU resources on Security Gateway. We recommend to
set an expiration that gives you time to investigate, but does not affect performance. The best
practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is
risky, edit the Security Policy, educate users, or otherwise handle the risk.
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all of the Cluster Members.

Procedure
Step Description
1 Start the batch mode:
For IPv4: fw sam_policy batch << EOF
For IPv6: fw6 sam_policy batch << EOF

2 Enter the applicable commands as described below:


• Enter one add (on page 128) or del (on page 140) command on each line, on as many
lines as necessary.
Start each line with the add or del keyword only (not with fw samp).
• Use the same set of parameters and values as described in 'fw sam_policy add'
and 'fw6 sam_policy add' (on page 128).
• Terminate each line with a Return (ASCII 10 - Line Feed) character.
3 End the batch mode:
Write EOF and press Enter.


Example for IPv4 Rate Limiting rule


fw samp batch <<EOF

add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec\ from\ these\ sources"
quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5

del <501f6ef0,00000000,cb38a8c0,0a0afffe>

add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

EOF
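The backslash escaping required for -n, -c and -o, the rule that Bypass rules carry no log specification, the parts-per-65536 unit of the *-ratio limits, and the need for a flush-only rule at the end of a batch are the details most often got wrong when a batch is generated by a script. The POSIX shell helpers below are an example added here; they are not part of the Check Point product or of this guide. They only compose the text that would be piped into fw samp batch and never call fw themselves, so they run anywhere. The function names and the sample rules are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Check Point code): compose 'fw samp batch' input offline.
# Function names and sample values are assumptions made for this example.

# Escape a free-text string for -n/-c/-o: a backslash before every
# backslash, then before every space, then wrap it in double quotes.
samp_escape() {
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g')"
}

# Convert a percentage (0-100) into the parts-per-65536 value that
# concurrent-conns-ratio, pkt-rate-ratio, byte-rate-ratio and
# new-conn-rate-ratio expect (integer arithmetic, rounded down).
samp_ratio_from_percent() {
    printf '%d' $(( $1 * 65536 / 100 ))
}

# Compose one Rate Limiting 'add' line for a batch.
#   $1   action: d (drop), n (notify) or b (bypass)
#   $2   timeout in seconds, or "" for an indefinite rule
#   $3   comment text (unescaped), or ""
#   $4.. quota filter arguments, passed through verbatim
samp_add_quota() {
    action=$1; timeout=$2; comment=$3; shift 3
    line="add -a $action"
    [ -n "$timeout" ] && line="$line -t $timeout"
    # Bypass rules cannot have a log specification, so add -l r only otherwise.
    [ "$action" != "b" ] && line="$line -l r"
    [ -n "$comment" ] && line="$line -c $(samp_escape "$comment")"
    printf '%s quota %s\n' "$line" "$*"
}

# Assemble the complete batch: the given add/del lines, then a flush-only
# rule that expires after 2 seconds, so SecureXL compiles everything now
# without leaving an obsolete rule behind in the database.
samp_batch() {
    printf '%s\n' "$@"
    printf 'add -t 2 quota flush true\n'
}

# Demo: the batch text for the two rules from the example above plus a
# drop rule capped at 1% of the gateway's concurrent connections.
samp_demo_batch() {
    samp_batch \
        "$(samp_add_quota d 3600 'Limit conn rate to 5 conn/sec from these sources' \
            service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5)" \
        "$(samp_add_quota b '' '' source range:172.16.8.17-172.16.9.121 service 6/80)" \
        "$(samp_add_quota d '' 'Cap foreign sources at 1%' service any \
            source-negated true source cc:QQ \
            concurrent-conns-ratio "$(samp_ratio_from_percent 1)" track source)"
}

# On a gateway, in Expert mode, this would be:  samp_demo_batch | fw samp batch
samp_demo_batch
```

Because the helpers only print text, the generated batch can be reviewed (or diffed against the current fw samp get output) before it is fed to the gateway.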


'fw sam_policy del' and 'fw6 sam_policy del'


Description
The 'fw sam_policy del' and 'fw6 sam_policy del' commands let you:
• Delete one configured Suspicious Activity Monitoring (SAM) rule at a time.
• Delete one configured Rate Limiting rule at a time.
Notes:
• You can run these commands interchangeably: 'fw sam_policy del' and 'fw samp
del'.
• Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db
file.
• The SAM Policy management file is $FWDIR/database/sam_policy.mng.
• You can run these commands in Gaia Clish, or Expert mode.
Important:
• Configuration you make with these commands, survives reboot.
• VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See
sk79700 http://supportcontent.checkpoint.com/solutions?id=sk79700.
• The SAM Policy rules consume some CPU resources on Security Gateway. We recommend to
set an expiration that gives you time to investigate, but does not affect performance. The best
practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is
risky, edit the Security Policy, educate users, or otherwise handle the risk.
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all of the Cluster Members.

Syntax for IPv4


fw [-d] sam_policy del '<Rule UID>'

Syntax for IPv6


fw6 [-d] sam_policy del '<Rule UID>'

Parameters
Parameter Description
-d Enables the debug mode for the fw command. By default, writes to the
screen.
Note - If you use this parameter, then redirect the output to a file, or use
the script command to save the entire CLI session.

'<Rule UID>' Specifies the UID of the rule you wish to delete.
Important:
• The quote marks and angle brackets ('<...>') are mandatory.
• To see the Rule UID, run the 'fw sam_policy get' and 'fw6
sam_policy get' (on page 142) commands.

Procedure
Step Description
1 List all the existing rules in the Suspicious Activity Monitoring policy database:
For IPv4: fw sam_policy get
For IPv6: fw6 sam_policy get
The rules show in this format (one rule per line):
operation=add uid=<Value1,Value2,Value3,Value4> target=... timeout=... action=... log=... name=... comment=... originator=... src_ip_addr=... req_type=...
Example for IPv4:
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip
2 Delete a rule from the list by its UID.
For IPv4: fw [-d] sam_policy del '<Rule UID>'
For IPv6: fw6 [-d] sam_policy del '<Rule UID>'
Example for IPv4:
fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'
3 Enter this flush-only add rule:
For IPv4: fw samp add -t 2 quota flush true
For IPv6: fw6 samp add -t 2 quota flush true
Explanation:
The fw samp del and fw6 samp del commands only remove a rule from the persistent
database. The Security Gateway continues to enforce the deleted rule until the next time
you compile and load a policy. To remove the rule from enforcement immediately, enter a
flush-only add rule right after the fw samp del or fw6 samp del command. This flush-only
add rule applies the deletion you made in the previous step immediately, and itself times
out in 2 seconds. It is a good practice to specify a short timeout period for flush-only
rules, so that obsolete rules do not accumulate in the database.
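Steps 1 to 3 above as a script, added here as an example that is not part of the Check Point product or of this guide, and run offline on a constructed sample of fw samp get output. samp_select parses the default output format (one rule per line of key=value pairs, with spaces inside values escaped as backslash-space and backslashes as a double backslash, the same escaping the add command requires) and prints one field of every rule whose given key equals the given value, which is what the -k/-t/-v filters of fw samp get do on the gateway. samp_del_batch turns a list of UIDs into fw samp batch input: one del line per UID, followed by the 2-second flush-only rule from step 3, so the deletions take effect in SecureXL immediately. The function names, the sample rules and the choice of "rules with no expiration" as the cleanup criterion are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Check Point code): find and delete SAM policy rules from
# 'fw samp get' output. Function names and the sample below are assumptions.

# Constructed sample of 'fw samp get' default-format output: one rule per
# line; spaces inside values are escaped as '\ ' and backslashes as '\\'.
SAMPLE_GET='operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass name=Bypass\ web\ \\ source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=indefinite action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip'

# samp_select KEY VALUE OUT: read default-format rules on stdin and print the
# decoded OUT field of every rule whose KEY field equals VALUE.
samp_select() {
    awk -v key="$1" -v want="$2" -v out="$3" '
    # undo the placeholders: \001 was an escaped space, \002 an escaped backslash
    function decode(s) { gsub("\001", " ", s); gsub("\002", "\\\\", s); return s }
    {
        line = $0
        gsub(/\\\\/, "\002", line)   # protect escaped backslashes first,
        gsub(/\\ /, "\001", line)    # then escaped spaces, so a value ending in \\ splits right
        n = split(line, tok, " ")
        split("", f)                 # portable way to clear the array
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            if (eq) f[substr(tok[i], 1, eq - 1)] = decode(substr(tok[i], eq + 1))
        }
        if ((key in f) && f[key] == want && (out in f)) print f[out]
    }'
}

# samp_del_batch: read UIDs on stdin and emit 'fw samp batch' input: one del
# line per UID, then the flush-only rule (step 3) that times out after 2 s.
samp_del_batch() {
    while IFS= read -r uid; do
        [ -n "$uid" ] && printf 'del %s\n' "$uid"
    done
    printf 'add -t 2 quota flush true\n'
}

# Demo: batch that removes every rule with no expiration from the sample.
# On a gateway, in Expert mode, the same flow would be:
#   fw samp get | samp_select timeout indefinite uid | samp_del_batch | fw samp batch
samp_stale_batch_demo() {
    printf '%s\n' "$SAMPLE_GET" | samp_select timeout indefinite uid | samp_del_batch
}

samp_stale_batch_demo
```

Decoding the escapes before comparing matters: a rule named "Test Rule" appears as name=Test\ Rule in the output, so a naive whitespace split would treat Rule as a separate token and never match the name.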


'fw sam_policy get' and 'fw6 sam_policy get'


Description
The 'fw sam_policy get' and 'fw6 sam_policy get' commands let you:
• Show all the configured Suspicious Activity Monitoring (SAM) rules.
• Show all the configured Rate Limiting rules.
Notes:
• You can run these commands interchangeably: 'fw sam_policy get' and 'fw samp
get'.
• Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db
file.
• The SAM Policy management file is $FWDIR/database/sam_policy.mng.
• You can run these commands in Gaia Clish, or Expert mode.
Important:
• VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See
sk79700 http://supportcontent.checkpoint.com/solutions?id=sk79700.
• The SAM Policy rules consume some CPU resources on Security Gateway. We recommend to
set an expiration that gives you time to investigate, but does not affect performance. The best
practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is
risky, edit the Security Policy, educate users, or otherwise handle the risk.
• On VSX Gateway, first go to the context of an applicable Virtual System.
In Gaia Clish, run: set virtual-system <VSID>
In Expert mode, run: vsenv <VSID>
• In Cluster, you must configure the SecureXL in the same way on all of the Cluster Members.

Syntax for IPv4


fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}]
[-n]]

Syntax for IPv6


fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v
'<Value>'}] [-n]]

Parameters
Note - All these parameters are optional.

Parameter Description
-d Runs the command in debug mode.
Use only if you troubleshoot the command itself.

-l Controls how to print the rules:
• In the default format (without -l), the output shows each rule on a
separate line.
• In the list format (with -l), the output shows each parameter of a rule
on a separate line.
• See 'fw sam_policy add' and 'fw6 sam_policy add' (on page 128).
-u '<Rule UID>' Prints the rule specified by its Rule UID or its zero-based rule index.
The quote marks and angle brackets ('<...>') are mandatory.
-k '<Key>' Prints the rules with the specified predicate key.
The quote marks are mandatory.
-t <Type> Prints the rules with the specified predicate type.
For Rate Limiting rules, you must always use "-t in".
+{-v '<Value>'} Prints the rules with the specified predicate values.
The quote marks are mandatory.
-n Negates the condition specified by these predicate parameters:
• -k
• -t
• +-v

Example 1 - Output in the default format


[Expert@GW:0]# fw samp get

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip

Example 2 - Output in the list format


[Expert@GW:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip


Example 3 - Printing a rule by its Rule UID


[Expert@GW:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300 action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\ 1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_type=ip

Example 4 - Printing rules that match the specified filters


[Expert@MyGW:0]# fw samp get
no corresponding SAM policy requests
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13
new-conn-rate 5 flush true
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source
cc:QQ byte-rate 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp add -a d quota service any source-negated true source cc:QQ
concurrent-conns-ratio 655 track source
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@MyGW:0]#


The /proc/ppk/ and /proc/ppk6/ entries


Description
SecureXL supports Linux /proc entries. The read-only entries in the /proc/ppk/ (IPv4) and /proc/ppk6/
(IPv6) directories contain various data about SecureXL.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/<Name of File>

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/<Name of File>

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/<Name of File>

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/<Name of File>

Files
File Description
affinity (on page 147) Contains status and the thresholds for SecureXL New Affinity mechanism.
conf (on page 148) Contains the SecureXL configuration and basic statistics.
conns (on page 149) Contains the list of the SecureXL connections.
cpls (on page 150) Contains SecureXL configuration for ClusterXL Load Sharing (CPLS).
cqstats (on page 151) Contains statistics for SecureXL connections queue.
drop_statistics (on page 152) Contains SecureXL statistics for dropped packets.
ifs (on page 153) Contains the list of interfaces that SecureXL uses.
mcast_statistics (on page 157) Contains SecureXL statistics for multicast traffic.
nac (on page 158) Contains SecureXL statistics for Identity Awareness Network Access Control (NAC) traffic.
notify_statistics (on page 159) Contains SecureXL statistics for notifications SecureXL sent to Firewall about accelerated connections.
profile_cpu_stat (on page 160) Contains IDs of the CPU cores and status of Traffic Profiling.
rlc (on page 161) Contains SecureXL statistics for drops due to Rate Limiting for DoS Mitigation (on page 21).
statistics (on page 162) Contains SecureXL overall statistics.
stats (on page 164) Contains the IRQ numbers and names of interfaces the SecureXL uses.
viol_statistics (on page 165) Contains SecureXL statistics for violations - packets SecureXL forwarded (F2F) to the Firewall.


/proc/ppk/affinity
Description
Contains status and the thresholds for SecureXL New Affinity mechanism.
Notes:
• This feature is activated only if there is no massive VPN traffic, and the packets-per-second rate (cut-through) is high enough to benefit from the New Affinity mechanism.
• This feature is activated only if the CPU clock speed is greater than 3 GHz.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/affinity

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/affinity

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/affinity
Current accelerated PPS : 0
Current enc. bytes rate : 0
[Expert@MyGW:0]#

/proc/ppk/conf
Description
Contains the SecureXL configuration and basic statistics.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/conf

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/conf

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/conf

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/conf

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/conf
Flags : 0x00000192
Accounting Update Interval : 3600
Conn Refresh Interval : 512
SA Sync Notification Interval : 0
UDP Encapsulation Port : 0
Min TCP MSS : 0
TCP End Timeout : 5
Connection Limit : 14900
Total Number of conns : 0
Number of Crypt conns : 0
Number of TCP conns : 0
Number of Non-TCP conns : 0
Total Number of corrs : 0

Debug flags :
0 : 0x1
1 : 0x1
2 : 0x1
3 : 0x801
4 : 0x1
5 : 0x1
6 : 0x1
7 : 0x1
8 : 0x100
9 : 0x8
10 : 0x1
11 : 0x10
[Expert@MyGW:0]#

/proc/ppk/conns
Description
Contains the list of the SecureXL connections.
Important - This file is for future use. Instead, run the 'fwaccel conns' and 'fwaccel6 conns' (on page 30) commands.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/conns

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/conns

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/conns

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/conns

/proc/ppk/cpls
Description
Contains SecureXL configuration for ClusterXL Load Sharing (CPLS).
Important - This file is for future use. Instead, refer to the fwaccel cfg -h (on page 27) command.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/cpls

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/cpls

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/cpls
fwha_conf_flags: 638
fwha_df_type: 0
fwha_member_id: 1
fwha_port: 8116
FWHAP MAC magic: 2
Forwarding MAC magic: 1
My state: ACTIVE
udp_enc_port: 0
selection table size: 0
[Expert@MyGW:0]#

/proc/ppk/cqstats
Description
Contains statistics for SecureXL connections queue.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/cqstats

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/cqstats

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/cqstats

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/cqstats

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/cqstats
Name Value Name Value
-------------------- --------------- -------------------- ---------------
Queued pkts 0 Queue fail 0
Dequeue & f2f 0 Dequeue & drop 0
Dequeue & resume 0 Async index req 0
Err Async index req 0 Async index cb 0
Err Async index cb 0 Queue alloc fail 0
Queue empty err 0
[Expert@MyGW:0]#

/proc/ppk/drop_statistics
Description
Contains SecureXL statistics for dropped packets.
Note - This is the same information that the fwaccel stats -d (on page 72) command shows.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/drop_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/drop_statistics

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/drop_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/drop_statistics

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/drop_statistics
Reason Packets Reason Packets
-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
PSLXL decision 0 clr pkt on vpn 0
encrypt failed 0 drop template 0
decrypt failed 0 interface down 0
cluster error 0 XMT error 0
anti spoofing 24987 local spoofing 0
sanity error 0 monitored spoofed 0
QOS decision 0 C2S violation 0
S2C violation 0 Loop prevention 0
DOS Fragments 0 DOS IP Options 0
DOS Blacklists 0 DOS Penalty Box 0
DOS Rate Limiting 0 Syn Attack 0
Reorder 0 Defrag timeout 0
[Expert@MyGW:0]#

/proc/ppk/ifs
Description
Contains the list of interfaces that SecureXL uses.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/ifs

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/ifs

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/ifs
No | Interface | Address | IRQ | F | SIM F | Dev | Output Func | Features
-------------------------------------------------------------------------------------------------------------
2 | eth0 | 192.168.3.242 | 67 | 39 | 80 | 0xffff81023e836000 | 0x000013a0
3 | eth1 | 10.20.30.242 | 75 | 29 | 88 | 0xffff81023d508000 | 0x000013a0
4 | eth2 | 0.0.0.0 | 59 | 1 | 80 | 0xffff81023d6b4000 | 0x000013a0
5 | eth3 | 192.168.196.18 | 67 | 29 | 80 | 0xffff81023dbc1000 | 0x000013a0
6 | eth4 | 192.168.196.18 | 83 | 29 | 80 | 0xffff81023d678000 | 0x000013a0
7 | eth5 | 0.0.0.0 | 75 | 1 | 80 | 0xffff81023c6ba000 | 0x000013a0
8 | eth6 | 0.0.0.0 | 59 | 1 | 80 | 0xffff81023e370000 | 0x000013a0
11 | eth2.53 | 192.168.196.2 | 0 | 29 | 580 | 0xffff81022ca90000 | 0x000013a0
12 | eth2.52 | 192.168.196.2 | 0 | 29 | 580 | 0xffff81022c980000 | 0x000013a0
[Expert@MyGW:0]#

Example for IPv6


[Expert@MyGW:0]# cat /proc/ppk6/ifs
No | Interface | Address | IRQ | F | SIM F | Dev | Output Func | Features
-------------------------------------------------------------------------------------------------------------
2 | eth0 | fe80:0:0:0:250:56ff:fea3:3038 | 67 | 39 | 80 | 0xffff81023f57e000 | 0x000013a0
3 | eth1 | fe80:0:0:0:250:56ff:fea3:770b | 75 | 29 | 80 | 0xffff81023b9d7000 | 0x000013a0
4 | eth2 | fe80:0:0:0:250:56ff:fea3:c39 | 59 | 1 | 80 | 0xffff81023e161000 | 0x000013a0
7 | eth5 | fe80:0:0:0:250:56ff:fea3:4242 | 75 | 1 | 80 | 0xffff81023de56000 | 0x000013a0
8 | eth6 | fe80:0:0:0:250:56ff:fea3:2039 | 59 | 1 | 480 | 0xffff81023c06a000 | 0x000013a0
[Expert@MyGW:0]#

Explanation about the configuration flags in the "F" and "SIM F" columns
The "F" column shows the internal configuration flags that the Firewall sets on these interfaces.
The "SIM F" column shows the internal configuration flags that SecureXL sets on these interfaces.
Flag Description
0x001 If this flag is set, the SecureXL drops the packet at the end of the inbound inspection, if the packet is a "cut-through" packet. In outbound, SecureXL forwards all the packets to the network.
0x002 If this flag is set, the SecureXL sends an appropriate notification whenever a TCP state change occurs (connection is established / torn down).
0x004 If this flag is set, the SecureXL sets the UDP header's checksum field correctly when the SecureXL encapsulates an encrypted packet (UDP encapsulation). If this flag is not set, SecureXL sets the UDP header's checksum field to zero. It is safe to ignore this flag if it is set to 0 (SecureXL still calculates the UDP packet's checksum).
0x008 If this flag is set, the SecureXL does not create new connections that match a template, and SecureXL drops the packet that matches the template, when the Connections Table reaches the specified limit. If this flag is not set, the SecureXL forwards the packet to the Firewall.
0x010 If this flag is set, the SecureXL forwards fragments to the Firewall.
0x020 If this flag is set, the SecureXL does not create connections from TCP templates anymore. The Firewall can still offload connections to SecureXL. This flag disables only the creation of TCP templates.
0x040 If this flag is set, the SecureXL periodically notifies the Firewall, so that it refreshes the accelerated connections in the Firewall kernel tables.
0x080 If this flag is set, the SecureXL does not create connections from non-TCP templates anymore. The Firewall can still offload connections to SecureXL. This flag disables only the creation of non-TCP templates.
0x100 If this flag is set, the SecureXL allows sequence verification violations for connections that did not complete the TCP 3-way handshake process (otherwise, SecureXL must forward the violating packets to the Firewall).
0x200 If this flag is set, the SecureXL allows sequence verification violations for connections that completed the TCP 3-way handshake process (otherwise, SecureXL must forward the violating packets to the Firewall).
0x400 If this flag is set, the SecureXL forwards TCP [RST] packets to the Firewall.
0x0001 If this flag is set, the SecureXL notifies the Firewall about HitCount data.
0x0002 If this flag is set, the VSX Virtual System acts as a junction, rather than a normal Virtual System (only the local Virtual System flag is applicable).
0x0004 If this flag is set, the SecureXL disables the replay counter of inbound encrypted traffic. This makes the SecureXL kernel module act in the same way as the VPN kernel module does.
0x0008 If this flag is set, the SecureXL enables the MSS Clamping. Refer to the kernel parameters 'fw_clamp_tcp_mss' and 'fw_clamp_vpn_mss' in sk101219 http://supportcontent.checkpoint.com/solutions?id=sk101219.
0x0010 If this flag is set, the SecureXL disables the "No Match Ranges" (NMR) Templates (see sk117755 http://supportcontent.checkpoint.com/solutions?id=sk117755).
0x0020 If this flag is set, the SecureXL disables the "No Match Time" (NMT) Templates (see sk117755 http://supportcontent.checkpoint.com/solutions?id=sk117755).
0x0040 If this flag is set, the SecureXL does not send Drop Templates notifications (about dropped packets) to the Firewall (to maintain the drop counters). For example, if you set the value of the kernel parameter activate_optimize_drops_support_now to 1, it disables the Drop Templates notifications.
0x0080 If this flag is set, the SecureXL enables the MultiCore support for IPsec VPN (see sk118097 http://supportcontent.checkpoint.com/solutions?id=sk118097).
0x0100 If this flag is set, the SecureXL enables the support for CoreXL Dynamic Dispatcher (see sk105261 http://supportcontent.checkpoint.com/solutions?id=sk105261).
0x0800 If this flag is set, the SecureXL does not enforce the Path MTU Discovery for IP multicast packets.
0x1000 If this flag is set, the SecureXL disables the SIM "drop_templates" feature.
0x2000 If this flag is set, it indicates that an administrator enabled the Link Selection Load Sharing feature.
0x4000 If this flag is set, the SecureXL disables the asynchronous notification feature.
0x8000 If this flag is set, it indicates that the Firewall Connections Table capacity is unlimited.

Examples:

Value Description
0x039 Means the sum of these flags:
• 0x001
• 0x008
• 0x010
• 0x020
0x00008a16 Means the sum of these flags:
• 0x0002
• 0x0004
• 0x0010
• 0x0200
• 0x0800
• 0x8000
0x00009a16 Means the sum of these flags:
• 0x0002
• 0x0004
• 0x0010
• 0x0200
• 0x0800
• 0x1000
• 0x8000
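
The examples above decompose a flag value by hand. The shell function below is an added example (not part of the guide or of SecureXL) that performs the same decomposition for any value, so that each bit can be looked up in the two tables above. Because the ifs output prints the "F" and "SIM F" columns without a 0x prefix (the eth0 row shows F = 39, and the example above decodes 0x039), the function also accepts a bare value and treats it as hexadecimal; that reading of the columns is an assumption drawn from those two examples.

```sh
#!/bin/sh
# Added example, not Check Point code: split an "F" / "SIM F" value into the
# single-bit flags it is the sum of. Bare values (as printed by /proc/ppk/ifs)
# are assumed to be hexadecimal, the same way the worked examples read them.

# decode_flags VALUE: prints the set bits, lowest first, formatted as 0x%04x.
# Returns 1 when VALUE is not a hexadecimal number.
decode_flags() {
    hex=${1#0x}
    hex=${hex#0X}
    case $hex in
        ''|*[!0-9A-Fa-f]*) echo "not a hexadecimal value: $1" >&2; return 1 ;;
    esac
    value=$(( 0x$hex ))
    bit=1
    out=""
    while [ "$bit" -le "$value" ]; do
        if [ $(( value & bit )) -ne 0 ]; then
            out="${out:+$out }$(printf '0x%04x' "$bit")"
        fi
        bit=$(( bit << 1 ))
    done
    printf '%s\n' "$out"
}

# flag_count VALUE: number of flags set in VALUE.
flag_count() {
    decode_flags "$1" | wc -w | tr -d ' '
}

# The three worked examples from the table above, plus two raw column values
# taken from the eth0 row of the ifs output (F = 39, SIM F = 80).
for v in 0x039 0x00008a16 0x00009a16 39 80; do
    printf '%-12s = %s\n' "$v" "$(decode_flags "$v")"
done
```

Each bit printed for a value taken from the "F" column is looked up in the first table (0x001 to 0x400), and each bit from the "SIM F" column in the second table (0x0001 to 0x8000); the function itself only separates the bits.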

/proc/ppk/mcast_statistics
Description
Contains SecureXL statistics for multicast traffic.
Note - This is the same information that the fwaccel stats -m (on page 72) command shows.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/mcast_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/mcast_statistics

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/mcast_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/mcast_statistics

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/mcast_statistics
Name Value Name Value
-------------------- --------------- -------------------- ---------------
in packets 0 out packets 0
if restricted 0 conns with down if 0
f2f packets 0 f2f bytes 0
dropped packets 0 dropped bytes 0
accel packets 0 accel bytes 0
mcast conns 0
[Expert@MyGW:0]#

/proc/ppk/nac
Description
Contains SecureXL statistics for Identity Awareness Network Access Control (NAC) traffic.
Note - This is the same information that the fwaccel stats -n (on page 72) command shows.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/nac

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/nac

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/nac

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/nac

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/nac
Name Value Name Value
-------------------- --------------- -------------------- ---------------
NAC packets 0 NAC bytes 0
NAC connections 0 complience failure 0
[Expert@MyGW:0]#

/proc/ppk/notify_statistics
Description
Contains SecureXL statistics for notifications SecureXL sent to Firewall about accelerated
connections.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/notify_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/notify_statistics

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/notify_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/notify_statistics

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/notify_statistics
Notification Packets Notification Packets
--------------------- -------------- --------------------- --------------
ntSAAboutToExpire 0 ntSAExpired 0
ntMSPIError 0 ntNoInboundSA 0
ntNoOutboundSA 0 ntDataIntegrityFailed 0
ntPossibleReplay 0 ntReplay 0
ntNextProtocolError 0 ntCPIError 0
ntClearTextPacket 0 ntFragmentation 0
ntUpdateUdpEncTable 0 ntSASync 0
ntReplayOutOfWindow 0 ntVPNTrafficReport 0
ntConnDeleted 0 ntConnUpdate 0
ntPacketDropped 421 ntSendLog 0
ntRefreshGTPTunnel 0 ntMcastDrop 0
ntAccounting 0 ntAsyncIndex 0
ntACkReordering 0 ntAccelAckInfo 0
ntMonitorPacket 0 ntPacketCapture 0
ntCpasPacketCapture 0 ntPSLGlueUpdateReject 0
ntSeqVerifyDrop 0 ntPacketForwardBefore 0
ntICMPMessage 0 ntQoSReclassifyPacket 0
ntQoSResumePacket 0 ntVPNEncHaLinkFailure 0
ntVPNEncLsLinkFailure 0 ntVPNEncRouteChange 0
ntVPNDecVerRouteChang 0 ntVPNDecRouteChange 0
ntMuxSimToFw 0 ntPSLEventLog 0
ntSendCPHWDStats 2509 ntPacketTaggingViolat 0
ntDosNotify 0 ntSynatkNotify 0
ntSynatkStats 0 ntQoSEventLog 0
ntPrintGetParam 0
[Expert@MyGW:0]#

/proc/ppk/profile_cpu_stat
Description
This file is for Check Point use only.
Contains IDs of the CPU cores and status of Traffic Profiling:
• The first column shows the IDs of the CPU cores.
• The second column shows the status of Traffic Profiling for the applicable CPU core.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/profile_cpu_stat

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/profile_cpu_stat

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/profile_cpu_stat

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/profile_cpu_stat

Example for IPv4 from a Security Gateway with 4 CPU cores


[Expert@MyGW:0]# cat /proc/ppk/profile_cpu_stat
0 0
1 0
2 0
3 0
[Expert@MyGW:0]#

/proc/ppk/rlc
Description
Contains SecureXL statistics for drops due to Rate Limiting for DoS Mitigation (on page 21).

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/rlc

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/rlc

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/rlc
Total drop packets : 0
Total drop bytes : 0
[Expert@MyGW:0]#

/proc/ppk/statistics
Description
Contains SecureXL overall statistics.
For a more readable presentation of these statistics, run the 'fwaccel stats' and 'fwaccel6 stats' (on page 72) commands.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/statistics

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/statistics

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/statistics
Name Value Name Value
-------------------- --------------- -------------------- ---------------
accel packets 0 accel bytes 0
outbound packets 0 outbound bytes 0
conns created 0 conns deleted 0
current total conns 0 TCP conns 0
non TCP conns 0 nat conns 0
dropped packets 728 dropped bytes 107978
fragments received 0 fragments transmit 0
fragments dropped 0 fragments expired 0
IP options stripped 0 IP options restored 0
IP options dropped 0 corrs created 0
corrs deleted 0 C corrections 0
corrected packets 0 corrected bytes 0
crypt conns 0 enc bytes 0
dec bytes 0 ESP enc pkts 0
ESP enc err 0 ESP dec pkts 0
ESP dec err 0 ESP other err 0
espudp enc pkts 0 espudp enc err 0
espudp dec pkts 0 espudp dec err 0
espudp other err 0 acct update interval 3600
CPASXL packets 0 PSLXL packets 0
CPASXL async packets 0 PSLXL async packets 0
CPASXL bytes 0 PSLXL bytes 0
CPASXL conns 0 PSLXL conns 0
CPASXL conns created 0 PSLXL conns created 0
PXL FF conns 0 PXL FF packets 0
PXL FF bytes 0 PXL FF acks 0
PXL no conn drops 0 PSL Inline packets 0
PSL Inline bytes 0 CPAS Inline packets 0
CPAS Inline bytes 0 Total QoS conns 0
CLASSIFY 0 CLASSIFY_FLOW 0
RECLASSIFY_POLICY 0 Enq-IN FW pkts 0
Enq-OUT FW pkts 0 Deq-IN FW pkts 0
Deq-OUT FW pkts 0 Enq-IN FW bytes 0
Enq-OUT FW bytes 0 Deq-IN FW bytes 0
Deq-OUT FW bytes 0 Enq-IN AXL pkts 0
Enq-OUT AXL pkts 0 Deq-IN AXL pkts 0
Deq-OUT AXL pkts 0 Enq-IN AXL bytes 0
Enq-OUT AXL bytes 0 Deq-IN AXL bytes 0
Deq-OUT AXL bytes 0 F2F packets 0
F2F bytes 0 TCP violations 0
F2V conn match pkts 0 F2V packets 0
F2V bytes 0 gtp tunnels created 0
gtp tunnels 0 gtp accel pkts 0
gtp f2f pkts 0 gtp spoofed pkts 0
gtp in gtp pkts 0 gtp signaling pkts 0
gtp tcpopt pkts 0 gtp apn err pkts 0
memory used 38799384 C tcp handshake conn 0
C tcp estab. conns 0 C tcp closed conns 0
C tcp pxl hnshk conn 0 C tcp pxl est. conn 0
C tcp pxl closed 0 ob cpasxl packets 0
ob pslxl packets 0 ob cpasxl bytes 0
ob pslxl bytes 0 DNS DoR stats 0
trimmed pkts
[Expert@MyGW:0]#

/proc/ppk/stats
Description
Contains the IRQ numbers and names of interfaces the SecureXL uses.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/stats

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/stats

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/stats
IRQ | Interface
---------------------------
67 eth0
75 eth1
59 eth2
67 eth3
83 eth4
75 eth5
59 eth6
[Expert@MyGW:0]#

/proc/ppk/viol_statistics
Description
Contains SecureXL statistics for violations - packets SecureXL forwarded (F2F) to the Firewall.
Note - This is the same information that the fwaccel stats -p (on page 72) command shows.

Syntax for IPv4


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/viol_statistics

Syntax for IPv6


[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/viol_statistics

Example for IPv4


[Expert@MyGW:0]# cat /proc/ppk/viol_statistics
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 150
TCP-SYN miss conn 6 TCP-other miss conn 4256
UDP miss conn 11105353 other miss conn 0
VPN returned F2F 0 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
out if not def/accl 0 bridge, src=dst 0
routing decision err 0 sanity checks failed 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 cluster forward 0
chain forwarding 0 F2V conn match pkts 0
general reason 0 route changes 0
[Expert@MyGW:0]#
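
The drop_statistics, viol_statistics, cqstats, mcast_statistics, nac and statistics files all use the two-column "Name Value Name Value" layout shown above, which is awkward to grep because each line carries two counters and the names contain spaces. The script below is an added example (not part of the guide or of SecureXL) that turns that layout into one name=value per line and then lists the counters that are not zero, which is how a practitioner would spot the "anti spoofing" drops or the "UDP miss conn" violations in the outputs above. The sample inputs are constructed from a few lines of those outputs.

```sh
#!/bin/sh
# Added example, not Check Point code: parse the two-column counter layout of
# the /proc/ppk statistics files and report the counters that are not zero.

# parse_pairs: reads the /proc output on stdin. Counter names are words and a
# run of digits ends a name, so a line holding two pairs yields two lines.
# Header, rule and prompt lines contain no purely numeric token, so they
# produce nothing; a trailing name without a value (a truncated line) is dropped.
parse_pairs() {
    awk '{
        name = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9]+$/) {
                print name "=" $i
                name = ""
            } else {
                name = (name == "") ? $i : name " " $i
            }
        }
    }'
}

# nonzero_counters: parsed pairs whose value is not 0. Exit status 1 means
# every counter was zero (grep found nothing to print).
nonzero_counters() {
    parse_pairs | grep -v '=0$'
}

# Constructed samples: a few lines each from the drop_statistics and
# viol_statistics outputs shown in the guide, prompt line included.
SAMPLE_DROP_STATISTICS='Reason Packets Reason Packets
-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
anti spoofing 24987 local spoofing 0
DOS Rate Limiting 0 Syn Attack 0
[Expert@MyGW:0]#'

SAMPLE_VIOL_STATISTICS='Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 150
TCP-SYN miss conn 6 TCP-other miss conn 4256
UDP miss conn 11105353 other miss conn 0'

echo "drop_statistics, non-zero counters:"
printf '%s\n' "$SAMPLE_DROP_STATISTICS" | nonzero_counters
echo "viol_statistics, non-zero counters:"
printf '%s\n' "$SAMPLE_VIOL_STATISTICS" | nonzero_counters
```

On a Security Gateway the same functions read the live files, for example cat /proc/ppk/drop_statistics | nonzero_counters, and a second run after a known interval gives the rate at which a counter such as "anti spoofing" grows.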

SecureXL Debug
In This Section:
fwaccel dbg....................................................................................................167
SecureXL Debug Procedure ............................................................................171
SecureXL Debug Modules and Debug Flags......................................................174

To understand how SecureXL processes the traffic, enable the SecureXL debug while the traffic
passes through the Security Gateway.
Important - Debug increases the load on the Security Gateway's CPU. We recommend that you schedule a maintenance window to debug the SecureXL.
In addition, see Kernel Debug on Security Gateway (on page 262).

fwaccel dbg
Description
This command controls the SecureXL debug. See SecureXL Debug (on page 166).
Important - In Cluster, you must configure the SecureXL in the same way on all the Cluster
Members.

Syntax
fwaccel dbg
-h
-m <Name of SecureXL Debug Module>
all
+ <Debug Flags>
- <Debug Flags>
reset
-f {"<5-Tuple Debug Filter>" | reset}
list
resetall

Parameters
Parameter Description
-h Shows the applicable built-in help.
-m <Name of SecureXL Debug Module> Specifies the name of the SecureXL debug module. To see the list of available debug modules, run: fwaccel dbg
all Enables all debug flags for the specified debug module.
+ <Debug Flags> Enables the specified debug flags for the specified debug module.
Syntax:
+ Flag1 [Flag2 Flag3 ... FlagN]
Note - You must press the space bar key after the plus (+) character.
- <Debug Flags> Disables the specified debug flags for the specified debug module.
Syntax:
- Flag1 [Flag2 Flag3 ... FlagN]
Note - You must press the space bar key after the minus (-) character.
reset Resets all debug flags for the specified debug module to their default state.
-f "<5-Tuple Debug Filter>" Configures the debug filter to show only debug messages that contain the specified connection.
The filter is a string of five numbers separated with commas:
"<Source IP Address>,<Source Port>,<Destination IP Address>,<Destination Port>,<Protocol Number>"
Notes:
• You can configure only one debug filter at one time.
• You can use the asterisk "*" as a wildcard for an IP Address, Port number, or Protocol number.
• For more information, see IANA - Port Numbers https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml and IANA - Protocol Numbers https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
-f reset Resets the current debug filter.
list Shows all enabled debug flags in all debug modules.
resetall Resets all debug flags for all debug modules to their default state.
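
The -f parameter accepts a 5-tuple string whose fields must be in the right order and of the right type, and a malformed filter is easy to produce by hand. The functions below are an added example (not part of the guide or of fwaccel) that check a filter string against the format described above before it is passed to fwaccel dbg -f: exactly five comma-separated fields, each one either "*" or a value of its type. Only IPv4 addresses are checked; the port range 0-65535 and the protocol range 0-255 are the IANA ranges the page links to, not limits the page itself states.

```sh
#!/bin/sh
# Added example, not Check Point code: validate a "fwaccel dbg -f" 5-tuple
# "<Source IP>,<Source Port>,<Destination IP>,<Destination Port>,<Protocol>"
# where any field may be the wildcard "*".

# is_uint_in_range VALUE MIN MAX: VALUE is all digits and MIN <= VALUE <= MAX.
is_uint_in_range() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# is_ipv4 VALUE: exactly four dotted decimal octets, each 0-255.
is_ipv4() {
    addr="$1."
    octets=0
    while [ -n "$addr" ]; do
        is_uint_in_range "${addr%%.*}" 0 255 || return 1
        addr=${addr#*.}
        octets=$((octets + 1))
    done
    [ "$octets" -eq 4 ]
}

# validate_filter FILTER: 0 when FILTER is well formed, 1 otherwise (wrong
# number of fields, bad address, port or protocol number out of range).
validate_filter() {
    rest="$1,"
    n=0
    while [ -n "$rest" ]; do
        field=${rest%%,*}
        rest=${rest#*,}
        n=$((n + 1))
        [ "$field" = "*" ] && continue      # the wildcard is valid in any position
        case $n in
            1|3) is_ipv4 "$field" || return 1 ;;
            2|4) is_uint_in_range "$field" 0 65535 || return 1 ;;
            5)   is_uint_in_range "$field" 0 255 || return 1 ;;
            *)   return 1 ;;                # more than five fields
        esac
    done
    [ "$n" -eq 5 ]
}

# Demonstration on the filter from Example 4 below and on three malformed ones.
for f in "192.168.20.30,*,172.16.40.50,22,6" "*,*,*,*,*" \
         "192.168.20.30,*,172.16.40.50,22" "10.0.0.256,*,*,*,*" "*,70000,*,*,*"; do
    if validate_filter "$f"; then
        echo "valid:   $f"
    else
        echo "invalid: $f"
    fi
done
```

A wrapper can call validate_filter first and run fwaccel dbg -f "<filter>" only when it returns 0; because only one filter can be active at a time, that avoids replacing a working filter with a broken one during a maintenance window.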

Example 1 - Default output


[Expert@MyGW:0]# fwaccel dbg
Usage: fwaccel dbg [-m <...>] [resetall | reset | list | all | +/- <flags>]
-m <module> - module of debugging
-h - this help message
resetall - reset all debug flags for all modules
reset - reset all debug flags for module
all - set all debug flags for module
list - list all debug flags for all modules
-f reset | "<5-tuple>" - filter debug messages
+ <flags> - set the given debug flags
- <flags> - unset the given debug flags

List of available modules and flags:

Module: default (default)
err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf
stat queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

Module: db
err get save del tmpl tmo init ant profile nmr nmt

Module: api
err init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf upd_if_inf
add_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_ver del_all_tmpl
get_state upd_link_sel

Module: pkt
err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user deliver vlan
pkt nat wrp corr caf

Module: infras
err reorder pm

Module: tmpl
err dtmpl_get dtmpl_notif tmpl

Module: vpn
err vpnpkt linksel routing vpn

Module: nac
err db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaq
init client server exp cbuf opreg transport transport_utils error

Module: synatk
init conf conn err log pkt proxy state msg

Module: adp
err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#

Example 2 - Enabling and disabling of debug flags


[Expert@MyGW:0]# fwaccel dbg -m default + err conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)
err conn

Module: db (1)
err

Module: api (1)
err

Module: pkt (1)
err

Module: infras (1)
err

Module: tmpl (1)
err

Module: vpn (1)
err

Module: nac (1)
err

Module: cpaq (100)
error

Module: synatk (0)

Module: adp (1)
err

Module: dos (10)
err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default - conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)
err

Module: db (1)
err

Module: api (1)
err

Module: pkt (1)
err

Module: infras (1)
err

Module: tmpl (1)
err

Module: vpn (1)
err

Module: nac (1)
err

Module: cpaq (100)
error

Module: synatk (0)

Module: adp (1)
err

Module: dos (10)
err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default reset
Debug flags updated.
[Expert@MyGW:0]#

Example 3 - Resetting all debug flags in all debug modules


[Expert@MyGW:0]# fwaccel dbg resetall
Debug state was reset to default.
[Expert@MyGW:0]#

Example 4 - Configuring debug filter for an SSH connection from 192.168.20.30 to 172.16.40.50


[Expert@MyGW:0]# fwaccel dbg -f 192.168.20.30,*,172.16.40.50,22,6
Debug filter was set.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: "<*,*,*,*,*>"


[Expert@MyGW:0]#

SecureXL Debug Procedure


By default, SecureXL writes the output debug information to the /var/log/messages file.
To collect the applicable SecureXL debug and to make its analysis easier, perform the steps below.
Note - For more information, see the R80.20 Next Generation Security Gateway Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_NextGenSecurityGateway_Guide/html_frameset.htm - Chapter Kernel Debug on Security Gateway (on page 262).
Important:
• We strongly recommend that you schedule a full maintenance window to minimize the impact on your production traffic.
• We strongly recommend that you connect over a serial console to your Security Gateway. This avoids a possible situation in which you cannot work with the CLI because of a high load on the CPU.
• In a cluster, you must collect this debug from all Cluster Members in the same way.
• Debug a specific SecureXL instance only when you are sure that only that SecureXL instance processes the traffic.
Procedure:

Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to the Expert mode.
3 Reset all kernel debug flags in all kernel debug modules:
fw ctl debug 0
4 Reset all the SecureXL debug flags in all SecureXL debug modules.
• For all SecureXL instances:
fwaccel dbg resetall
• For a specific SecureXL instance:
fwaccel -i <SecureXL ID> dbg resetall
5 Allocate the kernel debug buffer:
fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}]
6 Make sure the Security Gateway allocated the kernel debug buffer:
fw ctl debug | grep buffer
7 Configure the applicable kernel debug modules and kernel debug flags:
fw ctl debug -m <Name of Kernel Debug Module> {all | + <Kernel Debug Flags>}

8 Configure the applicable SecureXL debug modules and SecureXL debug flags.
• For all SecureXL instances:
fwaccel dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}
• For a specific SecureXL instance:
fwaccel -i <SecureXL ID> dbg -m <Name of SecureXL Debug Module> {all | + <SecureXL Debug Flags>}
9 Examine the kernel debug configuration for kernel debug modules:
fw ctl debug
10 Examine the SecureXL debug configuration for SecureXL debug modules.
• For all SecureXL instances:
fwaccel dbg list
• For a specific SecureXL instance:
fwaccel -i <SecureXL ID> dbg list
11 Remove all entries from both the Firewall Connections table and SecureXL Connections
table:
fw tab -t connections -x -y
Important:
• This step makes sure that you collect the debug of the real issue that is not affected
by the existing connections.
• This command deletes all existing connections. This interrupts all connections,
including the SSH.
Run this command only if you are connected over a serial console to your Security
Gateway.
12 Remove all entries from the Firewall Templates table:
fw tab -t cphwd_tmpl -x -y
Note - This command does not interrupt the existing connections. This step makes sure
that you collect the debug of the real issue that is not affected by the existing connection
templates.
13 Start the kernel debug:
fw ctl kdebug -T -f > /var/log/kernel_debug.txt
14 Replicate the issue, or wait for the issue to occur.
15 Stop the kernel debug:
Press CTRL+C.
16 Reset all kernel debug flags in all kernel debug modules:
fw ctl debug 0

17 Reset all the SecureXL debug flags in all SecureXL debug modules.
• For all SecureXL instances:
fwaccel dbg resetall
• For a specific SecureXL instance:
fwaccel -i <SecureXL ID> dbg resetall
18 Examine the kernel debug configuration to make sure it returned to the default:
fw ctl debug
19 Examine the SecureXL debug configuration to make sure it returned to the default.
• For all SecureXL instances:
fwaccel dbg list
• For a specific SecureXL instance:
fwaccel -i <SecureXL ID> dbg list
20 Collect and analyze the debug output file:
/var/log/kernel_debug.txt
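
The twenty steps above are typed one at a time, and the ones that matter most for a production gateway (steps 16 to 19, returning both debug engines to their defaults) are the ones most easily forgotten when the capture is cut short. The script below is an added example (not part of the guide or of Check Point's tooling) that wraps the procedure with a shell trap, so the reset runs even when CTRL+C interrupts the capture, and that refuses to start the capture when the kernel debug buffer check of step 6 fails. The fw and fwaccel commands and options are the ones the procedure lists; the variable and function names are this example's own, and the default kernel debug module fw with flag drop is an assumption chosen for illustration, since step 7 leaves the module and flags to the operator.

```sh
#!/bin/sh
# Added example, not Check Point code: run the SecureXL debug procedure with a
# guaranteed reset. fw / fwaccel are the commands documented in the procedure.

KDEBUG_MODULE=${KDEBUG_MODULE:-fw}          # assumed kernel debug module (step 7)
KDEBUG_FLAGS=${KDEBUG_FLAGS:-drop}          # assumed kernel debug flags (step 7)
SXL_MODULE=${SXL_MODULE:-default}           # SecureXL debug module (step 8)
SXL_FLAGS=${SXL_FLAGS:-err conn}            # SecureXL debug flags (step 8)
SXL_INSTANCE=${SXL_INSTANCE:-}              # empty = all SecureXL instances
FLUSH_CONNECTIONS=${FLUSH_CONNECTIONS:-no}  # step 11 drops every session, SSH included
DEBUG_OUT=${DEBUG_OUT:-/var/log/kernel_debug.txt}

# fwaccel_dbg ARGS: "fwaccel dbg ARGS" for all instances, or
# "fwaccel -i <ID> dbg ARGS" when SXL_INSTANCE names one instance.
fwaccel_dbg() {
    if [ -n "$SXL_INSTANCE" ]; then
        fwaccel -i "$SXL_INSTANCE" dbg "$@"
    else
        fwaccel dbg "$@"
    fi
}

# reset_debug: steps 3 and 4 before the capture, steps 16 and 17 after it.
reset_debug() {
    fw ctl debug 0
    fwaccel_dbg resetall
}

# arm_debug: steps 3 to 10. Stops when the kernel debug buffer is not
# allocated (step 6), because the capture in step 13 would then be empty.
arm_debug() {
    reset_debug
    fw ctl debug -buf 8200
    if ! fw ctl debug | grep -q buffer; then
        echo "kernel debug buffer was not allocated, aborting" >&2
        return 1
    fi
    # The flag lists are meant to be word-split, hence unquoted.
    fw ctl debug -m "$KDEBUG_MODULE" + $KDEBUG_FLAGS
    fwaccel_dbg -m "$SXL_MODULE" + $SXL_FLAGS
    fw ctl debug         # step 9: show the kernel debug configuration
    fwaccel_dbg list     # step 10: show the SecureXL debug configuration
}

# flush_tables: step 12 always (templates only, does not interrupt sessions);
# step 11 only on explicit request, because it tears down every connection.
flush_tables() {
    if [ "$FLUSH_CONNECTIONS" = yes ]; then
        fw tab -t connections -x -y
    fi
    fw tab -t cphwd_tmpl -x -y
}

# capture_debug: steps 13 to 19. The trap runs the reset and the two
# verification commands whenever the capture ends, including on CTRL+C.
capture_debug() {
    trap 'reset_debug; fw ctl debug; fwaccel_dbg list; trap - INT TERM EXIT' INT TERM EXIT
    echo "capturing to $DEBUG_OUT; press CTRL+C once the issue has been reproduced"
    fw ctl kdebug -T -f > "$DEBUG_OUT"
}

# The procedure runs only when requested, so the file can be sourced for its
# functions without touching a gateway.
if [ "${RUN_SECUREXL_DEBUG:-no}" = yes ]; then
    arm_debug && flush_tables && capture_debug
fi
```

Run it as RUN_SECUREXL_DEBUG=yes SXL_INSTANCE=2 sh securexl_debug.sh from a serial console to debug SecureXL instance 2 only, or leave SXL_INSTANCE empty for all instances; step 20, analysing /var/log/kernel_debug.txt, stays a manual step.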

SecureXL Debug Modules and Debug Flags


To see the available SecureXL debug modules and their debug flags, run: fwaccel dbg
• Module default
Flag Description
acct Connection accounting information
ant Anticipated connections
conf Configuration of the SecureXL (for example, interfaces)
conn Processing of connections
conn_app Processing of connections
corr Correction layer
cpdrv Currently not in use
del Deletion of connections
drv Driver information
err General errors
gtp Processing of GTP tunnel connections
gtp_pkt Processing of GTP tunnel packets
htab Hash table
infra_ids Allocating IDs for a given range in Identity Awareness
init Initialization
ioctl Changes in the configuration that were initiated from user space
iter Connection table iterator
kdrv Driver information
lock Lock initializing and finalizing
nat Processing of NAT connections
offload Offloading of connections from the Firewall to the SecureXL
queue Connections queue
relations Related connections (such as FTP data connections)
rngs Handling of SecureXL ranges
rngs_print Printing of SecureXL ranges
routing Handling of SecureXL routing
stat Handling of SecureXL statistics
svm Registering templates or connections for System Counters in the Security Gateway object in SmartConsole
tag Tags that were added to the packets by SecureXL before forwarding them to the Firewall
tcp_sv Verification of sequence in TCP packets
update Updates of connections
util Utilization

• Module pkt (Packet)


Flag Description
acct Connection accounting information
caf Mirror and Decrypt feature - Mirror only of all traffic
corr Correction layer
cpls ClusterXL Load Sharing
deliver Packet delivery
drop Packets dropped by SecureXL
err General errors
f2f Reason for forwarding a packet to the Firewall
frag Processing of fragments
nat Processing of NAT connections
notif Notifications sent to the Firewall
pkt Processing of packets
pxl PXL (PacketXL) handling - API between SecureXL and PSL (Packet Streaming Layer), the TCP streaming engine that parses TCP streams
qos QoS acceleration
routing Handling of SecureXL routing
spoof Handling of SecureXL Anti-Spoofing
sv Validation of sequence in TCP packets
tcp_state Validation of TCP state in TCP packets
tcp_state_pkt Validation of TCP packets
user Currently not in use
vlan Handling of VLAN tags
wrp Handling of WRP interfaces in VSX

• Module db (Database)
Flag Description
ant Anticipated connections
del Deleting of data from the SecureXL database

err General errors
get Retrieving of data from the SecureXL database
init Initializing and finalizing of SecureXL database
nmr "No Match Ranges" templates, which allow SecureXL Accept Templates for rules that contain Dynamic objects or Domain objects (or for rules located below such rules)
nmt "No Match Time" templates, which allow SecureXL Accept Templates for rules that contain Time objects (or for rules located below such rules)
profile Operations on profile table
save Saving of data to the SecureXL database
tmo Handling of timeouts for SecureXL database entries
tmpl Handling of SecureXL templates database

• Module api (Application Programmable Interface)


Flag Description
acct Connection accounting information
add Adding of connections
add_sa Offloading of VPN SA to SecureXL
conf Configuration of the SecureXL (for example, interfaces)
del Deletion of connections
del_all_sas Deletion of all VPN SAs from SecureXL
del_all_tmpl Deletion of the SecureXL Templates
del_sa Deletion of VPN SA from SecureXL
err General errors
get_features Getting features buffer (in SecureXL initialization)
get_stat Retrieving of SecureXL statistics
get_state Getting the connection state from SecureXL
get_tab Some extra printouts when processing SecureXL tables
gtp Processing of GTP tunnel connections
infra SecureXL infrastructure
init Enabling and disabling of SecureXL
long_ver Prints additional verbose information about connections
misc Prints additional information about SecureXL internals
notif Notifications sent to the Firewall

pxl PXL (PacketXL) handling - API between SecureXL and PSL (Packet Streaming Layer), the TCP streaming engine that parses TCP streams
qos QoS acceleration
reset_stat Prints statistics IDs that are reset
stat Handling of SecureXL statistics
sv Validation of sequence in TCP packets
tag Tags that were added to the packets by the SecureXL before
forwarding them to the Firewall
tmpl Handling of SecureXL Templates
tmpl_info Information about SecureXL Templates
upd_conf Update of SecureXL in ClusterXL Load Sharing
upd_if_inf Prints whether SecureXL updated its information about interfaces
upd_link_sel Updates of VPN Link Selection
update Updates of connections

vpn Processing of VPN connection

• Module adp (acceleration cards - see sk116242 http://supportcontent.checkpoint.com/solutions?id=sk116242)
Flag Description
ac_print Prints additional information
bond Information about Bond interfaces
bpl Information about packet processing in the backplane
bplinf Information about packet processing in the backplane
drop Information about packet drops in the backplane
err General errors
eth Information about ports from the acceleration card's point of view
heth Information about ports from the Host Security Appliance's point of view
if Information about interfaces
inf Information about slots and ports
ipsctl Information about slots
mbeinf Information about packet processing in the backplane
mbs Information about packet processing in the backplane

nh Handling of next hop routing
rt Handling of general routing
wrp Handling of WRP interfaces in VSX
xmode Events in the known neighbors database
xnp Information about slots

• Module infras (Identity Awareness - Identities Infrastructure)


Flag Description
err General errors
pm Pattern Matcher
reorder Reordering of packets in queue

• Module nac (Identity Awareness - Network Access Control)


Flag Description
db Updating, adding, deleting of identities
db_get Updating, fetching, searching of identities
err General errors
idnt Identity Tags
ioctl Changes in the configuration, which were initiated from the user
space
nac Network Access Control
offload Offloading of connections from the Firewall to the SecureXL
pkt Forwarding of connections to the Firewall (when the identity is not found or revoked, or NAC packet-tagging verification failed)

pkt_ex NAC packet-tagging verification


signature Signing of packets

• Module vpn (VPN)


Flag Description
err General errors
linksel VPN Link Selection
routing VPN Encryption routing information
vpn Processing of VPN connections
vpnpkt Processing of VPN packets

• Module cpaq (Internal Asynchronous Queue)


Flag Description
cbuf Information about queue buffers
client Information about queue clients
error General errors
exp Information about expiration of queue items
init Initializing of queue
opreg Currently not in use
server Information about queue servers
transport Information about sending messages in queue
transport_utils Additional information about sending messages in queue

• Module dos (Denial of Service Defender)


Flag Description
detailed Detailed tracing of DoS Rate Limiting logic in the packet flow. Important - This debug flag is not suitable for large traffic volumes because it prints a large number of messages, which causes high CPU load.
drop Dropped packets
err General errors
fw1-cfg Information about DoS Rate Limiting configuration in the Firewall kernel module
fw1-pkt Information about DoS Rate Limiting packet flow in the Firewall kernel module
sim-cfg Information about DoS Rate Limiting configuration in the SecureXL kernel module
sim-pkt Information about DoS Rate Limiting packet flow in the SecureXL kernel module

• Module synatk (Accelerated SYN Defender)


Flag Description
conf Receiving and updating of the Accelerated SYN Defender module's configuration
conn Handling of TCP connections
err General errors
init Initializing of the Accelerated SYN Defender module
log Prints the time of the last sent monitor log and the interval between monitor logs

msg Information about internal messages in the Accelerated SYN Defender module
pkt Handling of TCP packets
proxy Currently not in use
state Information about states of the Accelerated SYN Defender module

• Module tmpl (Drop Templates)


Flag Description
err General errors
dtmpl_get Getting of Drop Templates
dtmpl_notif Notifications about Drop Templates
tmpl Information about Drop Templates

CHAPTER 3

CoreXL
In This Section:
Enabling and Disabling CoreXL........................................................................182
Default Configuration of CoreXL ......................................................................183
Configuring IPv4 and IPv6 CoreXL Firewall instances ..........................................185
CoreXL Unsupported Features ........................................................................189
Configuring Affinity Settings ............................................................................190
Performance Tuning.......................................................................................192
CoreXL Commands.........................................................................................202

CoreXL is a performance-enhancing technology for Security Gateways on multi-core platforms.


CoreXL makes it possible for the CPU cores to perform multiple tasks concurrently. This
enhances the Security Gateway performance.
CoreXL provides almost linear scalability of performance, according to the number of processing
cores on a single machine. The increase in performance does not require changes to management
or to network topology.
On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each
replicated copy of the Firewall kernel, or CoreXL Firewall instance, runs on one CPU core. These
CoreXL Firewall instances handle traffic concurrently, and each CoreXL Firewall instance is a
complete and independent Firewall inspection kernel. When CoreXL is enabled, all the Firewall
kernel instances in the Security Gateway process traffic through the same interfaces and apply
the same security policy.
CoreXL Firewall instances work with SecureXL instances.

Enabling and Disabling CoreXL


Important Notes for Cluster:
• You must configure CoreXL in the same way on all the cluster members. Otherwise, a
cluster member with a greater number of CoreXL Firewall instances by design enters the
Down state (see sk42096 http://supportcontent.checkpoint.com/solutions?id=sk42096).
• If you enable CoreXL, disable CoreXL, or change the number of CoreXL Firewall instances,
treat this change as a version upgrade.
Schedule a full maintenance window and follow the instructions in the R80.20 Installation and
Upgrade Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Installation_and_Upgrade_Guide/html_frameset.htm - Chapter Upgrading ClusterXL Deployments.
Perform either a Minimal Effort Upgrade procedure (requires downtime), or a Zero Downtime
Upgrade procedure (no downtime, but active connections are lost). At the step where that
procedure upgrades a cluster member, configure CoreXL on that member instead.

To change the CoreXL configuration:


Step Description
1 Connect to the command line on the Security Gateway.
2 Log in to Gaia Clish or Expert mode.
3 Run:
cpconfig
4 Enter the number of the Check Point CoreXL option.
5 Enter the number of the applicable option:
(1) Change the number of firewall instances
(2) Change the number of IPv6 firewall instances
(3) Disable Check Point CoreXL
6 Follow the instructions on the screen.
7 Exit from the cpconfig menu.
8 Reboot the Security Gateway.

Default Configuration of CoreXL


When you enable CoreXL, the default number of CoreXL Firewall instances is based on the total
number of CPU cores.
The default affinity setting for all interfaces is automatic when SecureXL is enabled. See Allocation
of Processing CPU Cores (on page 192).
Traffic from all interfaces is directed to the CPU cores that run the CoreXL Secure Network
Distributor (SND).

Default number of IPv4 CoreXL Firewall instances:

Number of CPU cores | Default number of CoreXL IPv4 FW instances | Default number of Secure Network Distributors (SNDs)
1 | 1 (CoreXL is disabled) | 0 (CoreXL is disabled)
2 | 2 | 2
4 | 3 | 1
6-20 | Number of CPU cores, minus 2 | 2
More than 20 | Number of CPU cores, minus 4 (but no more than 40) | 4

CoreXL Firewall instance IDs start from zero.

Instances are assigned to CPU cores starting from the highest CPU ID allowed by the current Check Point
license on your Security Gateway and counting down, so instance 0 runs on the highest CPU ID.
Refer to the ID and CPU columns in this example:
fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 5 | 21
1 | Yes | 6 | 3 | 23
2 | Yes | 5 | 5 | 25
3 | Yes | 4 | 4 | 21
4 | Yes | 3 | 5 | 21
5 | Yes | 2 | 5 | 20

fw6 ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 0 | 4
1 | Yes | 6 | 0 | 4

Maximal number of IPv4 CoreXL Firewall instances:

Gaia kernel edition | Check Point Appliance | Open Server
64-bit | 40 | 40

Notes:
• Starting in R80.20, the Gaia kernel edition is 64-bit only.
• The total number of IPv4 CoreXL Firewall instances and IPv6 CoreXL Firewall instances cannot
exceed the numbers in the table above.

Configuring IPv4 and IPv6 CoreXL Firewall instances


Important Notes for Cluster:
• You must configure CoreXL in the same way on all the cluster members. Otherwise, a
cluster member with a greater number of CoreXL Firewall instances by design enters the
Down state (see sk42096 http://supportcontent.checkpoint.com/solutions?id=sk42096).
• If you enable CoreXL, disable CoreXL, or change the number of CoreXL Firewall instances,
treat this change as a version upgrade.
Schedule a full maintenance window and follow the instructions in the R80.20 Installation and
Upgrade Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Installation_and_Upgrade_Guide/html_frameset.htm - Chapter Upgrading ClusterXL Deployments.
Perform either a Minimal Effort Upgrade procedure (requires downtime), or a Zero Downtime
Upgrade procedure (no downtime, but active connections are lost). At the step where that
procedure upgrades a cluster member, configure CoreXL on that member instead.

IPv4 CoreXL Firewall instances and IPv6 CoreXL Firewall instances:


After you enable Gaia IPv6 support on the Security Gateway (see R80.20 Gaia Administration Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_Admin
Guide/html_frameset.htm), you can configure the CPU cores to run different combinations of IPv4
and IPv6 CoreXL Firewall instances:
• The number of IPv4 CoreXL Firewall instances you can configure is from a minimum of two to
a maximum equal to the total number of CPU cores on the Security Gateway:
2 <= (Number of IPv4 CoreXL Firewall instances) <= (Total Number of CPU
cores)
• By default, the number of IPv6 CoreXL Firewall instances is set to two.
When SMT (Hyper-Threading) http://supportcontent.checkpoint.com/solutions?id=sk93000 is
enabled, the default number of IPv6 CoreXL Firewall instances is four.
• The number of IPv6 CoreXL Firewall instances you can configure is from a minimum of two to
a maximum equal to the total number of IPv4 CoreXL Firewall instances. The number of IPv6
CoreXL Firewall instances cannot exceed the number of IPv4 CoreXL Firewall instances:
2 <= (Number of IPv6 CoreXL Firewall instances) <= (Total Number of IPv4
CoreXL Firewall instances)
• The total number of IPv4 and IPv6 CoreXL Firewall instances cannot exceed forty:
(Number of IPv4 CoreXL Firewall instances) + (Number of IPv6 CoreXL
Firewall instances) <= 40

To configure the number of IPv4 CoreXL Firewall instances:


Step Description
1 Connect to the command line on the Security Gateway.
2 Log in to Gaia Clish or Expert mode.
3 Run:
cpconfig
4 Enter the number of the Check Point CoreXL option.
5 Enter 1 for the option Change the number of firewall instances.
6 Enter the total number of IPv4 CoreXL Firewall instances you wish the Security Gateway
to run.
Note - You can only select a number from the range shown.
Follow the instructions on the screen.
7 Exit from the cpconfig menu.
8 Reboot the Security Gateway.

To configure the number of IPv6 CoreXL Firewall instances:


Step Description
1 Connect to the command line on the Security Gateway.
2 Log in to Gaia Clish or Expert mode.
3 Run:
cpconfig
4 Enter the number of the Check Point CoreXL option.
5 Enter 2 for the option Change the number of IPv6 firewall instances.
6 Enter the total number of IPv6 CoreXL Firewall instances you wish the Security Gateway
to run.
Note - You can only select a number from the range shown.
Follow the instructions on the screen.
7 Exit from the cpconfig menu.
8 Reboot the Security Gateway.

Example CoreXL configuration:


Security Gateway has four CPU cores.
By default, there are three IPv4 CoreXL Firewall instances and two IPv6 CoreXL Firewall
instances:

CPU Core | IPv4 CoreXL Firewall instances | IPv6 CoreXL Firewall instances
CPU 0 | N/A | N/A
CPU 1 | fw4_2 | N/A
CPU 2 | fw4_1 | fw6_1
CPU 3 | fw4_0 | fw6_0

• IPv4 CoreXL Firewall instances: The minimum allowed number is two and the maximum is
four
• IPv6 CoreXL Firewall instances: The minimum allowed number is two and the maximum is
three
To increase the number of IPv6 CoreXL Firewall instances to four, first you must increase the
number of IPv4 CoreXL Firewall instances to the maximum of four and reboot:
CoreXL is currently enabled with 3 IPv4 firewall instances and 2 IPv6 firewall instances.

(1) Change the number of firewall instances
(2) Change the number of IPv6 firewall instances
(3) Disable Check Point CoreXL
(4) Exit

Enter your choice (1-4) : 1

How many IPv4 firewall instances would you like to enable (2 to 4) [3] ? 4

CoreXL was enabled successfully with 4 firewall instances.

Important: This change will take effect after reboot.

After the reboot, the CoreXL configuration on the Security Gateway looks like this:

CPU Core | IPv4 CoreXL Firewall instances | IPv6 CoreXL Firewall instances
CPU 0 | fw4_3 | N/A
CPU 1 | fw4_2 | N/A
CPU 2 | fw4_1 | fw6_1
CPU 3 | fw4_0 | fw6_0

Increase the number of IPv6 CoreXL Firewall instances to four and reboot:
CoreXL is currently enabled with 4 IPv4 firewall instances and 2 IPv6 firewall instances.

(1) Change the number of firewall instances
(2) Change the number of IPv6 firewall instances
(3) Disable Check Point CoreXL
(4) Exit

Enter your choice (1-4) : 2

How many IPv6 firewall instances would you like to enable (2 to 4) [2] ? 4

CoreXL was enabled successfully with 4 IPv6 firewall instances.

Important: This change will take effect after reboot.

After the reboot, the CoreXL configuration on the Security Gateway looks like this:

CPU Core | IPv4 CoreXL Firewall instances | IPv6 CoreXL Firewall instances
CPU 0 | fw4_3 | fw6_3
CPU 1 | fw4_2 | fw6_2
CPU 2 | fw4_1 | fw6_1
CPU 3 | fw4_0 | fw6_0

CoreXL Unsupported Features


R80.20 CoreXL does not support these Check Point features:
• Overlapping NAT
• VPN Traditional Mode
• 6in4 traffic - this traffic is always processed by the global CoreXL Firewall instance #0
(fw_worker_0)
For additional information, see sk61701: CoreXL Known Limitations
http://supportcontent.checkpoint.com/solutions?id=sk61701.

Configuring Affinity Settings


The script $FWDIR/scripts/fwaffinity_apply on Security Gateway executes automatically
during boot and controls the affinity settings. When you make a change to affinity settings, the
changes do not take effect until you either reboot the Security Gateway, or manually execute the
$FWDIR/scripts/fwaffinity_apply script.
The $FWDIR/scripts/fwaffinity_apply script configures the interfaces affinity according
to the settings in the $FWDIR/conf/fwaffinity.conf configuration file. To change the
interfaces affinity settings, edit that configuration file.
Note - When the SecureXL is enabled, only the SecureXL SIM Affinity (on page 116) configuration
defines the interfaces affinities. Security Gateway ignores the interface affinity settings in the
$FWDIR/conf/fwaffinity.conf file.

The $FWDIR/conf/fwaffinity.conf Configuration File


The configuration file $FWDIR/conf/fwaffinity.conf controls CoreXL affinity settings.
Each line in this plain-text file uses the same format: <type> <id> <cpu_id>

Data | Allowed Values | Description
<type> | i | Configures the affinity of an interface.
<type> | n | Configures the affinity of a Check Point daemon.
<type> | k | Configures the affinity of a CoreXL Firewall instance.
<id> | Name of Interface | If <type> = i.
<id> | Name of Daemon | If <type> = n.
<id> | ID of CoreXL Firewall instance | If <type> = k.
<id> | default | Configures the affinities of interfaces that are not specified in other lines (valid only with <type> = i).
<cpu_id> | CPU ID Number | Specifies the ID numbers of the processing CPU cores to which you affine an interface, a Check Point daemon, or a CoreXL Firewall instance.
<cpu_id> | all | Specifies all processing CPU cores as available to configure the affinity of an interface, a Check Point daemon, or a CoreXL Firewall instance.
<cpu_id> | auto | Configures Automatic mode. See Allocation of Processing CPU Cores (on page 192).
<cpu_id> | ignore | No specified affinity. This is useful to exclude an interface from the "default" configuration.

Notes:
• The default configuration in this file is:
i default auto

• Possible combinations:
• To configure the affinity of an interface:
i <Name of Interface> {<CPU ID Number> | all | ignore | auto}
i default {<CPU ID Number> | all | ignore | auto}
• To configure the affinity of a Check Point daemon:
n <Name of Daemon> {<CPU ID Number> | all | ignore | auto}
• To configure the affinity of a CoreXL Firewall instance:
k <ID of CoreXL Firewall instance> {<CPU ID Number> | all | ignore | auto}
• To view the IRQs of all interfaces, run:
fw ctl affinity -l -v -a (on page 221)
• Interfaces that share an IRQ cannot have different CPU cores as their affinities.
This also applies when one interface is included in the default affinity setting.
You must either configure the same affinity for all interfaces, or use ignore for one of these
interfaces.

The $FWDIR/scripts/fwaffinity_apply Script


Use the following syntax to execute this shell script:
[Expert@MyGW:0]# $FWDIR/scripts/fwaffinity_apply <Parameter>

Parameters
Parameter Description
-q Quiet mode - print only error messages.
-t <Type> Applies affinity only for the specified type:
• i - For an interface
• n - For a Check Point daemon name
• k - For a CoreXL Firewall instance
-f Sets interface affinity even if SecureXL SIM Affinity is set to Automatic
mode.

Performance Tuning
In This Section:
Allocation of Processing CPU Cores.................................................................192

Allocation of Processing CPU Cores


The CoreXL software architecture includes the Secure Network Distributor (SND). The SND is
responsible for these:
• Processing the incoming traffic from the network interfaces
• Securely accelerating authorized packets (if SecureXL is enabled)
• Distributing non-accelerated packets between the CoreXL Firewall instances.
The association of a particular interface with a specific processing CPU core is called the
interface's affinity with that CPU core. This affinity causes the interface's traffic to be directed to
that CPU core and the CoreXL SND to run on that CPU core.
The association of a particular CoreXL Firewall instance with a specific CPU core is called the
CoreXL Firewall instance's affinity with that CPU core.
The association of a particular user space process with a specific CPU core is called the
process's affinity with that CPU core.
The default affinity setting for all interfaces is Automatic. Automatic affinity means that if
SecureXL is enabled, the affinity for each interface is reset periodically and balanced between the
available CPU cores. If SecureXL is disabled, the default affinities of all interfaces are with one
available CPU core. In both cases, every processing CPU core that runs a CoreXL Firewall instance,
or is defined as the affinity of another user space process, is considered unavailable, and the affinity
for interfaces is not set to those CPU cores.
In some cases, which we discuss in the following sections, it may be advisable to change the
distribution of CoreXL Firewall instances, the CoreXL SND, and other user space processes,
between the processing CPU cores. To do so, you change the affinities of different NICs
(interfaces) or user space processes. However, to ensure CoreXL efficiency, traffic from all
interfaces must be directed to CPU cores that do not run CoreXL Firewall instances. Therefore, if
you change affinities of interfaces or other user space processes, you need to set the number of
CoreXL Firewall instances accordingly. You also must make sure that the CoreXL Firewall
instances run on other processing CPU cores.
Under normal circumstances, we do not recommend for a CoreXL SND and a CoreXL Firewall
instance to share the same CPU core. However, it is necessary for the CoreXL SND and a CoreXL
Firewall instance to share a CPU core when Security Gateway runs on a computer with exactly two
CPU cores.

Adding Processing CPU Cores to the Hardware


If you increase the number of processing CPU cores on the computer, it does not automatically
increase the number of CoreXL Firewall instances. You must manually configure the desired
number of CoreXL Firewall instances in the cpconfig menu (on page 185).
Important Notes for Cluster:
• You must configure CoreXL in the same way on all the cluster members. Otherwise, a
cluster member with a greater number of CoreXL Firewall instances by design enters the
Down state (see sk42096 http://supportcontent.checkpoint.com/solutions?id=sk42096).
• If you enable CoreXL, disable CoreXL, or change the number of CoreXL Firewall instances,
treat this change as a version upgrade.
Schedule a full maintenance window and follow the instructions in the R80.20 Installation and
Upgrade Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Installation_and_Upgrade_Guide/html_frameset.htm - Chapter Upgrading ClusterXL Deployments.
Perform either a Minimal Effort Upgrade procedure (requires downtime), or a Zero Downtime
Upgrade procedure (no downtime, but active connections are lost). At the step where that
procedure upgrades a cluster member, configure CoreXL on that member instead.

Allocating Additional CPU Cores to the CoreXL SND


The default configuration of CoreXL Firewall instances and the CoreXL SNDs might not be optimal
for your needs.
If the default number of CoreXL SNDs is not enough to process the incoming traffic, and your
Security Gateway computer contains enough CPU cores, you can reduce the number of CoreXL
Firewall instances. This automatically allocates additional CPU cores to run the CoreXL SNDs.
This scenario is likely to occur if much of the traffic is accelerated by SecureXL. In this case, the
task load of the CoreXL SNDs may be disproportionate to that of the CoreXL Firewall instances.

To check if the SND is slowing down the traffic:


Step Description
1 Identify the processing CPU core, to which the interfaces direct their traffic:
fw ctl affinity -l -r
2 Under heavy traffic conditions, run the top command.
Examine the values for the different CPU cores in the 'idle' column.

We recommend that you allocate an additional CPU core to the CoreXL SND only if all these
conditions are met:
• Your platform has at least eight processing CPU cores.
• In the output of the top command, the 'idle' values for the CPU cores that run the CoreXL
SNDs are in the 0%-5% range.
• In the output of the top command, the sum of the 'idle' values for the CPU cores that run
the CoreXL Firewall instances is significantly higher than 100%.
If at least one of these conditions is not met, the default CoreXL configuration is sufficient.
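Checking the three conditions by eye across dozens of per-CPU lines in top is error-prone, so the script below applies them to a saved snapshot. It is an added example, not part of this guide or of Gaia. It parses a saved top snapshot (with per-CPU lines; press 1 in top to show them) and saved fw ctl multik stat output in the layout shown in Default Configuration of CoreXL, treats every core without a Firewall instance as an SND core (an assumption: no user space process is pinned elsewhere), and reads "significantly higher than 100%" as a configurable threshold that defaults to 200%. The per-CPU line layout in the sample (Cpu0 : ... 2.0%id,) is the older procps layout; the newer "%Cpu0 : ... 2.0 id," layout is also parsed. Both input files are constructed samples.

```shell
#!/bin/bash
# snd_check.sh - added example; not part of the guide or of Gaia.
# Applies the three SND-sizing conditions from the guide to a saved 'top'
# snapshot and saved 'fw ctl multik stat' output: at least eight cores, the
# cores that run the CoreXL SNDs idle at 0-5%, and the idle values of the
# cores that run CoreXL Firewall instances summing to well over 100%.
# Assumptions (not from the guide): every core without a Firewall instance
# is an SND core, and "significantly higher than 100%" means a threshold
# that defaults to 200. Both input files are constructed samples.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed: 8 cores; CPU 0-1 (the SNDs) nearly saturated, CPU 2-7 half idle.
cat > "$TMPD/top.txt" <<'EOF'
top - 10:21:03 up 12 days,  3:04,  1 user,  load average: 5.10, 4.98, 4.70
Tasks: 210 total,   6 running, 204 sleeping,   0 stopped,   0 zombie
Cpu0  : 94.0%us,  3.0%sy,  0.0%ni,  2.0%id,  0.0%wa,  0.0%hi,  1.0%si,  0.0%st
Cpu1  : 93.0%us,  4.0%sy,  0.0%ni,  1.0%id,  0.0%wa,  0.0%hi,  2.0%si,  0.0%st
Cpu2  : 40.0%us,  5.0%sy,  0.0%ni, 55.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu3  : 42.0%us,  5.0%sy,  0.0%ni, 53.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu4  : 38.0%us,  4.0%sy,  0.0%ni, 58.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu5  : 41.0%us,  6.0%sy,  0.0%ni, 53.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu6  : 39.0%us,  5.0%sy,  0.0%ni, 56.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu7  : 44.0%us,  4.0%sy,  0.0%ni, 52.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
EOF

# Constructed, in the layout shown in "Default Configuration of CoreXL".
cat > "$TMPD/multik.txt" <<'EOF'
ID | Active | CPU | Connections | Peak
----------------------------------------------
 0 | Yes    | 7   |      5      |  21
 1 | Yes    | 6   |      3      |  23
 2 | Yes    | 5   |      5      |  25
 3 | Yes    | 4   |      4      |  21
 4 | Yes    | 3   |      5      |  21
 5 | Yes    | 2   |      5      |  20
EOF

# Prints "<cpu> <idle%>" for every per-CPU line of a top snapshot.
cpu_idle() {
    awk '
        /^%?Cpu[0-9]+/ {
            id = $1; sub(/^%?Cpu/, "", id); sub(/:.*/, "", id)
            idle = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^[0-9.]+%id/) idle = $i + 0         # old layout: "2.0%id,"
                else if ($i ~ /^id,?$/) idle = $(i - 1) + 0   # new layout: "2.0 id,"
            }
            if (idle != "") print id, idle
        }
    ' "$1"
}

# Prints the CPU ID of every active CoreXL Firewall instance, one per line.
instance_cpus() {
    awk -F'|' '$1 ~ /^[ \t]*[0-9]+[ \t]*$/ && $2 ~ /Yes/ { print $3 + 0 }' "$1"
}

# Prints a one-line summary followed by ADD_SND_CORE or KEEP_DEFAULT.
# Args: top snapshot, multik stat output, [minimum FW idle sum, default 200].
snd_verdict() {
    busy=$(instance_cpus "$2" | tr '\n' ' ')
    cpu_idle "$1" | awk -v busy="$busy" -v fw_min="${3:-200}" '
        BEGIN { n = split(busy, b, " "); for (i = 1; i <= n; i++) fw[b[i]] = 1; snd_max = 0 }
        {
            total++
            if ($1 in fw) fw_sum += $2
            else { snd_n++; if ($2 > snd_max) snd_max = $2 }
        }
        END {
            printf "cores=%d snd_cores=%d snd_max_idle=%.1f fw_idle_sum=%.1f\n",
                   total, snd_n, snd_max, fw_sum
            if (total >= 8 && snd_n > 0 && snd_max <= 5 && fw_sum > fw_min + 0)
                print "ADD_SND_CORE"
            else
                print "KEEP_DEFAULT"
        }
    '
}

snd_verdict "$TMPD/top.txt" "$TMPD/multik.txt"
```

On a real gateway, save `top -b -n 1` output (with per-CPU lines enabled in your toprc) and `fw ctl multik stat` output under heavy traffic and pass the two files to snd_verdict; a KEEP_DEFAULT verdict with a low fw_idle_sum means the Firewall instances, not the SNDs, are the bottleneck.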

To allocate an additional processing CPU core to the CoreXL SND:


Item Description
1 Reduce the number of CoreXL Firewall instances in the cpconfig menu. (on page 185)
2 Set interface affinities to the remaining CPU cores. (on page 195)
3 Reboot to apply the new configuration.

Setting Affinities for Interfaces on the Host Security Appliance


Check which processing CPU cores run the CoreXL Firewall instances and which CPU cores
handle the traffic from interfaces. Run:
fw ctl affinity -l -r (on page 221)
Allocate the remaining CPU cores to run the CoreXL SNDs. To do so, configure the affinity of
interfaces to the applicable CPU cores. For more information, see Allocation of Processing CPU
Cores (on page 192).
Note - To set the affinity of VLAN interfaces, use their physical interfaces.

Configuring affinities of interfaces when SecureXL is enabled


If SecureXL is enabled (this is the default), configure the affinities of interfaces with the SecureXL
sim affinity (on page 116) command.
The default SIM Affinity mode for interfaces is Automatic. In the Automatic mode, SecureXL
automatically distributes affinities of interfaces between CPU cores, which do not run CoreXL
Firewall instances and for which no affinities of user space processes are configured.

Configuring affinities of interfaces when SecureXL is disabled


If SecureXL is disabled, Security Gateway loads affinities of interfaces during the boot from the
CoreXL configuration file $FWDIR/conf/fwaffinity.conf. In this configuration file, lines that
begin with the letter "i", define the affinities of interfaces. If SecureXL is enabled, Security
Gateway ignores these lines.
If you allocate only one CPU core to the CoreXL SND, it is best to have that CPU core selected
automatically. To do so, leave the default automatic interface affinity and do not configure explicit
affinities of interfaces to CPU cores.
Make sure the $FWDIR/conf/fwaffinity.conf file contains this line:
i default auto

In addition, make sure that the $FWDIR/conf/fwaffinity.conf file does not contain other
lines that begin with "i", so that no explicit affinities of interfaces are defined. This ensures that
Security Gateway directs all traffic to the remaining CPU cores.
If you allocate more than one processing CPU core to the CoreXL SND, you need to configure
affinities of interfaces explicitly to the remaining CPU cores. If you have multiple interfaces, you
need to decide which interfaces to affine to which CPU cores. Try to achieve a balance of expected
traffic between the CPU cores. You can later examine the traffic balance with the top command.

Performance Tuning Administration Guide R80.20 | 195


CoreXL

To configure affinities of interfaces explicitly, when SecureXL is disabled


1. Configure the affinity for each interface in the $FWDIR/conf/fwaffinity.conf file (on
page 190).
For each interface, there must be a separate line that begins with the letter "i". Each of these
lines must have this syntax:
i <Name of Interface> <CPU ID>

For example, if you want the traffic from eth0 and eth1 to go to CPU core #0, and the traffic
from eth2 to go to CPU core #1, add these lines:
i eth0 0
i eth1 0
i eth2 1
Alternatively, you can choose to define affinities of interface explicitly for only one processing
CPU core, and define other CPU cores as the default affinity for the remaining interfaces. To do
so, use this syntax:
i default <CPU ID>

For example, if you want the traffic from eth2 to go to CPU core #1, and the traffic from all
other interfaces to go to CPU core #0, add these lines:
i eth2 1
i default 0
2. Apply the new configuration. Run:
[Expert@MyGW:0]# $FWDIR/scripts/fwaffinity_apply

Performance Tuning Administration Guide R80.20 | 196


CoreXL

Setting Affinities for Falcon Acceleration Cards Ports


To set affinities for Falcon Acceleration Cards ports, you use the standard Linux SMP IRQ Affinity
mechanism.
On the Host appliance, you configure the applicable CPU Bitmasks in the
/proc/irq/<IRQ_Number_of_Card_Port>/smp_affinity files for the IRQ numbers of the
applicable Falcon Acceleration Cards ports.
The /proc/irq/<IRQ_Number_of_Card_Port>/smp_affinity files specify, which target CPU
cores are permitted for a given IRQ source. These files hold bitmasks of allowed CPU cores.

Procedure:
1. Connect to the command line on the Host appliance.
2. Log in to Expert mode.
3. Get the list of slot numbers for the Falcon Acceleration Cards:
fwaccel stat
4. Find the IRQ number for the Falcon Acceleration Card port, which you wish to affine to a
specific CPU core:
cat /proc/interrupts | grep msix | grep np<Slot#>
Example for port np3:
[Expert@FW:0]# cat /proc/interrupts | grep msix | grep np3
51: 9653025 0 0 0 0 6672298 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 PCI-MSI-X bcmnet-np3-msix-2
[Expert@FW:0]#
Notes:
 51 - IRQ number of this Falcon Acceleration Card port (the number before the colon at the start of the line)
 np3 - Falcon Acceleration Card port identifier
 The per-CPU columns are interrupt counts; in this output, CPU 0 and CPU 5 have been servicing this IRQ
 Compare with the output of the ifconfig eth<Slot#>-01 command


5. Find the CPU Bitmask in HEX Format of the CPU core, to which you wish to affine the specific
Falcon Acceleration Card port:
Note - This table addresses 24 CPU cores. Bit N of the mask (counted from the least significant
bit) selects CPU core N, so the mask for a single core N is 2^N. To permit several cores, add their
HEX values (for example, 3 permits CPU 0 and CPU 1). The kernel rejects a mask that selects no
online CPU core. On systems with more than 32 CPU cores, the kernel writes and expects the mask
as comma-separated 32-bit words, most significant word first.
CPU core   Bitmask in BIN Format       Bitmask in HEX Format
CPU 0      000000000000000000000001    1
CPU 1      000000000000000000000010    2
CPU 2      000000000000000000000100    4
CPU 3      000000000000000000001000    8
CPU 4      000000000000000000010000    10
CPU 5      000000000000000000100000    20
CPU 6      000000000000000001000000    40
CPU 7      000000000000000010000000    80
CPU 8      000000000000000100000000    100
CPU 9      000000000000001000000000    200
CPU 10     000000000000010000000000    400
CPU 11     000000000000100000000000    800
CPU 12     000000000001000000000000    1000
CPU 13     000000000010000000000000    2000
CPU 14     000000000100000000000000    4000
CPU 15     000000001000000000000000    8000
CPU 16     000000010000000000000000    10000
CPU 17     000000100000000000000000    20000
CPU 18     000001000000000000000000    40000
CPU 19     000010000000000000000000    80000
CPU 20     000100000000000000000000    100000
CPU 21     001000000000000000000000    200000
CPU 22     010000000000000000000000    400000
CPU 23     100000000000000000000000    800000


6. Write the applicable CPU Bitmask in HEX Format in the
/proc/irq/<IRQ_Number_of_Card_Port>/smp_affinity file:
echo <Hex_Bitmask> > /proc/irq/<IRQ_Number_of_Card_Port>/smp_affinity

Examples:
• Affinity of card port with IRQ 51 to CPU 0:
echo 1 > /proc/irq/51/smp_affinity
• Affinity of a card port with IRQ 59 to CPU 1:
echo 2 > /proc/irq/59/smp_affinity
• Affinity of card port with IRQ 234 to CPU 7:
echo 80 > /proc/irq/234/smp_affinity
7. To make this configuration survive reboot, you need to add all these echo commands at the
bottom of the /etc/rc.d/rc.local shell script:
a) Create a backup copy of this shell script:
cp -v /etc/rc.d/rc.local{,_BKP}
b) Edit this shell script:
vi /etc/rc.d/rc.local
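The procedure above is typed by hand, one IRQ at a time, and nothing checks that the kernel accepted the mask. The following helpers, added here as an example and not part of the Check Point guide, do the same work with a read-back check: they derive the hex mask for a core number (including the comma-separated form the kernel uses above 32 cores), pull the IRQ numbers of one Falcon port out of /proc/interrupts using the bcmnet-npN-msix naming seen in the output above, and write the mask. The PROC_IRQ_DIR variable and the file-path arguments are assumptions that let the functions run against constructed input; on a gateway they default to the real /proc paths.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): helpers that turn a CPU
# core number into the hex bitmask /proc/irq/<IRQ>/smp_affinity expects,
# find the IRQs of a Falcon port in /proc/interrupts, and apply the mask
# with a read-back check. PROC_IRQ_DIR and the file-path arguments are
# assumptions so the functions can be exercised against constructed input.

# cpu_to_mask <cpu>: hex bitmask with only bit <cpu> set.
# Cores 32 and above use the kernel's comma-separated 32-bit word format
# (most significant word first), e.g. CPU 32 -> "1,00000000".
cpu_to_mask() {
  cpu=$1
  word=$((cpu / 32))
  bit=$((cpu % 32))
  mask=$(printf '%x' $((1 << bit)))
  i=0
  while [ "$i" -lt "$word" ]; do
    mask="${mask},00000000"
    i=$((i + 1))
  done
  printf '%s\n' "$mask"
}

# irqs_for_port <interrupts-file> <np-port>: IRQ numbers of the MSI-X
# vectors of one Falcon port, parsed from /proc/interrupts lines such as
# "51: ... PCI-MSI-X bcmnet-np3-msix-2" (name pattern taken from the
# guide's example output; a port may have several vectors).
irqs_for_port() {
  awk -v p="$2" '$NF ~ ("^bcmnet-" p "-msix") { sub(/:$/, "", $1); print $1 }' "$1"
}

# norm_mask <mask>: strip commas and leading zeros so that what the kernel
# echoes back (e.g. "00000080") compares equal to what was written ("80").
norm_mask() {
  printf '%s' "$1" | tr -d ',' | sed 's/^0*//'
}

# set_irq_affinity <irq> <cpu>: write the mask and verify the kernel kept it.
# A mask that selects no online CPU is rejected by the kernel (EINVAL), and
# the write then fails here instead of silently leaving the old affinity.
set_irq_affinity() {
  irq=$1
  cpu=$2
  dir=${PROC_IRQ_DIR:-/proc/irq}
  f="$dir/$irq/smp_affinity"
  [ -w "$f" ] || { echo "cannot write $f" >&2; return 1; }
  want=$(cpu_to_mask "$cpu")
  echo "$want" > "$f" || return 1
  got=$(cat "$f")
  if [ "$(norm_mask "$got")" != "$(norm_mask "$want")" ]; then
    echo "IRQ $irq: wrote $want, kernel reports $got" >&2
    return 1
  fi
  echo "IRQ $irq -> CPU $cpu (mask $want)"
}

# Usage on a gateway (Expert mode), for example all vectors of port np3 on CPU 7:
#   for irq in $(irqs_for_port /proc/interrupts np3); do
#     set_irq_affinity "$irq" 7
#   done
```

The read-back matters because the kernel normalizes the value it stores (padding it to the number of CPUs the system has) and refuses masks that name no online core, so comparing the normalized strings is the only cheap proof the setting took. If an irqbalance daemon is running on the host, it can move IRQs again after this script has run; the affinities should be re-checked after reboot just as the guide's rc.local step implies.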


Allocating a CPU Core for Heavy Logging


If the Security Gateway generates a very large number of logs, it may be advisable to allocate a
processing CPU core to the fwd daemon, which generates the logs.
Note - This change reduces the number of CPU cores available for CoreXL Firewall instances.
Important Notes for Cluster:
• You must configure the CoreXL in the same way on all the cluster members. Otherwise, a
cluster member with a greater number of CoreXL Firewall instances by design enters the
Down state (see sk42096 http://supportcontent.checkpoint.com/solutions?id=sk42096).
• If you enable CoreXL, disable CoreXL, or change the number of CoreXL Firewall instances, you
should treat this change as a version upgrade.
Schedule a full maintenance window and follow the instructions in the R80.20 Installation and
Upgrade Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Installati
on_and_Upgrade_Guide/html_frameset.htm - Chapter Upgrading ClusterXL Deployments.
Perform either a Minimal Effort Upgrade procedure (requires downtime), or a Zero Downtime
Upgrade procedure (no downtime, but active connections are lost). Instead of the version
upgrade, configure the CoreXL on each cluster member.

To allocate a processing CPU core to the fwd daemon:


Step Description
1 Connect to the command line on Security Gateway.
2 Log in to Expert mode.
3 Run:
cpconfig
4 Enter the number of the Check Point CoreXL option.
5 Reduce the number of CoreXL Firewall instances (on page 185).
6 Exit from the cpconfig menu.
7 Configure the affinity of the fwd daemon in the $FWDIR/conf/fwaffinity.conf (on
page 190) file:
7A Examine which processing CPU cores run the CoreXL Firewall instances and which CPU
cores handle the traffic from interfaces. Run:
fw ctl affinity -l -r (on page 221)

7B Edit the $FWDIR/conf/fwaffinity.conf file:
n fwd <CPU ID>
Allocate one of the remaining CPU cores to the fwd daemon. To do so, configure the
affinity of the fwd daemon to that CPU core. For example, to affine the fwd daemon to
CPU core #2, add this line:
n fwd 2
Note: Avoid the CPU cores that run the CoreXL SNDs only if those CPU cores are explicitly
defined in the affinities of interfaces (lines that begin with "i" in this file). If the affinity
of interfaces is in the Automatic mode, the fwd daemon can use any CPU core that does not run a
CoreXL Firewall instance, because traffic from interfaces is then automatically diverted to the
other CPU cores.
7C Save the changes in the $FWDIR/conf/fwaffinity.conf configuration file.
8 Apply the new configuration:
• To apply immediately, run this script (on page 191):
[Expert@MyGW:0]# $FWDIR/scripts/fwaffinity_apply
• To apply later, reboot the Security Gateway.
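Step 7A asks you to look at which cores run Firewall instances and which handle interface traffic before picking a core for fwd, but nothing stops fwaffinity_apply from installing a conflicting file. The check below is an added example, not a Check Point script. It reads the edited fwaffinity.conf together with a saved copy of the fw ctl multik stat output (the table format shown later in this chapter) and reports when the fwd daemon, an explicitly affined interface, or both land on a CPU core that runs a CoreXL Firewall instance; the file-path arguments and the sample files are assumptions made so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): a pre-flight check for the
# "n fwd <CPU ID>" line before running fwaffinity_apply. It reads the
# proposed fwaffinity.conf and a saved copy of 'fw ctl multik stat' output
# (the table format shown in this chapter) and reports when the fwd daemon,
# an explicitly affined interface, or both land on a CPU core that runs a
# CoreXL FW instance. File-path arguments are assumptions for offline use.

# fw_instance_cpus <stat-file>: CPU IDs of active CoreXL FW instances,
# taken from the CPU column of 'fw ctl multik stat' (header and dashed
# line skipped; stopped instances show "-" and are ignored).
fw_instance_cpus() {
  awk -F'|' 'NR > 2 && $2 ~ /Yes/ { gsub(/ /, "", $3); print $3 }' "$1"
}

# check_fwaffinity <fwaffinity.conf> <stat-file>
# Prints one line per conflict; returns 0 when clean, 1 otherwise.
# Rules (from the guide): fwd must not share a core with a FW instance;
# a core explicitly affined to an interface ("i <if> <cpu>") is an SND
# core and must not be used by fwd or by a FW instance. "i default auto"
# defines no explicit core and is skipped.
check_fwaffinity() {
  conf=$1
  stat=$2
  fw_cpus=$(fw_instance_cpus "$stat")
  fwd_cpu=$(awk '$1 == "n" && $2 == "fwd" { print $3 }' "$conf")
  if_cpus=$(awk '$1 == "i" && $2 != "default" { print $2 ":" $3 }' "$conf")
  rc=0
  for c in $fw_cpus; do
    if [ -n "$fwd_cpu" ] && [ "$c" = "$fwd_cpu" ]; then
      echo "fwd on CPU $fwd_cpu, which runs a CoreXL FW instance"
      rc=1
    fi
  done
  for e in $if_cpus; do
    ifn=${e%%:*}
    c=${e##*:}
    if [ -n "$fwd_cpu" ] && [ "$c" = "$fwd_cpu" ]; then
      echo "fwd on CPU $fwd_cpu, which is explicitly affined to interface $ifn"
      rc=1
    fi
    for f in $fw_cpus; do
      if [ "$c" = "$f" ]; then
        echo "interface $ifn on CPU $c, which runs a CoreXL FW instance"
        rc=1
      fi
    done
  done
  return $rc
}

# Usage on a gateway, before applying the edited file:
#   fw ctl multik stat > /tmp/multik.stat
#   check_fwaffinity $FWDIR/conf/fwaffinity.conf /tmp/multik.stat \
#     && $FWDIR/scripts/fwaffinity_apply
```

Run it after step 7C and before step 8; a non-zero exit means the file would either starve a Firewall instance of its core or put fwd on a core that is already dedicated to interface traffic. The check deliberately says nothing about the Automatic interface mode, because in that mode the guide's note above allows fwd on any core without a Firewall instance.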


CoreXL Commands
'fw ctl multik' and 'fw6 ctl multik'
Description
The fw ctl multik and fw6 ctl multik commands control CoreXL for IPv4 and IPv6,
respectively.

Syntax for IPv4


fw ctl multik
add_bypass_port <options>
del_bypass_port <options>
dynamic_dispatching <options>
gconn <options>
get_instance <options>
print_heavy_conn
prioq <options>
show_bypass_ports
stat
start
stop
utilize

Syntax for IPv6


fw6 ctl multik
add_bypass_port <options>
del_bypass_port <options>
dynamic_dispatching <options>
gconn <options>
get_instance <options>
print_heavy_conn
prioq <options>
show_bypass_ports
stat
start
stop
utilize


Parameters
Parameter - Description
add_bypass_port <options> (on page 204) - Adds the specified TCP and UDP ports to the CoreXL
Dynamic Dispatcher bypass list.
del_bypass_port <options> (on page 205) - Removes the specified TCP and UDP ports from the
CoreXL Dynamic Dispatcher bypass list.
dynamic_dispatching <options> (on page 206) - Shows and controls the CoreXL Dynamic Dispatcher.
See sk105261 http://supportcontent.checkpoint.com/solutions?id=sk105261.
gconn <options> (on page 207) - Shows statistics about CoreXL Global Connections.
get_instance <options> (on page 211) - Shows the CoreXL FW instance that processes the specified
IPv4 connection.
print_heavy_conn (on page 213) - Shows the table of Heavy Connections (those that consume the
most CPU resources) in the CoreXL Dynamic Dispatcher.
prioq <options> (on page 215) - Configures the CoreXL Firewall Priority Queues.
See sk105762 http://supportcontent.checkpoint.com/solutions?id=sk105762.
show_bypass_ports (on page 216) - Shows the TCP and UDP ports configured in the bypass port
list of the CoreXL Dynamic Dispatcher.
stat (on page 217) - Shows the CoreXL status.
start (on page 218) - Starts stopped CoreXL FW instances on-the-fly (one instance per invocation).
stop (on page 219) - Stops CoreXL FW instances temporarily (one instance per invocation).
utilize (on page 220) - Shows the CoreXL queue utilization for each CoreXL FW instance.


fw ctl multik add_bypass_port


Description
Adds the specified TCP and UDP ports to the bypass port list of the CoreXL Dynamic Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261
http://supportcontent.checkpoint.com/solutions?id=sk105261.
Important - This command saves the configuration in the
$FWDIR/conf/dispatcher_bypass.conf file. You must not edit this file manually.

Syntax
fw ctl multik add_bypass_port <Port Number 1>,<Port Number 2>,...,<Port Number N>

Parameters
Parameter Description
<Port Number>
Specifies the numbers of TCP and UDP ports to add to the list.
Important - You can add 10 ports maximum.

Example
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]
[Expert@MyGW:0]# fw ctl multik add_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888,9999)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999
[Expert@MyGW:0]


fw ctl multik del_bypass_port


Description
Removes the specified TCP and UDP ports from the bypass port list of the CoreXL Dynamic
Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261
http://supportcontent.checkpoint.com/solutions?id=sk105261.
Important - This command saves the configuration in the
$FWDIR/conf/dispatcher_bypass.conf file. You must not edit this file manually.

Syntax
fw ctl multik del_bypass_port <Port Number 1>,<Port Number 2>,...,<Port Number N>

Parameters
Parameter Description
<Port Number>
Specifies the numbers of TCP and UDP ports to remove from
the list.

Example
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]
[Expert@MyGW:0]# fw ctl multik add_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888,9999)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999
[Expert@MyGW:0]
[Expert@MyGW:0]# fw ctl multik del_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]


fw ctl multik dynamic_dispatching


Description
Shows and controls the CoreXL Dynamic Dispatcher, which assigns new connections to CoreXL FW
instances based on the current utilization of the CPU cores, instead of by a static hash of the
connection.
For more information, see sk105261
http://supportcontent.checkpoint.com/solutions?id=sk105261.
Note - Changing the mode takes effect only after a reboot, as the example shows.

Syntax for IPv4


fw ctl multik dynamic_dispatching
get_mode
off
on

Syntax for IPv6


fw6 ctl multik dynamic_dispatching
get_mode
off
on

Parameters
Parameter Description
get_mode Shows the current state of the CoreXL Dynamic Dispatcher.
off Disables the CoreXL Dynamic Dispatcher.
on Enables the CoreXL Dynamic Dispatcher.

Example
[Expert@MyGW:0]# fw ctl multik dynamic_dispatching get_mode
Current mode is Off
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik dynamic_dispatching on
New mode is: On
Please reboot the system
[Expert@MyGW:0]#


fw ctl multik gconn


Description
Shows statistics about CoreXL Global Connections that Security Gateway stores in the kernel table
fw_multik_ld_gconn_table.
The CoreXL Global Connections table contains information about which CoreXL FW instance owns
which connections.
Notes:
• This command does not support VSX.
• This command does not support IPv6.

Syntax
fw [-d] ctl multik gconn
-h
-p
-s
-sec
-seg <Number>

Parameters
Parameter - Description
-d - Runs the command in debug mode. Use only if you troubleshoot the command itself.
none - Shows the default information about all Global Connections (see Example 1).
-h - Shows the built-in help.
-p - Shows the additional information about each CoreXL FW instance, including the information
about Firewall Priority Queues:
• I/O (In or Out)
• Inst. ID (CoreXL FW instance ID)
• Flags
• Seq (Sequence)
• Hold_ref (Hold reference)
• Prio (Firewall Priority Queues mode)
• last_enq_jiff (Jiffies since last enqueue)
• queue_indx (Queue index number)
• conn_tokens (Connection Tokens)
-s - Shows only the total number of global connections.


-sec - Shows the additional information about each CoreXL FW instance:
• I/O (In or Out)
• Inst. ID (CoreXL FW instance ID)
• Flags
• Seq (Sequence)
• Hold_ref (Hold reference)
-seg <Number> - Shows the default information about the specified Global Connections Segment only.

Example 1 - Default information

[Expert@MyGW:0]# fw ctl multik gconn
Default:
==========================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|
==========================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.52 | 54216 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 54216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |
==========================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament.
[Expert@MyGW:0]#

Example 2 - Summary information only


[Expert@MyGW:0]# fw ctl multik gconn -s
Summary:
Total number of global connections: 12
[Expert@MyGW:0]#


Example 3 - Additional information about each CoreXL FW instance, including the information
about Firewall Priority Queues

[Expert@MyGW:0]# fw ctl multik gconn -p
Instance section prio info:
=======================================================================================================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|Inst. Section: I/O|Inst. ID|Flags| Seq | Hold_ref |Prio:|last_enq_jiff|queue_indx|conn_tokens
=======================================================================================================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 35883 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 494 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.52 | 35883 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 280 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 219 | 0 |Prio:| 0 | -1 | 0 |
=======================================================================================================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament. In - inbound. Out - outbound.
[Expert@MyGW:0]#


Example 4 - Additional information about each CoreXL FW instance

[Expert@MyGW:0]# fw ctl multik gconn -sec
Instance section:
======================================================================================================================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem ID|Rec. ref|Rec. Type|Inst. Section: I/O|Inst. ID|Flags| Seq | Hold_ref |
======================================================================================================================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.52 | 52864 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 2 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 2 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 60186 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 76 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 0 | Perm | 479 | 0 |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 52864 | 6 |FP .. ..| No | 0/0 | 2 | 32 | 0 | 0 | UNDEF |Inst. Section: In | 2 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 257 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1 | 0 | UNDEF |Inst. Section: Out | 0 | Perm | 219 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.53 | 60186 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 1 | 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
======================================================================================================================================================================
FP - from pool. T - temporary connection. PP - pending pernament. In - inbound. Out - outbound.
[Expert@MyGW:0]#


fw ctl multik get_instance


Description
Shows the CoreXL FW instance that processes the specified IPv4 connection.
Important - This command works only if the CoreXL Dynamic Dispatcher is disabled (see
sk105261 http://supportcontent.checkpoint.com/solutions?id=sk105261), because with the Dynamic
Dispatcher enabled the instance is chosen at connection setup from CPU utilization, not computed
from the connection's addresses and protocol.

Syntax
• To show the CoreXL FW instance that processes the specified IPv4 connection:
fw ctl multik get_instance sip=<Source IPv4 Address> dip=<Destination IPv4 Address> proto=<Protocol Number>

• To show the CoreXL FW instance that processes the specified range of IPv4 connections:
fw ctl multik get_instance sip=<Source IPv4 Address Start>-<Source IPv4 Address End> dip=<Destination IPv4 Address Start>-<Destination IPv4 Address End> proto=<Protocol Number>

Parameters
Parameter - Description
<Source IPv4 Address> - Source IPv4 address of the specified connection
<Source IPv4 Address Start> - First source IPv4 address of the specified range of IPv4 addresses
<Source IPv4 Address End> - Last source IPv4 address of the specified range of IPv4 addresses
<Destination IPv4 Address> - Destination IPv4 address of the specified connection
<Destination IPv4 Address Start> - First destination IPv4 address of the specified range of IPv4
addresses
<Destination IPv4 Address End> - Last destination IPv4 address of the specified range of IPv4
addresses
<Protocol Number> - IANA protocol number
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
For example:
• 1 = ICMP
• 6 = TCP
• 17 = UDP


Example for specified IPv4 connection:


[Expert@MyGW:0]# fw ctl multik get_instance sip=192.168.2.3 dip=172.30.241.66 proto=6
protocol: 6
192.168.2.3 -> 172.30.241.66 => 3
[Expert@MyGW:0]#

Example for specified range of IPv4 connections:


[Expert@MyGW:0]# fw ctl multik get_instance sip=192.168.2.3-192.168.2.8 dip=172.30.241.66 proto=6
protocol: 6
192.168.2.3 -> 172.30.241.66 => 3
192.168.2.4 -> 172.30.241.66 => 0
192.168.2.5 -> 172.30.241.66 => 3
192.168.2.6 -> 172.30.241.66 => 5
192.168.2.7 -> 172.30.241.66 => 4
192.168.2.8 -> 172.30.241.66 => 5
[Expert@MyGW:0]#


fw ctl multik print_heavy_conn


Description
Shows the table with Heavy Connections (that consume the most CPU resources) in the CoreXL
Dynamic Dispatcher.
For more information about the CoreXL Dynamic Dispatcher, see sk105261
http://supportcontent.checkpoint.com/solutions?id=sk105261.
CoreXL suspects that a connection is "heavy" if it meets all of these conditions:
• Security Gateway detected the suspected connection during the last 24 hours
• The suspected connection lasts more than 10 seconds
• The CoreXL FW instance that processes this connection causes a CPU load of over 60%
• The suspected connection accounts for more than 50% of the total work the applicable CoreXL FW
instance does
The output table shows this information about the Heavy Connections:
• Source IP address
• Source Port
• Destination IP address
• Destination Port
• Protocol Number
• CoreXL FW instance ID that processes this connection
• CoreXL FW instance load on the CPU
• Connection's relative load on the CoreXL FW instance
Notes:
• This command shows the suspected heavy connections even if they are already closed.
• In the CPview http://supportcontent.checkpoint.com/solutions?id=sk101878 utility, go to CPU >
Top-Connections > InstancesX-Y > InstanceZ. Refer to the Top Connections section.

Syntax
fw [-d] ctl multik print_heavy_conn

Parameters
Parameter Description
-d Runs the command in debug mode. Use only if you troubleshoot the command
itself.


Example
[Expert@MyGW:0]# fw ctl multik print_heavy_conn
Source: 192.168.20.31; SPort: 51006; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50994; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50992; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load 61%; Connection instance load 100%
[Expert@MyGW:0]#


fw ctl multik prioq


Description
Configures the CoreXL Firewall Priority Queues. For more information, see sk105762
http://supportcontent.checkpoint.com/solutions?id=sk105762.
Important - This command saves the configuration in the $FWDIR/conf/prioq.conf file. You
must not edit this file manually.

Syntax for IPv4


fw ctl multik prioq
[0]
[1]
[2]

Syntax for IPv6


fw6 ctl multik prioq
[0]
[1]
[2]

Parameters
Parameter - Description
No parameters - Shows the interactive menu for configuration of the CoreXL Firewall Priority
Queues.
0 - Disables the CoreXL Firewall Priority Queues (Off).
1 - Enables the CoreXL Firewall Priority Queues in the Eviluator-only mode (evaluation of "evil"
connections).
2 - Enables the CoreXL Firewall Priority Queues (On).
Note - The mode numbers are the same as in the interactive menu shown in the example below.

Example
[Expert@MyGW:0]# fw ctl multik prioq
Current mode is Off

Available modes:
0. Off
1. Eviluator-only
2. On

Choose the desired mode number: (or 3 to Quit)


[Expert@MyGW:0]#


fw ctl multik show_bypass_ports


Description
Shows the TCP and UDP ports configured in the bypass port list of the CoreXL Dynamic Dispatcher
with the fw ctl multik add_bypass_port (on page 204) command.
For more information about the CoreXL Dynamic Dispatcher, see sk105261
http://supportcontent.checkpoint.com/solutions?id=sk105261.
Important - This command reads the configuration from the
$FWDIR/conf/dispatcher_bypass.conf file. You must not edit this file manually.

Syntax
fw ctl multik show_bypass_ports

Example
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(9999,8888)
[Expert@MyGW:0]#


fw ctl multik stat


Description
Shows information for each CoreXL FW instance.

Syntax for IPv4


fw [-d] ctl multik stat

Syntax for IPv6


fw6 [-d] ctl multik stat

Information in the output

• The ID number of each CoreXL FW instance (numbering starts from zero).
• The state of each CoreXL FW instance (Active: Yes or No).
• The ID number of the CPU core on which the CoreXL FW instance runs (instance 0 runs on the
highest available CPU ID, and the numbering counts down from there). A stopped instance shows "-".
• The number of concurrent connections the CoreXL FW instance currently handles.
• The peak number of concurrent connections the CoreXL FW instance handled since it
started.

Parameters
Parameter Description
-d Runs the command in debug mode. Use only if you troubleshoot the command
itself.

Example
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 5 | 21
1 | Yes | 6 | 3 | 23
2 | Yes | 5 | 5 | 25
3 | Yes | 4 | 4 | 21
4 | Yes | 3 | 5 | 21
5 | Yes | 2 | 5 | 20
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw6 ctl multik stat


ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 0 | 4
1 | Yes | 6 | 0 | 4
[Expert@MyGW:0]#


fw ctl multik start


Description
Starts CoreXL FW instances on-the-fly, if they were stopped with the fw ctl multik stop (on
page 219) command. Each invocation starts one stopped instance, the lowest stopped ID first, and
reports how many instances are active; repeat the command until it reports that all instances are
active (see the example).

Syntax for IPv4


fw ctl multik start

Syntax for IPv6


fw6 ctl multik start

Example
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | No | - | 6 | 13
1 | No | - | 3 | 11
2 | No | - | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
Instance 1 started (2 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
Instance 2 started (3 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
All instances are already active
[Expert@MyGW:0]#


fw ctl multik stop


Description
Stops CoreXL FW instances on-the-fly. Each invocation stops one instance, the highest active ID
first, and reports how many instances remain active (see the example).
Important - To start the CoreXL FW instances on-the-fly again, run the fw ctl multik start (on
page 218) command.

Syntax for IPv4


fw ctl multik stop

Syntax for IPv6


fw6 ctl multik stop

Example
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
Instance 2 stopped (2 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
Instance 1 stopped (1 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 4 | 13
1 | No | - | 3 | 11
2 | No | - | 7 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
All instances are already inactive
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | No | - | 6 | 13
1 | No | - | 3 | 11
2 | No | - | 4 | 13
[Expert@MyGW:0]#

fw ctl multik utilize


Description
Shows the CoreXL queue utilization for each CoreXL FW instance.
Note - This command does not support VSX.

Syntax for IPv4


fw ctl multik utilize

Syntax for IPv6


fw6 ctl multik utilize

Example
[Expert@MyGW:0]# fw ctl multik utilize
ID | Utilize(%) | Queue Elements
----------------------------------
0 | 1 | 30
1 | 0 | 10
2 | 0 | 17
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw6 ctl multik utilize
ID | Utilize(%) | Queue Elements
----------------------------------
0 | 0 | 0
1 | 0 | 0
[Expert@MyGW:0]#

fw ctl affinity
The fw ctl affinity command shows and configures the CoreXL affinity settings for:
• Interfaces
• User-space processes
• CoreXL FW instances

Running the 'fw ctl affinity -l' command in Gateway Mode


Description
The fw ctl affinity -l command shows the current CoreXL affinity settings on a Security
Gateway for:
• Interfaces
• User-space processes
• CoreXL FW instances

Syntax
• To see the built-in help:
fw ctl affinity

• To show all the existing affinities:


fw ctl affinity -l [-a] [-v] [-r] [-q]

• To show the affinity for a specified interface:


fw ctl affinity -l -i <Interface Name>

• To show the affinity for a specified CoreXL FW instance:


fw ctl affinity -l -k <CoreXL FW Instance ID>

• To show the affinity for a specified user-space process by its PID:


fw ctl affinity -l -p <Process ID>

• To show the affinity for a specified user-space process by its name:


fw ctl affinity -l -n <Process Name>

• To show the number of system CPU cores allowed by the installed CoreXL license:
fw -d ctl affinity -corelicnum

Parameters
Parameter                    Description
-i <Interface Name>          Shows the affinity for the specified interface.
-k <CoreXL FW Instance ID>   Shows the affinity for the specified CoreXL FW instance.
-p <Process ID>              Shows the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its PID.
-n <Process Name>            Shows the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its name.
all                          Shows the affinity for all CPU cores (numbers start from zero).
<CPU ID0> ... <CPU IDn>      Shows the affinity for the specified CPU cores (numbers start from zero).
-a                           Shows all current CoreXL affinities.
-v                           Shows verbose output with IRQ numbers of interfaces.
-r                           Shows the CoreXL affinities in reverse order.
-q                           Suppresses the errors in the output.

Example 1
[Expert@MyGW:0]# fw ctl affinity -l
eth0: CPU 0
eth1: CPU 0
eth2: CPU 0
eth3: CPU 0
fw_0: CPU 7
fw_1: CPU 6
fw_2: CPU 5
fw_3: CPU 4
fw_4: CPU 3
fw_5: CPU 2
fwd: CPU 2 3 4 5 6 7
fgd50: CPU 2 3 4 5 6 7
status_proxy: CPU 2 3 4 5 6 7
rad: CPU 2 3 4 5 6 7
cpstat_monitor: CPU 2 3 4 5 6 7
mpdaemon: CPU 2 3 4 5 6 7
cpsead: CPU 2 3 4 5 6 7
cserver: CPU 2 3 4 5 6 7
rtmd: CPU 2 3 4 5 6 7
fwm: CPU 2 3 4 5 6 7
cpsemd: CPU 2 3 4 5 6 7
cpca: CPU 2 3 4 5 6 7
cprid: CPU 2 3 4 5 6 7
cpd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

Example 2
[Expert@MyGW:0]# fw ctl affinity -l -a -v
Interface eth0 (irq 67): CPU 0
Interface eth1 (irq 75): CPU 0
Interface eth2 (irq 83): CPU 0
Interface eth3 (irq 59): CPU 0
fw_0: CPU 7
fw_1: CPU 6
fw_2: CPU 5
fw_3: CPU 4
fw_4: CPU 3
fw_5: CPU 2
fwd: CPU 2 3 4 5 6 7
fgd50: CPU 2 3 4 5 6 7
status_proxy: CPU 2 3 4 5 6 7
rad: CPU 2 3 4 5 6 7
cpstat_monitor: CPU 2 3 4 5 6 7
mpdaemon: CPU 2 3 4 5 6 7
cpsead: CPU 2 3 4 5 6 7
cserver: CPU 2 3 4 5 6 7
rtmd: CPU 2 3 4 5 6 7
fwm: CPU 2 3 4 5 6 7
cpsemd: CPU 2 3 4 5 6 7
cpca: CPU 2 3 4 5 6 7
cprid: CPU 2 3 4 5 6 7
cpd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

Example 3
[Expert@MyGW:0]# fw ctl affinity -l -a -v -r
CPU 0: eth0 (irq 67) eth1 (irq 75) eth2 (irq 83) eth3 (irq 59)
CPU 1:
CPU 2: fw_5
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 3: fw_4
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 4: fw_3
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 5: fw_2
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 6: fw_1
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
CPU 7: fw_0
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid cpd
All:
[Expert@MyGW:0]#

Example 4
[Expert@MyGW:0]# fw ctl affinity -l -i eth0
eth0: CPU 0
[Expert@MyGW:0]#

Example 5
[Expert@MyGW:0]# ps -ef | grep -v grep | egrep "PID|fwd"
UID PID PPID C STIME TTY TIME CMD
admin 26641 26452 0 Mar27 ? 00:06:56 fwd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -l -p 26641
Process 26641: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -l -n fwd
fwd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

Example 6
[Expert@MyGW:0]# fw ctl affinity -l -k 1
fw_1: CPU 6
[Expert@MyGW:0]#

Example 7
[Expert@MyGW:0]# fw -d ctl affinity -corelicnum
[5363 4134733584]@MyGW[4 Apr 18:11:03] Number of system CPUs 8
[5363 4134733584]@MyGW[4 Apr 18:11:03] cplic_get_navailable_cpus: fw_get_allowed_cpus_num returned
invalid value (100000) - all cpus considered as allowed!!!
4
[5363 4134733584]@MyGW[4 Apr 18:11:03] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MyGW:0]#

Running the 'fw ctl affinity -l' command in VSX Mode


Description
The fw ctl affinity -l command shows the CoreXL affinity settings on a VSX Gateway for:
• Interfaces
• User-space processes
• CoreXL FW instances
Note - Before running the fw ctl affinity -l -x commands, you must go to the context of the
applicable Virtual System or Virtual Router with the Gaia Clish command set virtual-system
<VSID>.

Syntax
• To show the affinities in VSX mode (you can combine the optional parameters):
fw ctl affinity -l -x
[-vsid <VSID ranges>]
[-cpu <CPU ID ranges>]
[-flags {e | k | t | n | h | o}]

• To show the number of system CPU cores allowed by the installed CoreXL license:
fw -d ctl affinity -corelicnum

Parameters
Parameter                       Description
-vsid <VSID ranges>             Shows the affinity for:
                                • The specified single Virtual System (for example, -vsid 7)
                                • The specified several Virtual Systems (for example, -vsid 0-2 4)
                                If you omit the -vsid parameter, the command runs in the current virtual context.
-cpu <CPU ID ranges>            Shows the affinity for:
                                • The specified single CPU (for example, -cpu 7)
                                • The specified several CPU cores (for example, -cpu 0-2 4)
-flags {e | k | t | n | h | o}  The -flags parameter requires at least one of these arguments:
                                • e - Do not print the exception processes
                                • k - Do not print the kernel threads
                                • t - Print all process threads
                                • n - Print the process name instead of the /proc/<PID>/cmdline
                                • h - Print the CPU mask in Hex format
                                • o - Print the output into the file called /tmp/affinity_list_output
                                Important - You must specify multiple arguments together. For example: -flags tn

Example 1
[Expert@VSX_GW:0]# fw ctl affinity -l -x -cpu 0
---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 2 | 0 | 0 | | | K | |
| 3 | 0 | 0 | | | K | |
| 4 | 0 | 0 | | | K | |
| 14 | 0 | 0 | | | K | |
| 99 | 0 | 0 | | | K | |
| 278 | 0 | 0 | | | K | |
| 382 | 0 | 0 | | | K | |
| 674 | 0 | 0 | | | K | |
| 2195 | 0 | 0 | | | K | |
| 6348 | 0 | 0 | | | K | |
| 6378 | 0 | 0 | | | K | |
---------------------------------------------------------------------
PID - represents the pid of the process
VSID - represents the virtual device id
CPU - represents the CPUs assigned to the specific process
SRC - represents the source configuration file of the process - (V)SID / (I)nstance / (P)rocess
V - represents validity,star means that the actual affinity is different than the configured affinity
KT - represents whether the process is a kernel thread
EXC - represents whether the process belongs to the process exception list (vsaffinity_exception.conf)
[Expert@VSX_GW:0]#

Example 2
[Expert@VSX_GW:0]# fw ctl affinity -l -x -vsid 1
---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 3593 | 1 | 1 2 3 | | | | | httpd
| 10997 | 1 | 1 2 3 | | | | | cvpn_rotatelogs
| 11005 | 1 | 1 2 3 | | | | | httpd
| 22294 | 1 | 1 2 3 | | | | | routed
| 22328 | 1 | 1 2 3 | | | | | fwk_wd
| 22333 | 1 | 1 2 3 | P | | | | fwk
| 22488 | 1 | 1 2 3 | | | | | cpd
| 22492 | 1 | 1 2 3 | | | | | fwd
| 22504 | 1 | 1 2 3 | | | | | cpviewd
| 22525 | 1 | 1 2 3 | | | | | mpdaemon
| 22527 | 1 | 1 2 3 | | | | | ci_http_server
| 30629 | 1 | 1 2 3 | | | | | vpnd
| 30631 | 1 | 1 2 3 | | | | | pdpd
| 30632 | 1 | 1 2 3 | | | | | pepd
| 30635 | 1 | 1 2 3 | | | | | fwpushd
| 30743 | 1 | 1 2 3 | | | | | dbwriter
| 30748 | 1 | 1 2 3 | | | | | cvpnproc
| 30752 | 1 | 1 2 3 | | | | | MoveFileServer
| 30756 | 1 | 1 2 3 | | | | | CvpnUMD
| 30760 | 1 | 1 2 3 | | | | | Pinger
| 30764 | 1 | 1 2 3 | | | | | IdlePinger
| 30770 | 1 | 1 2 3 | | | | | cvpnd
---------------------------------------------------------------------
[Expert@VSX_GW:0]#

Running the 'fw ctl affinity -s' command in Gateway Mode


Description
The fw ctl affinity -s command configures the CoreXL affinity settings on a Security
Gateway for:
• Interfaces
• User-space processes
• CoreXL FW instances
Notes:
• Changes you make with this command do not survive a reboot of the Security Gateway. If you want the settings to survive a reboot, do one of these:
  • Manually edit the $FWDIR/conf/fwaffinity.conf configuration file.
  • Run the sim affinity -s command (configures the affinity for interfaces only).
• The fw ctl affinity -s command cannot configure affinity for interfaces if you already configured affinity for interfaces with the SecureXL sim affinity command (in Automatic or Static mode).

Syntax
• To see the built-in help:
fw ctl affinity

• To configure the affinity for a specified interface by its name:
fw ctl affinity -s -i <Interface Name> {all | <CPU ID0> [<CPU ID1> ... <CPU IDn>]}

• To configure the affinity for a specified CoreXL FW instance:
fw ctl affinity -s -k <CoreXL FW Instance ID> {all | <CPU ID0> [<CPU ID1> ... <CPU IDn>]}

• To configure the affinity for a specified user-space process by its PID:
fw ctl affinity -s -p <Process ID> {all | <CPU ID0> [<CPU ID1> ... <CPU IDn>]}

• To configure the affinity for a specified user-space process by its name:
fw ctl affinity -s -n <Process Name> {all | <CPU ID0> [<CPU ID1> ... <CPU IDn>]}

Parameters
Parameter                    Description
-i <Interface Name>          Configures the affinity for the specified interface.
-k <CoreXL FW Instance ID>   Configures the affinity for the specified CoreXL FW instance.
-p <Process ID>              Configures the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its PID.
-n <Process Name>            Configures the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its name.
                             Important - The process name is case-sensitive.
all                          Configures the affinity for all CPU cores (numbers start from zero).
<CPU ID0> ... <CPU IDn>      Configures the affinity for the specified CPU cores (numbers start from zero).

Example 1 - Affine the interface eth1 to the CPU core #1


[Expert@MyGW:0]# fw ctl affinity -s -i eth1 1
eth1: CPU 1 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 2 - Affine the CoreXL FW instance #1 to the CPU core #2


[Expert@MyGW:0]# fw ctl affinity -s -k 1 2
fw_1: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 3 - Affine the process CPD by its PID to the CPU core #2
[Expert@MyGW:0]# cpwd_admin list | egrep "PID|cpd"
APP PID STAT #START START_TIME MON COMMAND
CPD 6080 E 1 [13:46:27] 17/9/2018 Y cpd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -s -p 6080 2
Process 6080: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 4 - Affine the process CPD by its name to the CPU core #2
[Expert@MyGW:0]# fw ctl affinity -s -n cpd 2
cpd: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Running the 'fw ctl affinity -s' command in VSX Mode


Description
The fw ctl affinity -s command configures the CoreXL affinity settings on a VSX Gateway for:
• Interfaces
• User-space processes
• CoreXL FW instances

Syntax
• To see the built-in help:
fw ctl affinity

• To configure the affinities of Virtual Systems:
fw ctl affinity -s -d [-vsid <VSID ranges>] -cpu <CPU ID ranges>

• To configure the affinities of a specified user-space process:
fw ctl affinity -s -d -pname <Process Name> [-vsid <VSID ranges>] -cpu {all | <CPU ID ranges>}

• To configure the affinities of specified FWK daemon instances (user-space Firewall):
fw ctl affinity -s -d -inst <Instances Ranges> -cpu <CPU ID ranges>

• To configure the affinities of all FWK instances (user-space Firewalls):
fw ctl affinity -s -d -fwkall <Number of CPUs>

• To reset the affinities to defaults:
fw ctl affinity {-vsx_factory_defaults | -vsx_factory_defaults_no_prompt}

Important
• These settings do not survive a reboot of the VSX Gateway.
To make these settings permanent, manually edit the $FWDIR/conf/fwaffinity.conf (on page
190) configuration file.
• When you configure the affinity of an interface, the command automatically configures the affinities of all other interfaces that share the same IRQ to the same CPU core.

Parameters
Parameter Description
-vsid <VSID ranges> Configures the affinity for:
• One specified Virtual System.
For example: -vsid 7
• Several specified Virtual Systems.
For example: -vsid 0-2 4
Note - If you omit the -vsid parameter, the
command uses the current virtual context.
-cpu <CPU ID ranges> Configures the affinity to:
• One specified CPU core.
For example: -cpu 7
• Several specified CPU cores.
For example: -cpu 0-2 4
Important - Numbers of CPU cores start from zero.
-pname <Process Name> Configures the affinity for the Check Point daemon
specified by its name (for example: fwd, vpnd).
Important - The process name is case-sensitive.
-inst <Instances Ranges> Configures the affinity for:
• One specified FWK daemon instance.
For example: -inst 7
• Several specified FWK daemon instances.
For example: -inst 0 2 4
-fwkall <Number of CPUs> Configures the affinity for all running FWK daemon
instances to the specified number of CPU cores.
If you need to affine all running FWK daemon
instances to all CPU cores, enter the number of all
available CPU cores.
-vsx_factory_defaults Deletes all existing affinity settings and creates the
default affinity settings during the next reboot.
Before this operation, the command prompts the
user whether to proceed.
Note - You must reboot to complete the operation.
-vsx_factory_defaults_no_prompt Deletes all current affinity settings and creates the
default affinity settings during the next reboot.
Important - Before this operation, the command
does not prompt the user whether to proceed.
Note - You must reboot to complete the operation.

Example 1 - Affine the Virtual Devices #0,1,2,4,6,7,8 to the CPU cores #0,1,2,4
[Expert@MyGW:0]# fw ctl affinity -s -d -vsid 0-2 4 6-8 -cpu 0-2 4
VDevice 0-2 4 6-8 : CPU 0 1 2 4 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 2 - Affine the process CPD by its name for Virtual Devices #0-12 to the CPU core #7
[Expert@MyGW:0]# fw ctl affinity -s -d -pname cpd -vsid 0-12 -cpu 7
VDevice 0-12 : CPU 7 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
Warning: some of the VSIDs did not exist
[Expert@MyGW:0]#

Example 3 - Affine the FWK daemon instances #0,2,4 to the CPU core #5
[Expert@MyGW:0]# fw ctl affinity -s -d -inst 0 2 4 -cpu 5
VDevice 0 2 4: CPU 5 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 4 - Affine all FWK daemon instances to the last two CPU cores
[Expert@MyGW:0]# fw ctl affinity -s -d -fwkall 2
VDevice 0-2 : CPU 2 3 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

Example 5 - Affine all FWK daemon instances to all CPU cores


[Expert@MyGW:0]# fw ctl affinity -s -d -fwkall 4
There are configured processes/FWK instances
(y) will override all currently configured affinity and erase the configuration files
(n) will set affinity only for unconfigured processes/threads
Do you want to override existing configurations (y/n) ? y
VDevice 0-2 : CPU all - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

fw -i
Description
By default, the fw commands apply to the entire Security Gateway. The fw commands show
aggregated information for all CoreXL FW instances.
The fw -i commands apply to the specified CoreXL FW instance.

Syntax
fw -i <ID of CoreXL FW instance> <Command>

Parameters
Parameter Description
<ID of CoreXL FW instance> Specifies the ID of the CoreXL FW instance.
To see the available IDs, run the command fw ctl multik
stat (on page 217).
<Command> Only these commands support the fw -i syntax:
• fw -i <ID> conntab ...
• fw -i <ID> ctl get ...
• fw -i <ID> ctl leak ...
• fw -i <ID> ctl pstat ...
• fw -i <ID> ctl set ...
• fw -i <ID> monitor ...
• fw -i <ID> tab ...
For details and additional parameters for any of these
commands, refer to the corresponding entry for each command.

Example - Show the Connections table for CoreXL FW instance #1


fw -i 1 tab -t connections

CHAPTER 4

Multi-Queue
In This Section:
Introduction to Multiple Traffic Queues ............................................................233
Multi-Queue Administration ............................................................................237
Basic Multi-Queue Configuration .....................................................................238
Advanced Multi-Queue settings .......................................................................240
Special Scenarios and Configurations ..............................................................245
Troubleshooting .............................................................................................248

Introduction to Multiple Traffic Queues


When most of the traffic is accelerated by the SecureXL, the CPU load from the CoreXL (on page
181) SND instances can be very high, while the CPU load from the CoreXL FW instances can be
very low. This is an inefficient utilization of CPU capacity.
By default, the number of CPU cores allocated to CoreXL SND instances is limited by the number
of network interfaces that handle the traffic. Because each interface has one traffic queue, only
one CPU core can handle each traffic queue at a time. This means that each CoreXL SND instance
can use only one CPU core at a time for each network interface.
Check Point Multi-Queue lets you configure more than one traffic queue for each network
interface. For each interface, you can use more than one CPU core (that runs CoreXL SND) for
traffic acceleration. This balances the load efficiently between the CPU cores that run the CoreXL
SND instances and the CPU cores that run CoreXL FW instances.
Important:
• Multi-Queue applies only if SecureXL is enabled (this is the default).
• Multi-Queue on the Falcon Acceleration Cards is enabled and configured automatically.

Multi-Queue Requirements and Limitations


• Multi-Queue is not supported on computers with one CPU core.
• Network interfaces must use the driver that supports Multi-Queue.
• Multi-Queue does not use network interfaces that are currently in the down state.
• The number of queues is limited by the number of CPU cores and the type of interface driver:
  Interface Driver   Interface Speed   Maximal Number of RX Queues
  igb                1 Gb              4
  ixgbe              10 Gb             16
  i40e               40 Gb             14
  mlx5_core          40 Gb             10
• You can configure a maximum of five interfaces with Multi-Queue.
• You must reboot the Security Gateway after all changes in the Multi-Queue configuration.

Deciding Whether to Enable the Multi-Queue


This section helps you decide if you can benefit from the Multi-Queue.
We recommend that you do these steps before you configure the Multi-Queue:
1. Make sure that network interfaces support Multi-Queue.
2. Make sure that SecureXL is enabled.
3. Examine the CPU roles allocation.
4. Examine the CPU cores utilization.
5. Decide if you can allocate more CPU cores to run the CoreXL SND instances.

To make sure that network interfaces support Multi-Queue


Only network cards that use the igb (1Gb), ixgbe (10Gb), i40e (40Gb), or mlx5_core (40Gb) drivers support the Multi-Queue.
Important - Before you upgrade these drivers, make sure that the latest version supports the Multi-Queue.

Gateway Type            Network Interfaces that Support the Multi-Queue
Check Point Appliance   These expansion line cards support the Multi-Queue:
                        • CPAC-4-1C
                        • CPAC-4-1F
                        • CPAC-8-1C
                        • CPAC-2-10F
                        • CPAC-4-10F
                        • CPAC-2-40F
                        • CPAC-2-100/25F
                        • CPAC-2-10-FSR
Open Server             Network cards that use one of these drivers support the Multi-Queue:
                        • igb (1Gb)
                        • ixgbe (10Gb)
                        • i40e (40Gb)
                        • mlx5_core (40Gb)

Notes:
• To see which driver an interface uses, run this command in the Expert mode:
ethtool -i <Name of Interface>
• When you install a new interface, you must run these two commands:
cpmq reconfigure
reboot

To make sure that SecureXL is enabled


Step Description
1 Connect to the command line on the Security Gateway.
2 Log in to the Gaia Clish, or the Expert mode.
3 Run:
fwaccel stat -t (on page 69)
4 Examine the Status column.
Example from a non-VSX Gateway:
[Expert@MyGW:0]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,| |
| | | |eth5,eth6,eth7 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

5 If the SecureXL is disabled, enable it. Run:
fwaccel on (on page 61)

To examine the CPU roles allocation


Step Description
1 Connect to the command line on the Security Gateway.
2 Log in to the Gaia Clish, or the Expert mode.
3 Run:
fw ctl affinity -l [-a][-v][-r] (on page 221)

Example - CPU0 and CPU1 run the CoreXL SND instances:
[Expert@GW:0]# fw ctl affinity -l
Mgmt: CPU 0
eth1-04: CPU 1
eth1-05: CPU 0
eth1-06: CPU 1
eth1-07: CPU 0
fw_0: CPU 5
fw_1: CPU 4
fw_2: CPU 3
fw_3: CPU 2
[Expert@GW:0]#

To examine the CPU cores utilization


Step Description
1 Connect to the command line on the Security Gateway.
2 Log in to the Gaia Clish, or the Expert mode.
3 Run:
top
4 Press 1 to show all the CPU cores.

Example:
• CPU cores that run CoreXL SND instances (CPU0 and CPU1) are approximately 30% idle.
• CPU cores that run CoreXL Firewall instances are approximately 70% idle.
top - 18:02:33 up 8 days, 1:18, 1 user, load average: 1.22, 1.38, 1.48
Tasks: 137 total, 3 running, 134 sleeping, 0 stopped, 0 zombie
Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 28.7%id, 5.9%wa, 0.0%hi, 63.4%si, 0.0%st
Cpu1 : 0.0%us, 1.0%sy, 0.0%ni, 27.6%id, 0.0%wa, 0.0%hi, 71.4%si, 0.0%st
Cpu2 : 2.0%us, 2.0%sy, 0.0%ni, 66.5%id, 0.0%wa, 4.0%hi, 25.5%si, 0.0%st
Cpu3 : 1.0%us, 2.0%sy, 0.0%ni, 71.3%id, 0.0%wa, 0.0%hi, 25.7%si, 0.0%st
Cpu4 : 5.0%us, 1.0%sy, 0.0%ni, 69.0%id, 0.0%wa, 0.0%hi, 25.0%si, 0.0%st
Mem: 12224020k total, 70005820k used, 5218200k free, 273536k buffers
Swap: 14707496k total, 0k used, 14707496k free, 484340k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3301 root 15 0 0 0 0 R 31 0.0 747:04 [fw_worker_3]
3326 root 15 0 0 0 0 R 29 0.0 593:35 [fw_worker_0]
... ... ...

To decide if you can allocate more CPU cores to run the CoreXL SND instances
If you have more active network interfaces than CPU cores that run CoreXL SND instances, you can allocate more CPU cores to run more CoreXL SND instances.
We recommend that you configure the Multi-Queue when:
1. CoreXL SND instances cause high CPU load (idle is less than 20%).
2. CoreXL Firewall instances cause low CPU load (idle is greater than 50%).
Note - You cannot assign more CPU cores to run CoreXL SND instances if you change the interface IRQ affinity.
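The decision steps above, together with the CPU-role split described under Multi-Queue Administration, as an added offline check (example code, not from the guide or the product): it parses constructed 'fw ctl affinity -l' and per-CPU 'top' output, applies the guide's thresholds (SND idle below 20%, FW idle above 50%), flags any core that holds both the SND and FW roles, and computes the default active RX queue count from the formula given under Advanced Multi-Queue settings, (Number of CPU cores) - (Number of CoreXL FW instances). It assumes the non-verbose 'name: CPU n ...' output format and that interfaces are listed before the first fw_<N> entry, as in the guide's samples.

```python
import re
from dataclasses import dataclass

# Thresholds the guide gives: SND cores below 20% idle, FW cores above 50% idle.
SND_IDLE_MAX = 20.0
FW_IDLE_MIN = 50.0

# Constructed sample in 'fw ctl affinity -l' format (not a real capture):
# 6 cores, interfaces on CPU 0-1, fw_0..fw_3 on CPU 2-5, daemons on CPU 2-5.
AFFINITY_OUTPUT = """\
Mgmt: CPU 0
eth1-04: CPU 1
eth1-05: CPU 0
eth1-06: CPU 1
fw_0: CPU 5
fw_1: CPU 4
fw_2: CPU 3
fw_3: CPU 2
fwd: CPU 2 3 4 5
cpd: CPU 2 3 4 5
"""
# Constructed per-CPU lines of 'top' after pressing 1 (not a real capture).
TOP_OUTPUT = """\
Cpu0 : 1.0%us, 0.0%sy, 0.0%ni, 12.0%id, 0.0%wa, 0.0%hi, 87.0%si, 0.0%st
Cpu1 : 0.0%us, 1.0%sy, 0.0%ni, 8.0%id, 0.0%wa, 0.0%hi, 91.0%si, 0.0%st
Cpu2 : 2.0%us, 2.0%sy, 0.0%ni, 66.0%id, 0.0%wa, 4.0%hi, 26.0%si, 0.0%st
Cpu3 : 1.0%us, 2.0%sy, 0.0%ni, 70.0%id, 0.0%wa, 0.0%hi, 27.0%si, 0.0%st
Cpu4 : 5.0%us, 1.0%sy, 0.0%ni, 68.0%id, 0.0%wa, 0.0%hi, 26.0%si, 0.0%st
Cpu5 : 3.0%us, 1.0%sy, 0.0%ni, 72.0%id, 0.0%wa, 0.0%hi, 24.0%si, 0.0%st
"""


@dataclass
class Assessment:
    snd_cpus: frozenset         # cores handling interfaces (CoreXL SND role)
    fw_cpus: frozenset          # cores running CoreXL FW instances
    shared_cpus: frozenset      # cores in both roles; the guide says keep this empty
    snd_idle: float             # mean %idle over SND cores
    fw_idle: float              # mean %idle over FW cores
    fw_instances: int
    default_rx_queues: int      # (Number of CPU cores) - (Number of CoreXL FW instances)
    recommend_multi_queue: bool


def parse_affinity(text):
    """Parse non-verbose 'fw ctl affinity -l' lines '<name>: CPU <id> [<id> ...]'
    into (name, cpus) pairs. 'CPU all' yields [] (the core set is not printed);
    verbose 'Interface ...' and 'Process <PID>: ...' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+):\s+CPU\s+(.+?)\s*$", line)
        if m:
            spec = m.group(2)
            cpus = [] if spec == "all" else [int(c) for c in spec.split()]
            entries.append((m.group(1), cpus))
    return entries


def split_roles(entries):
    """Return (snd_cpus, fw_cpus, fw_instance_count).
    Assumption (true of the guide's sample output, not a documented contract):
    interfaces are listed before the first fw_<N> entry, fw_<N> entries are the
    CoreXL FW instances, and daemons listed after them are ignored."""
    snd, fw, fw_count, seen_fw = set(), set(), 0, False
    for name, cpus in entries:
        if re.fullmatch(r"fw_\d+", name):
            seen_fw, fw_count = True, fw_count + 1
            fw.update(cpus)
        elif not seen_fw:
            snd.update(cpus)
    return frozenset(snd), frozenset(fw), fw_count


def parse_top_idle(text):
    """Map CPU id -> %idle from the per-CPU 'CpuN :' lines of 'top'."""
    pattern = re.compile(r"^Cpu(\d+)\s*:.*?([\d.]+)%id", re.MULTILINE)
    return {int(m.group(1)): float(m.group(2)) for m in pattern.finditer(text)}


def assess(affinity_text, top_text):
    """Apply the guide's decision rule to the two captured outputs."""
    snd, fw, fw_count = split_roles(parse_affinity(affinity_text))
    idle = parse_top_idle(top_text)  # one CpuN line per core, so len() = core count

    def mean_idle(cores):
        vals = [idle[c] for c in cores if c in idle]
        return sum(vals) / len(vals) if vals else float("nan")

    snd_idle, fw_idle = mean_idle(snd), mean_idle(fw)
    return Assessment(
        snd_cpus=snd, fw_cpus=fw, shared_cpus=snd & fw,
        snd_idle=snd_idle, fw_idle=fw_idle, fw_instances=fw_count,
        default_rx_queues=len(idle) - fw_count,
        recommend_multi_queue=snd_idle < SND_IDLE_MAX and fw_idle > FW_IDLE_MIN,
    )


if __name__ == "__main__":
    print(assess(AFFINITY_OUTPUT, TOP_OUTPUT))
```

On a live gateway, feed the check the saved output of the two commands instead of the constructed samples; a non-empty shared_cpus set means a core is serving as both SND and FW, which the guide advises against.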

Multi-Queue Administration
There are two main roles for CPU cores applicable to SecureXL and CoreXL:
• A CPU core that runs SecureXL and CoreXL Secure Network Distributor (SND).
You can manually configure this with the sim affinity -s (on page 116) command.
• A CPU core that runs a CoreXL Firewall instance.
You can manually configure this with the fw ctl affinity (on page 221) command.
For best performance, the same CPU core should not work in both roles - as CoreXL SND and as
CoreXL FW.

Basic Multi-Queue Configuration


Description
The cpmq utility shows and configures the Multi-Queue on supported interfaces.

Syntax
• To show the existing Multi-Queue configuration:
cpmq get [-a] [-v] [-vv] [rx_num {igb | ixgbe | i40e | mlx5_core}]

• To configure the Multi-Queue for the specified driver:
cpmq set rx_num {igb | ixgbe | i40e | mlx5_core} {default | <Value>}

• To configure the IRQ affinity of the queues:
cpmq set affinity

Parameters
Parameter                                   Description
get                                         Shows Multi-Queue status only for active supported interfaces.
get -a                                      Shows Multi-Queue status of all supported interfaces.
                                            • [On] - Multi-Queue is enabled on the interface.
                                            • [Off] - Multi-Queue is disabled on the interface.
                                            • [Pending On] - Multi-Queue is currently disabled on the interface. Multi-Queue will be enabled on this interface only after rebooting the Security Gateway. This status can also indicate bad configuration or system errors.
                                            • [Pending Off] - Multi-Queue is enabled on the interface. Multi-Queue will be disabled on this interface only after rebooting the Security Gateway.
                                            Example:
                                            [Expert@GW:0]# cpmq get -a
                                            Active igb interfaces:
                                            eth1-05 [On]
                                            eth1-06 [Off]
                                            eth1-01 [Off]
                                            eth1-03 [Off]
                                            eth1-04 [On]
                                            Non active igb interfaces:
                                            eth1-02 [Off]
                                            [Expert@GW:0]#

get -v                                      Shows Multi-Queue status of supported interfaces with IRQ affinity information and RX bytes counters.
get -vv                                     Shows Multi-Queue status of supported interfaces with IRQ affinity information and RX bytes and packets counters.
set affinity                                Configures the IRQ affinity of the queues when:
                                            • Multi-Queue is enabled on an interface
                                            • The interface status is changed to "down"
                                            • The computer was rebooted
                                            Run this command after the interface status is changed back to "up".
                                            Important - Do not change the IRQ affinity of queues manually. Changing the IRQ affinity of the queues manually can affect performance.
set rx_num igb {default | <Value>}          Configures the number of active RX queues for interfaces that use the igb driver (1Gb).
set rx_num ixgbe {default | <Value>}        Configures the number of active RX queues for interfaces that use the ixgbe driver (10Gb).
set rx_num i40e {default | <Value>}         Configures the number of active RX queues for interfaces that use the i40e driver (40Gb).
set rx_num mlx5_core {default | <Value>}    Configures the number of active RX queues for interfaces that use the mlx5_core driver (40Gb).
set rx_num <Driver> default                 Configures the number of active RX queues to the number of CPUs that are not used by CoreXL FW instances (recommended).
set rx_num <Driver> <Value>                 Configures the specified number of active RX queues. This number can be between two and the total number of CPU cores.

To see the current Multi-Queue configuration:
On the Security Gateway, run:
cpmq get
Note - Output does not show network interfaces that are currently in the down state.

To configure Multi-Queue:
On the Security Gateway, run:
cpmq set

Notes:
• Multi-Queue lets you configure a maximum of five interfaces.
• You must reboot the Security Gateway after all changes in the Multi-Queue configuration.
• Output does not show network interfaces that are currently in the down state.

Advanced Multi-Queue settings


Description
Advanced Multi-Queue settings include:
• Controlling the number of queues
• IRQ Affinity
• Viewing the CPU utilization

To see the current number of active RX queues:
On the Security Gateway, run:
cpmq get rx_num {igb | ixgbe | i40e | mlx5_core}

To configure the specified number of RX queues:
The number of RX queues depends on the interface driver:

igb (recommended number of RX queues: 4)
When you configure the Multi-Queue for an igb interface, it calculates the number of TX and RX queues based on the number of active RX queues.
Note - The number of queues for the on-board interfaces (Mgmt and Sync) on Check Point appliances is limited to just two queues (hardware restriction).

ixgbe (recommended number of RX queues: 16)
• When you configure the Multi-Queue for an ixgbe interface, it creates an RxTx queue for each CPU core. You can control the number of active RX queues with this command:
cpmq set rx_num ixgbe {default | <Value>}
• All TX queues are active.

i40e (recommended number of RX queues: 14)
When you configure the Multi-Queue for an i40e interface, it calculates the number of TX and RX queues based on the number of active RX queues with a maximum queue value set to 14.

mlx5_core (recommended number of RX queues: 10)
When you configure the Multi-Queue for an mlx5_core interface, it calculates the number of TX and RX queues based on the number of active RX queues with a maximum queue value set to 10.

Notes:
• By default, Security Gateway calculates the number of active RX queues based on this formula:
Active RX queues = (Number of CPU cores) - (Number of CoreXL FW instances)
• By default, VSX Gateway calculates the number of active RX queues based on this formula:
Active RX queues = The lowest CPU ID, to which an FWK process is assigned
On the Security Gateway, run:
cpmq set rx_num {igb | ixgbe | i40e | mlx5_core} <Number of Active RX Queues>

To configure the recommended number of RX queues:


On a Security Gateway, the number of active queues changes automatically when you change the
number of CoreXL FW instances in the cpconfig menu (on page 185).
If you configured the number of RX queues manually, the number of active RX queues does not
change automatically.
On the Security Gateway, run:
cpmq set rx_num {igb | ixgbe | i40e | mlx5_core} default

IRQ Affinity of the RX and TX queues:


The Security Gateway configures the IRQ affinity of the queues automatically when it boots.
The configuration depends on the number of CPU cores.
Examples:

SMT on Appliance: SMT (HyperThreading) is disabled
Example: If you configured rx_num to 3 on an appliance with 4 CPU cores:
• rxtx-0 -> CPU 0
• rxtx-1 -> CPU 1
• rxtx-2 -> CPU 2
• rxtx-3 -> CPU 3
This is also true in cases where you assign the RX and TX queues with a separated IRQ:
• rx-0 -> CPU 0
• tx-0 -> CPU 0
• rx-1 -> CPU 1
• tx-1 -> CPU 1
• and so on.

SMT on Appliance: SMT (HyperThreading) is enabled (see sk93000
http://supportcontent.checkpoint.com/solutions?id=sk93000)
Example: If you configured rx_num to 3 on an appliance with 8 CPU cores:
• rxtx-0 -> CPU 0
• rxtx-1 -> CPU 4
• rxtx-2 -> CPU 1
• rxtx-3 -> CPU 5
Notes:
• You cannot use the sim affinity (on page 116) or the fw ctl affinity (on page 221)
commands to change and query the IRQ affinity of the Multi-Queue interfaces.
• You can reset the affinity of Multi-Queue IRQs. Run: cpmq set affinity
• You can view the affinity of Multi-Queue IRQs. Run: cpmq get -v
Important - Do not change the IRQ affinity of queues manually. This can negatively
affect the performance of your Security Gateway.

To see the CPU utilization:


1. Find the CPU cores assigned to Multi-Queue IRQs. Run:
cpmq get -v

Example:
[Expert@GW:0]# cpmq get -v

Active mlx5_core interfaces:


eth2-01 [On]

Active i40e interfaces:


eth5-01 [On]
eth5-02 [Off]

Active ixgbe interfaces:


eth4-01 [On]
eth4-02 [On]

Active igb interfaces:


Mgmt [On]

The rx_num for mlx5_core is: 10 (default)


The rx_num for i40e is: 10
The rx_num for ixgbe is: 16 (default)
The rx_num for igb is: 2

multi-queue affinity for mlx5_core interfaces:


CPU | TX | Vector | RX Bytes
-------------------------------------------------------------
0 | 0 | eth2-01-0 (211) | 0
1 | 2 | eth2-01-2 (227) | 0
2 | 4 | eth2-01-4 (52) | 0
3 | 6 | eth2-01-6 (68) | 0
4 | 8 | eth2-01-8 (84) | 0
5 | 10 | |

multi-queue affinity for i40e interfaces:


CPU | TX | Vector | RX Bytes
-------------------------------------------------------------
0 | 0 | i40e-eth5-01-TxRx-0 (99) | 0
1 | 2 | i40e-eth5-01-TxRx-2 (115) | 0
2 | 4 | i40e-eth5-01-TxRx-4 (131) | 0
3 | 6 | i40e-eth5-01-TxRx-6 (147) | 0
4 | 8 | i40e-eth5-01-TxRx-8 (163) | 0
5 | 0 | |


multi-queue affinity for ixgbe interfaces:


CPU | TX | Vector | RX Bytes
-------------------------------------------------------------
0 | 0 | eth4-01-TxRx-0 (156) | 0
| | eth4-02-TxRx-0 (157) |
1 | 2 | eth4-01-TxRx-2 (172) | 0
| | eth4-02-TxRx-2 (173) |
2 | 4 | eth4-01-TxRx-4 (188) | 0
| | eth4-02-TxRx-4 (189) |
3 | 6 | eth4-01-TxRx-6 (204) | 0
| | eth4-02-TxRx-6 (205) |
4 | 8 | eth4-01-TxRx-8 (220) | 0
| | eth4-02-TxRx-8 (221) |
5 | 10 | eth4-01-TxRx-10 (236) | 0
| | eth4-02-TxRx-10 (237) |
6 | 12 | eth4-01-TxRx-12 (61) | 0
| | eth4-02-TxRx-12 (62) |
7 | 14 | eth4-01-TxRx-14 (77) | 0
| | eth4-02-TxRx-14 (78) |
[Expert@GW:0]#

2. Run:
top

3. Press 1 to show all the CPU cores.


Example - The CPU utilization of Multi-Queue CPU cores is approximately 50%, because CPU0
and CPU1 handle the queues:
top - 18:02:33 up 28 days, 1:18, 1 user, load average: 1.22, 1.38, 1.48
Tasks: 137 total, 3 running, 134 sleeping, 0 stopped, 0 zombie

Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 42.7%id, 5.9%wa, 0.0%hi, 49.4%si, 0.0%st


Cpu1 : 0.0%us, 1.0%sy, 0.0%ni, 55.2%id, 0.0%wa, 0.0%hi, 43.8%si, 0.0%st
Cpu2 : 2.0%us, 2.0%sy, 0.0%ni, 45.5%id, 0.0%wa, 4.0%hi, 46.5%si, 0.0%st
Cpu3 : 1.0%us, 2.0%sy, 0.0%ni, 74.5%id, 0.0%wa, 0.0%hi, 22.5%si, 0.0%st
Cpu4 : 5.0%us, 1.0%sy, 0.0%ni, 42.6%id, 0.0%wa, 0.0%hi, 51.5%si, 0.0%st

Mem: 12224020k total, 70005820k used, 5218200k free, 273536k buffers


Swap: 14707496k total, 0k used, 14707496k free, 484340k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND


3301 root 15 0 0 0 0 R 17 0.0 2747:04 [fw_worker_3]
3326 root 15 0 0 0 0 R 16 0.0 2593:35 [fw_worker_0]
... ... ...

For more information, run:


cpmq get -vv

Example:
[Expert@GW:0]# cpmq get -vv

Active i40e interfaces:


eth5-01 [On]
eth5-02 [Off]

Active ixgbe interfaces:


eth4-01 [On]
eth4-02 [On]

Active igb interfaces:


Mgmt [On]

The rx_num for i40e is: 10


The rx_num for ixgbe is: 16 (default)
The rx_num for igb is: 2

multi-queue affinity for i40e interfaces:


CPU | TX | Vector | RX Packets | RX Bytes
--------------------------------------------------------------------
0 | 0 | i40e-eth5-01-TxRx-0 (220) | 0 | 0
1 | 2 | i40e-eth5-01-TxRx-2 (236) | 0 | 0
2 | 4 | i40e-eth5-01-TxRx-4 (61) | 0 | 0
3 | 6 | i40e-eth5-01-TxRx-6 (77) | 0 | 0
4 | 8 | i40e-eth5-01-TxRx-8 (93) | 0 | 0
5 | 0 | | |


multi-queue affinity for ixgbe interfaces:


CPU | TX | Vector | RX Packets | RX Bytes
--------------------------------------------------------------------
0 | 0 | eth4-01-TxRx-0 (234) | 0 | 0
| | eth4-02-TxRx-0 (187) | |
1 | 2 | eth4-01-TxRx-2 (59) | 0 | 0
| | eth4-02-TxRx-2 (203) | |
2 | 4 | eth4-01-TxRx-4 (75) | 0 | 0
| | eth4-02-TxRx-4 (219) | |
3 | 6 | eth4-01-TxRx-6 (91) | 0 | 0
| | eth4-02-TxRx-6 (235) | |
4 | 8 | eth4-01-TxRx-8 (107) | 0 | 0
| | eth4-02-TxRx-8 (60) | |
5 | 10 | eth4-01-TxRx-10 (123) | 0 | 0
| | eth4-02-TxRx-10 (76) | |
6 | 12 | eth4-01-TxRx-12 (139) | 0 | 0
| | eth4-02-TxRx-12 (92) | |
7 | 14 | eth4-01-TxRx-14 (155) | 0 | 0
| | eth4-02-TxRx-14 (108) | |

multi-queue affinity for igb interfaces:


CPU | TX | Vector | RX Packets | RX Bytes
--------------------------------------------------------------------
0 | 0 | Mgmt-TxRx-0 (172) | 2752 | 176674
1 | 0 | | |
[Expert@GW:0]#
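The CPU utilization check above (find the Multi-Queue cores in cpmq get -v, then read their %si in top) done in one pass, as an added shell example that is not part of the Check Point guide. It parses the cpmq get -v / -vv affinity tables and the per-core Cpu lines of top exactly as they appear above; the function names, the constructed samples and the "busy" threshold are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: correlate the Multi-Queue
# IRQ affinity printed by "cpmq get -v" with the per-core softirq time printed
# by "top" (after pressing 1), so the manual "find the cores, then look at them
# in top" check can be repeated in one command.

# Print the distinct CPU IDs that host at least one Multi-Queue vector, on one
# line in order of first appearance. Reads "cpmq get -v" (or -vv) output on
# stdin. Data rows look like "0 | 0 | eth2-01-0 (211) | 0"; rows with an empty
# Vector column (a CPU without a queue) and continuation rows are skipped.
mq_cpus_from_cpmq() {
    awk -F'|' '
        NF >= 3 && $1 ~ /^[ \t]*[0-9]+[ \t]*$/ {
            vec = $3
            gsub(/[ \t]/, "", vec)
            cpu = $1 + 0
            if (vec != "" && !(cpu in seen)) {
                seen[cpu] = 1
                out = out (out == "" ? "" : " ") cpu
            }
        }
        END { print out }
    '
}

# For each CPU in the space-separated list $1, print its %si (softirq) value
# from "top" output read on stdin and mark it "busy" when it is at or above
# the threshold $2 (percent, default 80; the threshold is an assumption).
# Cores that do not appear in the top output are reported as "missing".
mq_softirq_report() {
    awk -v cpus="$1" -v limit="${2:-80}" '
        BEGIN { n = split(cpus, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
        # per-core lines look like "Cpu0 : 2.0%us, 0.0%sy, ..., 49.4%si, 0.0%st"
        $1 ~ /^Cpu[0-9]+$/ {
            cpu = substr($1, 4) + 0
            if (!(cpu in want)) next
            si = ""
            for (i = 2; i <= NF; i++) if ($i ~ /%si/) { si = $i; sub(/%si.*/, "", si) }
            if (si == "") next
            seen[cpu] = 1
            printf "Cpu%d %.1f%% si %s\n", cpu, si + 0, (si + 0 >= limit ? "busy" : "ok")
        }
        END { for (i = 1; i <= n; i++) if (!(c[i] in seen)) printf "Cpu%s missing\n", c[i] }
    '
}

# Constructed samples, shortened from the cpmq get -v and top outputs above.
sample_cpmq() {
    printf '%s\n' \
        'Active mlx5_core interfaces:' \
        'eth2-01 [On]' \
        'The rx_num for mlx5_core is: 10 (default)' \
        'multi-queue affinity for mlx5_core interfaces:' \
        'CPU | TX | Vector | RX Bytes' \
        '-------------------------------------------------------------' \
        '0 | 0 | eth2-01-0 (211) | 0' \
        '1 | 2 | eth2-01-2 (227) | 0' \
        '2 | 4 | eth2-01-4 (52) | 0' \
        '3 | 6 | eth2-01-6 (68) | 0' \
        '4 | 8 | eth2-01-8 (84) | 0' \
        '5 | 10 | |' \
        'multi-queue affinity for igb interfaces:' \
        'CPU | TX | Vector | RX Packets | RX Bytes' \
        '0 | 0 | Mgmt-TxRx-0 (172) | 2752 | 176674' \
        '1 | 0 | | |'
}
sample_top() {
    printf '%s\n' \
        'top - 18:02:33 up 28 days, 1:18, 1 user, load average: 1.22, 1.38, 1.48' \
        'Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 42.7%id, 5.9%wa, 0.0%hi, 49.4%si, 0.0%st' \
        'Cpu1 : 0.0%us, 1.0%sy, 0.0%ni, 55.2%id, 0.0%wa, 0.0%hi, 43.8%si, 0.0%st' \
        'Cpu2 : 2.0%us, 2.0%sy, 0.0%ni, 45.5%id, 0.0%wa, 4.0%hi, 46.5%si, 0.0%st' \
        'Cpu3 : 1.0%us, 2.0%sy, 0.0%ni, 74.5%id, 0.0%wa, 0.0%hi, 22.5%si, 0.0%st' \
        'Cpu4 : 5.0%us, 1.0%sy, 0.0%ni, 42.6%id, 0.0%wa, 0.0%hi, 51.5%si, 0.0%st' \
        'Cpu5 : 0.0%us, 0.0%sy, 0.0%ni, 99.0%id, 0.0%wa, 0.0%hi, 1.0%si, 0.0%st'
}

mq_softirq_demo() {
    cpus=$(sample_cpmq | mq_cpus_from_cpmq)      # 0 1 2 3 4
    echo "Multi-Queue cores: $cpus"
    sample_top | mq_softirq_report "$cpus" 50    # only Cpu4 (51.5% si) is "busy"
}

mq_softirq_demo
```

On a gateway, feed the live cpmq get -v output and a saved copy of the per-core top screen to the two functions instead of the samples.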

Overriding RX queue and interface limitations


Warning - We do not recommend that you change this configuration. The Multi-Queue is intended to
work with up to eight RX queues and up to five interfaces.
• The number of RX queues is limited by the number of CPU cores and the type of the interface
driver.
To add more RX queues, run:
cpmq set rx_num {igb | ixgbe | i40e | mlx5_core} <number of active RX queues> -f

• Due to IRQ limitations, you can configure a maximum of five interfaces with Multi-Queue.
To add more interfaces, run:
cpmq set -f


Special Scenarios and Configurations


In This Section:
Default Number of Active RX Queues ...............................................................245
Changing the Status of an Interface with Enabled Multi-Queue ..........................246
Adding a Network Interface.............................................................................246
Changing the Affinity of CoreXL Firewall instances ...........................................247
Processing Packets that Arrive in the Wrong Order on an Interface that Works in Monitor
Mode .............................................................................................................247

Default Number of Active RX Queues


In Gateway mode - Changing the number of CoreXL Firewall instances when the
Multi-Queue is enabled on some, or all interfaces
For best performance, the Multi-Queue calculates the default number of active RX queues based
on this formula:
Number of active RX queues = (Number of CPU cores) - (Number of CoreXL Firewall
instances)

This configuration is set automatically when you configure the Multi-Queue. When you change the
number of CoreXL Firewall instances, the number of active RX queues changes automatically, if it
is not set manually.

In VSX mode - Changing the number of CPU cores, to which the FWK processes are
assigned
For best performance, the Multi-Queue calculates the default number of active RX queues based
on this formula:

Number of active RX queues = The lowest CPU ID, to which an FWK process is assigned

For example:
[Expert@GW:0]# fw ctl affinity -l
Mgmt: CPU 0
eth1-05: CPU 0
eth1-06: CPU 1
VS_0 fwk: CPU 2 3 4 5
VS_1 fwk: CPU 2 3 4 5
[Expert@GW:0]#

In the example above:


• The number of active RX queues is set to 2.
• This configuration is set automatically when you configure the Multi-Queue.
• It does not automatically update when you change the affinity of Virtual Systems. When you
change the affinity of Virtual Systems, make sure to follow the instructions in Advanced
Multi-Queue settings (on page 240).
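The two default rx_num formulas (Gateway mode and VSX mode) worked through, together with the per-driver maximum queue values from the RX-queue table and the "difference of 1 disables Multi-Queue" case from the Troubleshooting section, as an added shell example that is not part of the Check Point guide. It parses the fw ctl affinity -l output shown above; the function names, the constructed sample and treating a zero or negative difference as invalid are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: work out the number of
# active RX queues that Multi-Queue picks by default, using the two formulas
# from this chapter, and flag the case in which Multi-Queue ends up disabled.

# Gateway mode: Active RX queues = (CPU cores) - (CoreXL Firewall instances).
# Prints the number, "disabled" when the difference is 1 (see Troubleshooting),
# or "invalid" when no core is left for SND (assumption made here).
mq_gw_default_rx_num() {
    cores=$1
    fw_instances=$2
    diff=$((cores - fw_instances))
    if [ "$diff" -le 0 ]; then
        echo "invalid"
    elif [ "$diff" -eq 1 ]; then
        echo "disabled"
    else
        echo "$diff"
    fi
}

# VSX mode: Active RX queues = the lowest CPU ID to which an fwk process is
# assigned. Reads "fw ctl affinity -l" output on stdin; prints "none" when no
# fwk line is present.
mq_vsx_default_rx_num() {
    awk '
        # only lines such as "VS_0 fwk: CPU 2 3 4 5" carry fwk assignments
        /fwk:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "CPU") {
                    for (j = i + 1; j <= NF; j++) {
                        if (min == "" || $j + 0 < min) min = $j + 0
                    }
                }
            }
        }
        END { if (min == "") print "none"; else print min }
    '
}

# Apply the maximum queue value from the RX-queue table (i40e 14, mlx5_core 10).
# igb and ixgbe have no maximum in that table, so the value passes through.
mq_cap_for_driver() {
    driver=$1
    queues=$2
    case $driver in
        i40e)      max=14 ;;
        mlx5_core) max=10 ;;
        *)         echo "$queues"; return 0 ;;
    esac
    if [ "$queues" -gt "$max" ]; then echo "$max"; else echo "$queues"; fi
}

# Constructed sample of "fw ctl affinity -l", taken from the VSX example above.
sample_affinity() {
    printf '%s\n' \
        'Mgmt: CPU 0' \
        'eth1-05: CPU 0' \
        'eth1-06: CPU 1' \
        'VS_0 fwk: CPU 2 3 4 5' \
        'VS_1 fwk: CPU 2 3 4 5'
}

mq_rx_num_demo() {
    echo "Gateway, 8 cores, 6 FW instances: $(mq_gw_default_rx_num 8 6)"   # 2
    echo "Gateway, 8 cores, 7 FW instances: $(mq_gw_default_rx_num 8 7)"   # disabled
    echo "VSX sample: $(sample_affinity | mq_vsx_default_rx_num)"          # 2
    echo "i40e, 16 requested: $(mq_cap_for_driver i40e 16)"                # 14
}

mq_rx_num_demo
```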


Changing the Status of an Interface with Enabled Multi-Queue


Scenario: To change the status of an interface to DOWN
Instructions: The Multi-Queue saves the configuration when you change the status of an
interface to down.
Since the number of interfaces with Multi-Queue enabled is limited to five, you may need to
disable the Multi-Queue on an interface after you change its status to down. This is needed to
enable the Multi-Queue on other interfaces.

Scenario: To disable Multi-Queue on non-active interfaces
Instructions: Follow these steps:
1. Activate an interface.
2. Run the cpmq set command and disable the Multi-Queue on that interface.
3. Deactivate the interface.

Scenario: To change the status of an interface to UP
Instructions: You must reset the IRQ affinity for the Multi-Queue interfaces if, in this order, you:
1. Enabled Multi-Queue on the interface.
2. Changed the status of the interface to down.
3. Rebooted the Security Gateway.
4. Changed the interface status to up.
This problem does not occur if SecureXL Affinity is set to Automatic mode
(sim affinity -a (on page 116)).
To set the static Multi-Queue affinity of interfaces again, run:
cpmq set affinity

Note - To change the state of an interface, see the R80.20 Gaia Administration Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_Admin
Guide/html_frameset.htm.

Adding a Network Interface


When you add a network interface card to a Security Gateway, the Multi-Queue configuration can
change due to the way the operating system indexes the interfaces.
If you added a network interface card to a Security Gateway, make sure to run the Multi-Queue
configuration again, or run:
cpmq reconfigure

If a reconfiguration change is required, the Multi-Queue prompts you to reboot the Security
Gateway.


Changing the Affinity of CoreXL Firewall instances


For best performance, we recommend that you do not assign both a CoreXL SND instance and a
CoreXL Firewall instance to the same CPU core.
When you change the affinity of CoreXL Firewall instances to CPU cores that are assigned with
one of the Multi-Queue queues, we recommend that you configure the number of active RX queues
again based on this formula:

Active RX queues = The lowest CPU number, to which a CoreXL Firewall instance is assigned

You can configure the number of active RX queues with this command:
cpmq set rx_num {igb | ixgbe} {default | <value>}

Processing Packets that Arrive in the Wrong Order on an Interface that Works in Monitor Mode

Best Practice - If you enable Multi-Queue on an interface that works in Monitor Mode, then enable
the Symmetric Hash for Receive-Side Scaling (RSS). This lets the corresponding interface drivers
better handle packets that arrive in the wrong order (for example, a TCP "SYN-ACK" that arrives
before the TCP "SYN"). As a result, the same CPU core handles the applicable Client-to-Server
and Server-to-Client packets.
Follow the instructions in sk101670 http://supportcontent.checkpoint.com/solutions?id=sk101670
to download and run the special shell script asym2sym.sh on the Security Gateway or Cluster
Members.


Troubleshooting
Scenario: After reboot, the wrong interfaces are configured for Multi-Queue.
Explanation and next steps: This can happen after changing the physical interfaces on the
Security Gateway.
Follow one of these steps:
• Run:
cpmq reconfigure
reboot
• Configure the Multi-Queue again

Scenario: After you configure the Multi-Queue and reboot the Security Gateway, some of the
configured interfaces show as Down. These interfaces were up before the Security Gateway
reboot. The cpmq get -a command shows the interface status as Pending on.
Explanation and next steps: This can happen when not enough IRQs are available on the
Security Gateway.
Follow one of these steps:
• Remove unused expansion cards, if possible
• Disable some of the interfaces configured for Multi-Queue
• Manually reduce the number of active RX queues (rx_num) with the cpmq set rx_num command,
and reboot the Security Gateway

Scenario: When you change the status of interfaces, all the interface IRQs are assigned to
CPU 0, or to all of the CPU cores.
Explanation and next steps: This can happen when an interface status is changed to UP after
the automatic affinity procedure runs (during each boot).
Run:
cpmq set affinity
This problem does not occur if SecureXL Affinity is set to Automatic mode
(sim affinity -a (on page 116)).

Scenario: In VSX mode, an fwk process runs on the same CPU core as some of the interface
queues.
Explanation and next steps: This can happen when the affinity of the Virtual System was
manually changed but Multi-Queue was not reconfigured accordingly.
Follow one of these steps:
• Run:
cpmq reconfigure
reboot
• Configure the number of active RX queues manually

Scenario: In Gateway mode, after you change the number of CoreXL Firewall instances, the
Multi-Queue is disabled on all interfaces.
Explanation and next steps: When you change the number of CoreXL Firewall instances, the
number of active RX queues automatically changes based on this formula (if it is not configured
manually):
Active RX queues = (Number of CPU cores) - (Number of CoreXL Firewall instances)
If the difference between the number of CPU cores and the number of CoreXL Firewall instances
is 1, Multi-Queue is disabled.
Configure the number of active RX queues manually with this command:
cpmq set rx_num {igb | ixgbe | i40e | mlx5_core} <Value>

CHAPTER 5

CPView
In This Section:
Overview of CPView ........................................................................................250
CPView User Interface ....................................................................................250
Using CPView .................................................................................................251

Overview of CPView
Description
CPView is a text-based, built-in utility on a Check Point computer. The CPView utility shows
statistical data that contains both general system information (CPU, memory, disk space) and
information for different Software Blades (only on a Security Gateway).
CPView continuously updates the data in easy-to-access views.
On a Security Gateway, you can use this statistical data to monitor the performance.
For more information, see sk101878
http://supportcontent.checkpoint.com/solutions?id=sk101878.

Syntax
cpview --help

CPView User Interface


The CPView user interface has three sections:

Section: Header
Description: This view shows the time the statistics in the third view are collected. It updates
when you refresh the statistics.

Section: Navigation
Description: This menu bar is interactive. Move between menus with the arrow keys and mouse.
A menu can have sub-menus, and they show under the menu bar.

Section: View
Description: This view shows the statistics collected in that view. These statistics update at the
refresh rate.


Using CPView
Use these keys to navigate the CPView:

Key Description
Arrow keys Moves between menus and views. Scrolls in a view.
Home Returns to the Overview view.
Enter Changes to the View Mode.
On a menu with sub-menus, the Enter key moves you to the lowest level
sub-menu.
Esc Returns to the Menu Mode.
Q Quits CPView.

Use these keys to change CPView interface options:

Key Description
R Opens a window where you can change the refresh rate.
The default refresh rate is 2 seconds.
W Changes between wide and normal display modes.
In wide mode, CPView fits the screen horizontally.
S Manually sets the number of rows or columns.
M Switches on/off the mouse.
P Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key Description
C Saves the current page to a file. The file name format is:
cpview_<cpview process ID>.cap<number of captures>

H Shows a tooltip with CPView options.

Space bar Immediately refreshes the statistics.

CHAPTER 6

Command Line Reference


See the R80.20 Command Line Interface Reference Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_Refere
nceGuide/html_frameset.htm.

CHAPTER 7

Working with Kernel Parameters on Security Gateway
In This Section:
Introduction to Kernel Parameters ..................................................................253
FireWall Kernel Parameters ...........................................................................254
SecureXL Kernel Parameters..........................................................................259

Introduction to Kernel Parameters


Kernel parameters let you change the advanced behavior of your Security Gateway.
These are the supported types of kernel parameters:

Type Description
Integer Accepts only one integer value.
String Accepts only a plain-text string.

Important:
• In Cluster, you must see and configure the same value for the same kernel parameter on each
Cluster Member.
• In VSX Gateway, the configured values of kernel parameters apply to all existing Virtual
Systems and Virtual Routers.
Security Gateway gets the names and the default values of the kernel parameters from these
kernel module files:
• $FWDIR/modules/fw_kern_64.o
• $FWDIR/modules/fw_kern_64_v6.o
• $PPKDIR/modules/sim_kern_64.o
• $PPKDIR/modules/sim_kern_64_v6.o


FireWall Kernel Parameters


To change the internal default behavior of Firewall or to configure special advanced settings for
Firewall, you can use Firewall kernel parameters.
The names of applicable Firewall kernel parameters and their values appear in various SK articles
in Support Center http://supportcenter.checkpoint.com, and are provided by Check Point Support.

Important
• The names of Firewall kernel parameters are case-sensitive.
• You can configure most of the Firewall kernel parameters on-the-fly with the fw ctl set
command.
This change does not survive a reboot.
• You can configure some of the Firewall kernel parameters only permanently in the special
configuration file ($FWDIR/modules/fwkern.conf or $FWDIR/modules/vpnkern.conf).
This requires a maintenance window, because the new values of the kernel parameters take
effect only after a reboot.
• In a Cluster, you must always configure all the Cluster Members in the same way.

Examples of Firewall kernel parameters


Integer: fw_allow_simultaneous_ping, fw_kdprintf_limit, fw_log_bufsize, send_buf_limit
String: simple_debug_filter_addr_1, simple_debug_filter_daddr_1, simple_debug_filter_vpn_1,
ws_debug_ip_str, fw_lsp_pair1

To see the list of the available Firewall integer kernel parameters and their values on
your Security Gateway:
Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to the Expert mode.
3 Get the list of the available integer kernel parameters and their values:
[Expert@MyGW:0]# modinfo -p $FWDIR/modules/fw_kern*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/fw_integer_kernel_parameters.txt 2>> /var/log/fw_integer_kernel_parameters.txt
4 Analyze the output file:
/var/log/fw_integer_kernel_parameters.txt


To see the list of the available Firewall string kernel parameters and their values on
your Security Gateway:
Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to the Expert mode.
3 Get the list of the available string kernel parameters and their values:
[Expert@MyGW:0]# modinfo -p $FWDIR/modules/fw_kern*.o | sort -u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/fw_string_kernel_parameters.txt 2>> /var/log/fw_string_kernel_parameters.txt
4 Analyze the output file:
/var/log/fw_string_kernel_parameters.txt

To check the current value of a Firewall integer kernel parameter:


Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish or the Expert mode.
3 Check the current value of an integer kernel parameter:
fw ctl get int <Name of Integer Kernel Parameter> [-a]
Example:
[Expert@MyGW:0]# fw ctl get int send_buf_limit
send_buf_limit = 80
[Expert@MyGW:0]#

To check the current value of a Firewall string kernel parameter:


Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish or the Expert mode.
3 Check the current value of a string kernel parameter:
fw ctl get str <Name of String Kernel Parameter> [-a]
Example:
[Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset
fileapp_default_encoding_charset = 'UTF-8'
[Expert@MyGW:0]#

To set a value for a Firewall integer kernel parameter temporarily:


Important - This change does not survive reboot.

Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish or the Expert mode.

3 Set the new value for an integer kernel parameter:
fw ctl set int <Name of Integer Kernel Parameter> <Integer Value>
Example:
[Expert@MyGW:0]# fw ctl set int send_buf_limit 100
Set operation succeeded
[Expert@MyGW:0]#
4 Make sure the new value is set:
fw ctl get int <Name of Integer Kernel Parameter>
Example:
[Expert@MyGW:0]# fw ctl get int send_buf_limit
send_buf_limit = 100
[Expert@MyGW:0]#

To set a value for a Firewall string kernel parameter temporarily:


Important - This change does not survive reboot.

Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish or the Expert mode.
3 Set the new value for a string kernel parameter:
Note - You must write the value in single quotes, or double-quotes.
[Expert@MyGW:0]# fw ctl set str <Name of String Kernel Parameter> '<String Text>'
or
[Expert@MyGW:0]# fw ctl set str <Name of String Kernel Parameter> "<String Text>"
Example:
[Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip '1.1.1.1'
Set operation succeeded
[Expert@MyGW:0]#
4 Make sure the new value is set:
fw ctl get str <Name of String Kernel Parameter>
Example:
[Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip
debug_filter_saddr_ip = '1.1.1.1'
[Expert@MyGW:0]#

To clear the current value from a Firewall string kernel parameter temporarily:
Important - This change does not survive reboot.

Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to Gaia Clish or the Expert mode.

3 Clear the current value from a string kernel parameter:
Note - You must set an empty value in single quotes, or double-quotes.
[Expert@MyGW:0]# fw ctl set str <Name of String Kernel Parameter> ''
or
[Expert@MyGW:0]# fw ctl set str <Name of String Kernel Parameter> ""
Example:
[Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip ''
Set operation succeeded
[Expert@MyGW:0]#
4 Make sure the value is cleared (the new value is empty):
fw ctl get str <Name of String Kernel Parameter>
Example:
[Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip
debug_filter_saddr_ip = ''
[Expert@MyGW:0]#

To set a value for a Firewall kernel parameter permanently:


To make a kernel parameter configuration permanent (to survive reboot), you must edit one of the
applicable configuration files:
• $FWDIR/modules/fwkern.conf
• $FWDIR/modules/vpnkern.conf
The exact instructions are provided in various SK articles in Support Center
http://supportcenter.checkpoint.com, and by Check Point Support.

Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to the Expert mode.
3 See if the configuration file already exists:
[Expert@MyGW:0]# ls -l $FWDIR/modules/fwkern.conf
or
[Expert@MyGW:0]# ls -l $FWDIR/modules/vpnkern.conf
4 If this file already exists, skip to Step 5.
If this file does not exist, then create it manually and then skip to Step 6:
[Expert@MyGW:0]# touch $FWDIR/modules/fwkern.conf
or
[Expert@MyGW:0]# touch $FWDIR/modules/vpnkern.conf
5 Back up the current configuration file:
[Expert@MyGW:0]# cp -v $FWDIR/modules/fwkern.conf{,_BKP}
or
[Expert@MyGW:0]# cp -v $FWDIR/modules/vpnkern.conf{,_BKP}

6 Edit the current configuration file:
[Expert@MyGW:0]# vi $FWDIR/modules/fwkern.conf
or
[Expert@MyGW:0]# vi $FWDIR/modules/vpnkern.conf
7 Add the required Firewall kernel parameter with the assigned value in the exact format
specified below.
Important - These configuration files do not support space characters, tabulation
characters, and comments (lines that contain the # character).
• To add an integer kernel parameter:
<Name_of_Integer_Kernel_Parameter>=<Integer_Value>
• To add a string kernel parameter:
<Name_of_String_Kernel_Parameter>='<String_Text>'
or
<Name_of_String_Kernel_Parameter>="<String_Text>"
8 Save the changes in the file and exit the Vi editor.
9 Reboot the Security Gateway.
Important - In cluster, this can cause a failover.
10 Connect to the command line on your Security Gateway.
11 Log in to Gaia Clish or the Expert mode.
12 Make sure the new value of the kernel parameter is set:
• For an integer kernel parameter, run:
fw ctl get int <Name of Integer Kernel Parameter> [-a]
• For a string kernel parameter, run:
fw ctl get str <Name of String Kernel Parameter> [-a]

For more information, see sk26202: Changing the kernel global parameters for Check Point
Security Gateway http://supportcontent.checkpoint.com/solutions?id=sk26202.


SecureXL Kernel Parameters


To change the internal default behavior of SecureXL or to configure special advanced settings for
SecureXL, you can use SecureXL kernel parameters.
The names of applicable SecureXL kernel parameters and their values appear in various SK
articles in Support Center http://supportcenter.checkpoint.com, and are provided by Check Point
Support.

Important
• The names of SecureXL kernel parameters are case-sensitive.
• You cannot configure SecureXL kernel parameters on-the-fly with the fw ctl set command.
You must configure them only permanently in the special configuration file
($PPKDIR/conf/simkern.conf).
Schedule a maintenance window, because this procedure requires a reboot.
• For some SecureXL kernel parameters, you cannot get their current value on-the-fly with the
fw ctl get command (see sk43387
http://supportcontent.checkpoint.com/solutions?id=sk43387).
• In a Cluster, you must always configure all the Cluster Members in the same way.

Examples of SecureXL kernel parameters


Integer: num_of_sxl_devices, sim_ipsec_dont_fragment, tcp_always_keepalive, sim_log_all_frags,
simple_debug_filter_dport_1, simple_debug_filter_proto_1
String: simple_debug_filter_addr_1, simple_debug_filter_daddr_2, simlinux_excluded_ifs_list

To see the list of the available SecureXL integer kernel parameters and their values on
your Security Gateway:
Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to the Expert mode.
3 Get the list of the available integer kernel parameters and their values:
[Expert@MyGW:0]# modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int 1>> /var/log/sxl_integer_kernel_parameters.txt 2>> /var/log/sxl_integer_kernel_parameters.txt
4 Analyze the output file:
/var/log/sxl_integer_kernel_parameters.txt


To see the list of the available SecureXL string kernel parameters and their values on
your Security Gateway:
Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to the Expert mode.
3 Get the list of the available string kernel parameters and their values:
[Expert@MyGW:0]# modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort -u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get str 1>> /var/log/sxl_string_kernel_parameters.txt 2>> /var/log/sxl_string_kernel_parameters.txt
4 Analyze the output file:
/var/log/sxl_string_kernel_parameters.txt

To set a value for a SecureXL kernel parameter permanently:


Step Description
1 Connect to the command line on your Security Gateway.
2 Log in to the Expert mode.
3 See if the configuration file already exists:
[Expert@MyGW:0]# ls -l $PPKDIR/conf/simkern.conf
4 If this file already exists, skip to Step 5.
If this file does not exist, then create it manually and then skip to Step 6:
[Expert@MyGW:0]# touch $PPKDIR/conf/simkern.conf
5 Back up the current configuration file:
[Expert@MyGW:0]# cp -v $PPKDIR/conf/simkern.conf{,_BKP}
6 Edit the current configuration file:
[Expert@MyGW:0]# vi $PPKDIR/conf/simkern.conf
7 Add the required SecureXL kernel parameter with the assigned value in the exact format
specified below.
Important - This configuration file does not support space characters, tabulation
characters, and comments (lines that contain the # character).
• To add an integer kernel parameter:
<Name_of_SecureXL_Integer_Kernel_Parameter>=<Integer_Value>
• To add a string kernel parameter:
<Name_of_SecureXL_String_Kernel_Parameter>='<String_Text>'
or
<Name_of_SecureXL_String_Kernel_Parameter>="<String_Text>"
8 Save the changes in the file and exit the Vi editor.
9 Reboot the Security Gateway.
Important - In cluster, this can cause a failover.
10 Connect to the command line on your Security Gateway.
11 Log in to Gaia Clish or the Expert mode.

12 Make sure the new value of the kernel parameter is set:
• For an integer kernel parameter, run:
fw ctl get int <Name of Integer Kernel Parameter> [-a]
• For a string kernel parameter, run:
fw ctl get str <Name of String Kernel Parameter> [-a]

For more information, see sk26202: Changing the kernel global parameters for Check Point
Security Gateway http://supportcontent.checkpoint.com/solutions?id=sk26202.
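Because a malformed fwkern.conf, vpnkern.conf or simkern.conf is only noticed after the reboot that the permanent-setting procedures above require, here is a pre-reboot lint of the file format those procedures describe, as an added shell example that is not part of the Check Point guide. It checks only the stated rules (one NAME=VALUE per line, no spaces or tabs, no comment lines containing #, bare integers, quoted strings); the function names, the constructed sample files with made-up values, the acceptance of blank lines and the rejection of CR characters are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the Check Point guide: lint a kernel-parameter
# configuration file ($FWDIR/modules/fwkern.conf, $FWDIR/modules/vpnkern.conf
# or $PPKDIR/conf/simkern.conf) before the reboot that makes it take effect.
# Only the format rules from the guide are checked; which parameter names
# exist and which values are valid is not checked here.

# Read a config file on stdin, print "line N: reason" for every problem,
# return 0 when the file is clean and 1 otherwise.
kern_conf_lint() {
    awk -v q="'" '
        BEGIN {
            bad = 0
            name   = "^[A-Za-z_][A-Za-z0-9_]*="
            int_re = name "-?[0-9]+$"                 # NAME=123
            sq_re  = name q "[^" q "]*" q "$"         # NAME=\x27text\x27 (single quotes)
            dq_re  = name "\"[^\"]*\"$"               # NAME="text"
        }
        {
            line = $0
            if (line == "") next                      # assumption: blank lines are harmless
            if (index(line, "\r") > 0) {              # assumption: CRLF files are rejected
                printf "line %d: carriage return (CRLF line ending)\n", NR; bad++; next
            }
            if (index(line, "#") > 0) {               # the guide: no comments at all
                printf "line %d: comments are not supported\n", NR; bad++; next
            }
            if (line ~ /[ \t]/) {                     # the guide: no spaces or tabs
                printf "line %d: space or tab character\n", NR; bad++; next
            }
            if (line ~ int_re || line ~ sq_re || line ~ dq_re) next
            printf "line %d: not NAME=<int>, NAME=%s<text>%s or NAME=\"<text>\"\n", NR, q, q
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Number of problems found, for use in scripts and tests.
kern_conf_problem_count() {
    kern_conf_lint | awk 'END { print NR }'
}

# Constructed sample files. The parameter names are from the examples in this
# chapter; the values are made up for the demonstration.
sample_good() {
    printf '%s\n' \
        'fw_allow_simultaneous_ping=1' \
        'send_buf_limit=100' \
        "simple_debug_filter_addr_1='1.1.1.1'" \
        'ws_debug_ip_str="10.0.0.5"'
}
sample_bad() {
    printf '%s\n' \
        'send_buf_limit = 100' \
        '# raise the kernel log buffer' \
        'fw_log_bufsize=large' \
        'simple_debug_filter_addr_1=1.1.1.1' \
        'fw_kdprintf_limit=50'
}

kern_conf_demo() {
    echo "good sample: $(sample_good | kern_conf_problem_count) problem(s)"   # 0
    echo "bad sample:"                                                       # 4 problems
    sample_bad | kern_conf_lint || echo "fix the lines above before you reboot"
}

kern_conf_demo
```

On a gateway, run kern_conf_lint < $FWDIR/modules/fwkern.conf (or the simkern.conf path) between the edit step and the reboot step of the procedure.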

CHAPTER 8

Kernel Debug on Security Gateway


In This Section:
Kernel Debug Syntax ......................................................................................262
Kernel Debug Filters ......................................................................................268
Kernel Debug Procedure ................................................................................272
Kernel Debug Procedure with Connection Life Cycle.........................................274
Kernel Debug Modules and Debug Flags ..........................................................279

Kernel Debug Syntax


During a kernel debug session, Security Gateway prints special debug messages that help Check
Point Support and R&D understand how the Security Gateway processes the applicable
connections.
Important - In cluster, you must perform the kernel debug procedure on all Cluster Members in
the same way.

Action plan to collect a kernel debug:


Note - See the Kernel Debug Procedure (on page 272), or the Kernel Debug Procedure with
Connection Life Cycle (on page 274).
Step 1
Action: Configure the applicable debug settings:
  a) Restore the default debug settings.
  b) Allocate the debug buffer.
Description: In this step, you prepare the kernel debug options:
  a) Restore the default debug settings, so that any other debug settings do not interfere with the kernel debug.
  b) Allocate the kernel debug buffer, in which Security Gateway holds the applicable debug messages.

Step 2
Action: Configure the applicable kernel debug modules and their debug flags.
Description: In this step, you prepare the applicable kernel debug modules and their debug flags, so that Security Gateway collects only applicable debug messages.

Step 3
Action: Start the collection of the kernel debug into an output file.
Description: In this step, you configure Security Gateway to write the debug messages from the kernel debug buffer into an output file.

Step 4
Action: Stop the kernel debug.
Description: In this step, you configure Security Gateway to stop writing the debug messages into an output file.

Step 5
Action: Restore the default kernel debug settings.
Description: In this step, you restore the default kernel debug options.


To see the built-in help for the kernel debug:


fw ctl debug -h

To restore the default kernel debug settings:


• To reset all debug flags and enable only the default debug flags in all kernel modules:
fw ctl debug 0

• To disable all debug flags including the default flags in all kernel modules:
Note - We do not recommend this because it disables even the basic default debug messages.
fw ctl debug -x

To allocate the kernel debug buffer:


fw ctl debug -buf 8200 [-v {"<List of VSIDs>" | all}] [-k]

Notes:
• Security Gateway allocates the kernel debug buffer with the specified size for every CoreXL FW
instance.
• The maximal supported buffer size is 8192 kilobytes.

To configure the debug modules and debug flags:


• General syntax:
fw ctl debug [-d <Strings to Search>] [-v {"<List of VSIDs>" | all}] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}

fw ctl debug [-s "<String to Stop Debug>"] [-v {"<List of VSIDs>" | all}] -m <Name of Debug Module> {all | + <List of Debug Flags> | - <List of Debug Flags>}

• To see a list of all debug modules and their flags:


Note - The list of kernel modules depends on the Software Blades you enabled on the Security
Gateway.
fw ctl debug -m

• To see a list of debug flags that are already enabled:


fw ctl debug

• To enable all debug flags in the specified kernel module:


fw ctl debug -m <Name of Debug Module> all

• To enable the specified debug flags in the specified kernel module:


fw ctl debug -m <Name of Debug Module> + <List of Debug Flags>

• To disable the specified debug flags in the specified kernel module:


fw ctl debug -m <Name of Debug Module> - <List of Debug Flags>

To collect the kernel debug output:


• General syntax (only supported parameters are listed):
fw ctl kdebug [-p <List of Fields>] [-T] -f > /<Path>/<Name of Output File>

fw ctl kdebug [-p <List of Fields>] [-T] -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

• To start the collection of the kernel debug into an output file:


fw ctl kdebug -T -f > /<Path>/<Name of Output File>


• To start collecting the kernel debug into cyclic output files:


fw ctl kdebug -T -f -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]

Parameters:
Note - Only supported parameters are listed.

Parameter: 0 | -x
Controls how to disable the debug flags:
• 0 - Resets all debug flags and enables only the default debug flags in all kernel modules.
• -x - Disables all debug flags, including the default flags in all kernel modules.
  Note - We do not recommend this option, because it disables even the basic default debug messages.

Parameter: -d <Strings to Search>
When this parameter is specified, the Security Gateway:
1. Examines the applicable debug messages based on the enabled kernel debug modules and their debug flags.
2. Collects only debug messages that contain at least one of the specified strings into the kernel debug buffer.
3. Writes the entire kernel debug buffer into the output file.
Notes:
• These strings can be any plain text (not a regular expression) that you see in the debug messages.
• Separate the desired strings by commas without spaces:
  -d String1,String2,...,StringN
• You can specify up to 10 strings, up to 250 characters in total.

Parameter: -s "<String to Stop Debug>"
When this parameter is specified, the Security Gateway:
1. Collects the applicable debug messages into the kernel debug buffer based on the enabled kernel debug modules and their debug flags.
2. Does not write any of these debug messages from the kernel debug buffer into the output file.
3. Stops collecting all debug messages when it detects the first debug message that contains the specified string in the kernel debug buffer.
4. Writes the entire kernel debug buffer into the output file.
Notes:
• This one string can be any plain text (not a regular expression) that you see in the debug messages.
• String length is up to 50 characters.

Parameter: -m <Name of Debug Module>
Specifies the name of the kernel debug module, for which you print or configure the debug flags.

Parameter: {all | + <List of Debug Flags> | - <List of Debug Flags>}
Specifies which debug flags to enable or disable in the specified kernel debug module:
• all - Enables all debug flags in the specified kernel debug module.
• + <List of Debug Flags> - Enables the specified debug flags in the specified kernel debug module.
  You must press the space bar key after the plus (+) character:
  + <Flag1> [<Flag2> ... <FlagN>]
  Example: + drop conn
• - <List of Debug Flags> - Disables the specified debug flags in the specified kernel debug module.
  You must press the space bar key after the minus (-) character:
  - <Flag1> [<Flag2> ... <FlagN>]
  Example: - conn

Parameter: -v {"<List of VSIDs>" | all}
Specifies the list of Virtual Systems. A VSX Gateway automatically filters the collected kernel debug information for debug messages only for these Virtual Systems.
• -v "<List of VSIDs>" - Monitors the messages only from the specified Virtual Systems. To specify the Virtual Systems, enter their VSID number separated with commas and without spaces:
  "VSID1[,VSID2,VSID3,...,VSIDn]"
  Example: -v "1,3,7"
• -v all - Monitors the messages from all configured Virtual Systems.
Notes:
• This parameter is supported only in VSX mode.
• This parameter and the -k parameter are mutually exclusive.

Parameter: -e <Expression> | -i <Name of Filter File> | -i - | -u
Specifies the INSPECT filter for the debug:
• -e <Expression> - Specifies the INSPECT filter. For details and syntax, see sk30583: What is FW Monitor? http://supportcontent.checkpoint.com/solutions?id=sk30583.
• -i <Name of Filter File> - Specifies the file that contains the INSPECT filter.
• -i - - Specifies that the INSPECT filter arrives from the standard input. You are prompted to enter the INSPECT filter on the screen.
• -u - Removes the INSPECT debug filter.
Notes:
• This is a legacy parameter.
• When you use this parameter, the Security Gateway cannot apply the specified INSPECT filter to the accelerated traffic.
• For new debug filters, see Kernel Debug Filters (on page 268).
Parameter: -z
The Security Gateway processes some connections in both SecureXL code and in the Host appliance code (for example, Passive Streaming Library (PSL) - an IPS infrastructure, which transparently listens to TCP traffic as network packets, and rebuilds the TCP stream out of these packets).
The Security Gateway processes some connections only in the Host appliance code.
When you use this parameter, kernel debug output contains the debug messages only from the Host appliance code.

Parameter: -k
The Security Gateway processes some connections in both kernel space code and in the user space code (for example, Web Intelligence).
The Security Gateway processes some connections only in the kernel space code.
When you use this parameter, kernel debug output contains the debug messages only from the kernel space.
Notes:
• This parameter is not supported in the VSX mode, in which the Firewall works in the user space.
• This parameter and the -v parameter are mutually exclusive.

Parameter: -p <List of Fields>
By default, when the Security Gateway prints the debug messages, the messages start with the applicable CPU ID and CoreXL FW instance ID.
You can print additional fields in the beginning of each debug message.
Notes:
• These fields are available:
  all, proc, pid, date, mid, type, freq, topic, time, ticks, tid, text, errno, host, vsid, cpu.
• When you specify the desired fields, separate them with commas and without spaces:
  Field1,Field2,...,FieldN
• The more fields you specify, the higher the load on the CPU and on the hard disk.

Parameter: -T
Prints the time stamp in microseconds in front of each debug message.

Parameter: -f
Collects the debug data until you stop the kernel debug in one of these ways:
• When you press CTRL+C.
• When you run the fw ctl debug 0 command.
• When you run the fw ctl debug -x command.
• When you kill the fw ctl kdebug process.

Parameter: /<Path>/<Name of Output File>
Specifies the path and the name of the debug output file.
Important:
• Always use the largest partition on the disk - /var/log/. Security Gateway can generate many debug messages within a short time. As a result, the debug output file can grow to a large size very fast.
• When Falcon Acceleration Cards (sk116242 http://supportcontent.checkpoint.com/solutions?id=sk116242) are installed, the Host Security Appliance creates several debug output files - a file /var/log/ppk_<Slot_#>_debug.log for each acceleration card and the specified /<Path>/<Name of Output File> file. When you stop the debug, the Host Security Appliance unifies all these files into a single file named /<Path>/<Name of Output File>_unified.

Parameter: -o /<Path>/<Name of Output File> -m <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>]
Saves the collected debug data into cyclic debug output files.
When the size of the current <Name of Output File> reaches the specified <Size of Each Cyclic File in KB> (more or less), the Security Gateway renames the current <Name of Output File> to <Name of Output File.0>, and creates a new <Name of Output File>.
If the <Name of Output File.0> already exists, the Security Gateway renames the <Name of Output File.0> to <Name of Output File.1>, and so on - until the specified limit <Number of Cyclic Files>. When the Security Gateway reaches the <Number of Cyclic Files>, it deletes the oldest files.
The valid values are:
• <Number of Cyclic Files> - from 1 to 999
• <Size of Each Cyclic File in KB> - from 1 to 2097150


Kernel Debug Filters


By default, kernel debug output contains information about all processed connections.
You can configure filters for kernel debug to collect debug messages only for the applicable
connections.
There are three types of debug filters:
• By connection tuple parameters
• By an IP address parameter
• By a VPN peer parameter
To configure these kernel debug filters, assign the desired values to the applicable kernel
parameters before you start the kernel debug. You assign the values to the applicable kernel
parameters temporarily with the "fw ctl set" command.
Notes:
• The Security Gateway supports up to five debug filters in total (from all types).
• The Security Gateway applies these debug filters to both the non-accelerated and accelerated
traffic.
• The Security Gateway applies these debug filters to Connection Life Cycle (on page 274).

To configure debug filter of the type "By connection tuple parameters":


The Security Gateway processes connections based on the 5-tuple:
• Source IP address
• Source Port (see IANA - Port Numbers https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml)
• Destination IP address
• Destination Port (see IANA - Port Numbers https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml)
• Protocol Number (see IANA - Protocol Numbers https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
This debug filter lets you filter by these tuple parameters (syntax for the kernel parameters):

Source IP address:
fw ctl set str simple_debug_filter_saddr_<N> "<IPv4 or IPv6 Address>"

Source Port:
fw ctl set int simple_debug_filter_sport_<N> <1-65535>

Destination IP address:
fw ctl set str simple_debug_filter_daddr_<N> "<IPv4 or IPv6 Address>"

Destination Port:
fw ctl set int simple_debug_filter_dport_<N> <1-65535>

Protocol Number:
fw ctl set int simple_debug_filter_proto_<N> <0-254>


Notes:
• <N> is an integer between 1 and 5. This number is an index for the configured kernel
parameters of this type.
• When you specify IP addresses, you must enclose them in double quotes.
• You can configure one or more (up to 5) of these kernel parameters at the same time.
Example 1:
Configure one Source IP address (simple_debug_filter_saddr_1), one Destination IP
address (simple_debug_filter_daddr_1), and one Protocol Number
(simple_debug_filter_proto_1).
Example 2:
Configure one Source IP address (simple_debug_filter_saddr_1), two Destination IP
addresses (simple_debug_filter_daddr_2 and simple_debug_filter_daddr_3),
and two Destination Ports (simple_debug_filter_dport_2 and
simple_debug_filter_dport_3).
• When you configure kernel parameters with the same index <N>, the debug filter is a logical
"AND" of these kernel parameters.
In this case, the final filter matches only one direction of the processed connection.
Example 1:
simple_debug_filter_saddr_1 <Value X>
AND
simple_debug_filter_daddr_1 <Value Y>
Example 2:
simple_debug_filter_saddr_1 <Value X>
AND
simple_debug_filter_dport_1 <Value Y>

• When you configure kernel parameters with different indices <N>, the debug filter is a
logical "OR" of these kernel parameters.
This means that if you need the final filter to match both directions of the connection, you need
to configure the applicable debug filters for both directions.
Example 1:
simple_debug_filter_saddr_1 <Value X>
OR
simple_debug_filter_daddr_2 <Value Y>
Example 2:
simple_debug_filter_saddr_1 <Value X>
OR
simple_debug_filter_dport_2 <Value Y>

• For information about the Port Numbers, see IANA - Port Numbers https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
• For information about the Protocol Numbers, see IANA - Protocol Numbers https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
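To make the AND/OR rules in these notes concrete, here is a small model of them. It is an added example and not Check Point code: it reproduces only the documented matching rules (parameters with the same index are ANDed, different indices are ORed, simple_debug_filter_off 1 clears all filters, and with no filter every connection is debugged), and the packets it tests are constructed. It shows why a saddr/dport pair on one index matches only the client-to-server direction, while saddr_1 and daddr_2 set to the same host match both directions of the connection.

```python
from dataclasses import dataclass

# Added example, not Check Point code: a model of the documented matching rules for
# the simple_debug_filter_* kernel parameters. Parameters that share an index <N> are
# ANDed, different indices are ORed, and simple_debug_filter_off=1 clears everything.
# The gateway's real implementation is not visible here; all packets are constructed.

MAX_INDEX = 5                                   # "<N> is an integer between 1 and 5"
_PREFIX = "simple_debug_filter_"
_FIELDS = ("saddr", "sport", "daddr", "dport", "proto")


@dataclass(frozen=True)
class Packet:
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: int


class DebugFilterSet:
    """Holds the per-index rules that 'fw ctl set ... simple_debug_filter_*' would set."""

    def __init__(self):
        self._rules = {}                        # index N -> {field: required value}

    def set(self, param, value):
        """Model one 'fw ctl set int|str <param> <value>' command."""
        if param == _PREFIX + "off":
            if value == 1:
                self._rules.clear()             # disables all filters of all types
            return
        if not param.startswith(_PREFIX):
            raise ValueError(f"not a debug filter parameter: {param}")
        field, _, idx = param[len(_PREFIX):].rpartition("_")
        if field not in _FIELDS or not idx.isdigit() or not 1 <= int(idx) <= MAX_INDEX:
            raise ValueError(f"unsupported debug filter parameter: {param}")
        self._rules.setdefault(int(idx), {})[field] = value

    def matches(self, pkt):
        """True if the packet would be debugged under the configured filters."""
        if not self._rules:
            return True                         # no filter: all connections are debugged
        # OR across indices, AND inside one index.
        return any(all(getattr(pkt, f) == v for f, v in rule.items())
                   for rule in self._rules.values())


def demo():
    """Contrast a same-index (one direction) filter with a two-index (both directions) one."""
    client_to_server = Packet("192.168.20.30", 51234, "172.16.40.50", 80, 6)   # constructed
    server_to_client = Packet("172.16.40.50", 80, "192.168.20.30", 51234, 6)   # constructed
    unrelated = Packet("10.0.0.1", 40000, "172.16.40.50", 80, 6)               # constructed
    probes = (client_to_server, server_to_client, unrelated)

    one_way = DebugFilterSet()                  # saddr_1 AND dport_1
    one_way.set("simple_debug_filter_saddr_1", "192.168.20.30")
    one_way.set("simple_debug_filter_dport_1", 80)

    both_ways = DebugFilterSet()                # saddr_1 OR daddr_2
    both_ways.set("simple_debug_filter_saddr_1", "192.168.20.30")
    both_ways.set("simple_debug_filter_daddr_2", "192.168.20.30")

    return {
        "one_way": tuple(one_way.matches(p) for p in probes),
        "both_ways": tuple(both_ways.matches(p) for p in probes),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "(client->server, server->client, unrelated):", result)
```

The model says nothing about the gateway's internals; its use is to sanity-check a planned set of simple_debug_filter_* values against sample packets before a debug session, so that the filter does not silently miss the return direction.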


To configure debug filter of the type "By an IP address parameter":


This debug filter lets you filter by one IP address.
Syntax for Kernel Parameters:
fw ctl set str simple_debug_filter_addr_<N> "<IPv4 or IPv6 Address>"

Notes:
• <N> is an integer between 1 and 3. This number is an index for the configured kernel
parameters of this type.
• You can configure one, two, or three of these kernel parameters at the same time.
Example 1:
Configure one Source IP address (simple_debug_filter_addr_1).
Example 2:
Configure one Source IP address (simple_debug_filter_addr_1) and one Destination IP
address (simple_debug_filter_addr_2).
• You must enclose the IP addresses in double quotes.

To configure debug filter of the type "By a VPN peer parameter":


This debug filter lets you filter by the IP address of one VPN peer.
Syntax for Kernel Parameters:
fw ctl set str simple_debug_filter_vpn_<N> "<IPv4 or IPv6 Address>"

Notes:
• <N> is an integer - 1 or 2. This number is an index for the configured kernel parameters of this
type.
• You can configure one or two of these kernel parameters at the same time.
Example 1:
Configure one VPN peer (simple_debug_filter_vpn_1).
Example 2:
Configure two VPN peers (simple_debug_filter_vpn_1 and
simple_debug_filter_vpn_2).
• You must enclose the IP addresses in double quotes.

To disable all debug filters:


You can disable all the configured debug filters of all types.
Syntax for Kernel Parameter:
fw ctl set int simple_debug_filter_off 1


Usage Example
You need the kernel debug to show the information about the connection from Source IP address
192.168.20.30 from any Source Port to Destination IP address 172.16.40.50 to Destination Port 80
(192.168.20.30:<Any> --> 172.16.40.50:80).
Run these commands before you start the kernel debug:
fw ctl set int simple_debug_filter_off 1

fw ctl set str simple_debug_filter_saddr_1 "192.168.20.30"

fw ctl set str simple_debug_filter_daddr_2 "172.16.40.50"

fw ctl set int simple_debug_filter_dport_1 80

Important - In the above example, the indexes <N> of the kernel parameters
simple_debug_filter_saddr_<N> and simple_debug_filter_daddr_<N> are different,
because we want the debug filter to match both directions of this connection.


Kernel Debug Procedure


Alternatively, use the Kernel Debug Procedure with Connection Life Cycle (on page 274).
Important - In cluster, perform these steps on all the Cluster Members in the same way.

Step Description
1 Connect to the command line on the Security Gateway.
2 Log in to the Expert mode.
3 Reset the kernel debug options:
fw ctl debug 0
4 Reset the kernel debug filters:
fw ctl set int simple_debug_filter_off 1
5 Configure the applicable kernel debug filters (on page 268).
6 Allocate the kernel debug buffer for every CoreXL FW instance:
fw ctl debug -buf 8200
7 Make sure the kernel debug buffer was allocated:
fw ctl debug | grep buffer
8 Enable the applicable debug flags in the applicable kernel modules (on page 279):
fw ctl debug -m <module> {all | + <flags>}
9 Examine the list of the debug flags that are enabled in the specified kernel modules:
fw ctl debug -m <module>
10 Start the kernel debug:
fw ctl kdebug -T -f > /var/log/kernel_debug.txt
11 Replicate the issue, or wait for the issue to occur.
12 Stop the kernel debug:
Press CTRL+C
13 Reset the kernel debug options:
fw ctl debug 0
14 Reset the kernel debug filters:
fw ctl set int simple_debug_filter_off 1
15 Analyze the debug output file:
• On a Host Security Appliance without Falcon Acceleration Cards:
/var/log/kernel_debug.txt
• On a Host Security Appliance with the installed Falcon Acceleration Cards:
/var/log/kernel_debug_unified.txt


Example - Connection 192.168.20.30:<Any> --> 172.16.40.50:80


[Expert@GW:0]# fw ctl debug 0
Defaulting all kernel debugging options
Debug state was reset to default.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set int simple_debug_filter_off 1
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set str simple_debug_filter_saddr_1 "192.168.20.30"
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set str simple_debug_filter_daddr_2 "192.168.20.40"
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set int simple_debug_filter_dport_1 80
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -buf 8200
Initialized kernel debugging buffer to size 8192K
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug | grep buffer
Kernel debugging buffer size: 8192KB
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -m fw + conn drop
Updated kernel's debug variable for module fw
Debug flags updated.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -m fw
Kernel debugging buffer size: 8192KB
Module: fw
Enabled Kernel debugging options: error warning conn drop
Messaging threshold set to type=Info freq=Common
[Expert@GW:0]#
[Expert@GW:0]# fw ctl kdebug -T -f > /var/log/kernel_debug.txt

... ... Replicate the issue, or wait for the issue to occur ... ...
...
... ... Press CTRL+C ... ...

[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug 0
Defaulting all kernel debugging options
Debug state was reset to default.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl set int simple_debug_filter_off 1
[Expert@GW:0]#
[Expert@GW:0]# ls -l /var/log/kernel_debug.txt
-rw-rw---- 1 admin root 1630619 Apr 12 19:49 /var/log/kernel_debug.txt
[Expert@GW:0]#


Kernel Debug Procedure with Connection Life Cycle


Introduction
R80.20 introduces a new debug tool called Connection Life Cycle.
This tool generates a formatted debug output file that presents the debug messages hierarchically
by connections and packets:
• The first hierarchy level shows connections.
• After you expand the connection, you see all the packets of this connection.
Important - You must use this tool together with the regular kernel debug flags.

Syntax
• To start the debug capture:
[Expert@GW]# conn_life_cycle.sh -a start -o /<Path>/<Name of Raw Debug Output File> [-t | -T] [[-f "<Filter1>"] [-f "<Filter2>"] [-f "<Filter3>"] [-f "<Filter4>"] [-f "<Filter5>"]]

• To stop the debug capture and prepare the formatted debug output:
[Expert@GW]# conn_life_cycle.sh -a stop -o /<Path>/<Name of Formatted Debug Output File>

Parameters

Parameter Description
-a start Mandatory.
-a stop Specifies the action:
• start - Starts the debug capture based on the debug flags you enabled and
debug filters you specified.
• stop - Stops the debug capture, resets the kernel debug options, resets the
kernel debug filters.
-t | -T Optional.
Specifies the resolution of a time stamp in front of each debug message:
• -t - Prints the time stamp in milliseconds.
• -T - Prints the time stamp in microseconds (always use this option to make
the debug analysis easier).


Parameter: -f "<Filter>"
Optional.
Specifies which connections and packets to capture. For additional information, see Kernel Debug Filters (on page 268).
Important - If you do not specify filters, then the tool prints debug messages for all traffic. This causes high load on the CPU and increases the time to format the debug output file.
Each filter must contain these five numbers (5-tuple) separated with commas:
"<Source IP Address>,<Source Port>,<Destination IP Address>,<Destination Port>,<Protocol Number>"
Example of capturing traffic from IP 192.168.20.30 from any port to IP 172.16.40.50 to port 22 over the TCP protocol:
-f "192.168.20.30,0,172.16.40.50,22,6"
Notes:
• The tool supports up to five of such filters.
• The tool treats the value 0 (zero) as "any".
• If you specify two or more filters, the tool performs a logical "OR" of all the filters on each packet. If the packet matches at least one filter, the tool prints the debug messages for this packet.
• <Source IP Address> and <Destination IP Address> - IPv4 or IPv6 address
• <Source Port> and <Destination Port> - integers from 1 to 65535 (see IANA - Port Numbers https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml)
• <Protocol Number> - integer from 0 to 254 (see IANA - Protocol Numbers https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)

Parameter: -o /<Path>/<Name of Raw Debug Output File> (with -a start)
Mandatory.
Specifies the absolute path and the name of the raw debug output file.
Example: -o /var/log/kernel_debug.txt

Parameter: -o /<Path>/<Name of Formatted Debug Output File> (with -a stop)
Mandatory.
Specifies the absolute path and the name of the formatted debug output file (to analyze by an administrator).
Example: -o /var/log/kernel_debug_formatted.txt


Procedure
Important - In cluster, perform these steps on all the Cluster Members in the same way.

Step Description
1 Connect to the command line on the Security Gateway.
2 Log in to the Expert mode.
3 Enable the applicable debug flags in the applicable kernel modules (on page 279):
fw ctl debug -m <module> {all | + <flags>}
4 Examine the list of the debug flags that are enabled in the specified kernel modules:
fw ctl debug -m <module>
5 Start the debug capture:
conn_life_cycle.sh -a start -o /var/log/kernel_debug.txt -T -f "<Filter1>" [... [-f "<FilterN>"]]
6 Replicate the issue, or wait for the issue to occur.
7 Stop the debug capture and prepare the formatted debug output:
conn_life_cycle.sh -a stop -o /var/log/kernel_debug_formatted.txt
8 Transfer the formatted debug output file from your Security Gateway to your desktop or
laptop computer:
/var/log/kernel_debug_formatted.txt
9 Examine the formatted debug output file in an advanced text editor like Notepad++ (click
Language > R > Ruby), or any other Ruby language viewer.

Example - Collecting the kernel debug for TCP connection from IP 172.20.168.15 (any
port) to IP 192.168.3.53 and port 22
[Expert@GW:0]# fw ctl debug -m fw + conn drop
Updated kernel's debug variable for module fw
Debug flags updated.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -m fw
Kernel debugging buffer size: 50KB
HOST:
Module: fw
Enabled Kernel debugging options: error warning conn drop
Messaging threshold set to type=Info freq=Common
[Expert@GW:0]#
[Expert@GW:0]# conn_life_cycle.sh -a start -o /var/log/kernel_debug.txt -T
-f "172.20.168.15,0,192.168.3.53,22,6"
Set operation succeeded
Set operation succeeded
Set operation succeeded
Set operation succeeded
Set operation succeeded
Set operation succeeded
Set operation succeeded

Initialized kernel debugging buffer to size 8192K
Set operation succeeded
Capturing started...
[Expert@GW:0]#

... ... Replicate the issue, or wait for the issue to occur ... ...

[Expert@GW:0]#
[Expert@GW:0]# conn_life_cycle.sh -a stop -o /var/log/kernel_debug_formatted.txt
Set operation succeeded
Defaulting all kernel debugging options
Debug state was reset to default.
Set operation succeeded
doing unification...
Openning host debug file /tmp/tmp.KiWmF18217... OK
New unified debug file: /tmp/tmp.imzMZ18220... OK
prepare unification
performing unification
Done :-)
doing grouping...
wrapping connections and packets...
Some of packets lack description, probably because they were already handled
when the feature was enabled.
[Expert@GW:0]#
[Expert@GW:0]# fw ctl debug -m fw
Kernel debugging buffer size: 50KB
HOST:
Module: fw
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common
[Expert@GW:0]
[Expert@GW:0] ls -l /var/log/kernel_debug.*
-rw-rw---- 1 admin root 40960 Nov 26 13:02 /var/log/kernel_debug.txt
-rw-rw---- 1 admin root 24406 Nov 26 13:02 /var/log/kernel_debug_formatted.txt
[Expert@GW:0]


Example - Opening the kernel debug in Notepad++


Everything is collapsed:
Connection with 1st packet already in handling so no conn details
[+]{++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++

Opened the first hierarchy level to see the connection:


Connection with 1st packet already in handling so no conn details
[-]{++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++
;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is INBOUND;
[+]{---------------------------------------------------------- packet begins
------------------------------------------------------

Opened the second hierarchy level to see the packets of this connection:
Connection with 1st packet already in handling so no conn details
[-]{++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++
;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is INBOUND;
[-]{---------------------------------------------------------- packet begins
------------------------------------------------------
;26Nov2018 13:02:06.736021;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering
CHAIN_MODULES_ENTER;
;26Nov2018 13:02:06.736035;[cpu_2];[fw4_1];#fwconn_lookup_cache: conn <dir 0, 172.20.168.15:57821 ->
192.168.3.53:22 IPP 6>;
;26Nov2018 13:02:06.736046;[cpu_2];[fw4_1];#<1c001,44000,2,1e2,0,UUID:
5bfbc2a2-0000-0000-c0-a8-3-35-1-0-0-c0,
1,1,ffffffff,ffffffff,40800,0,80,OPQS:[0,ffffc20033d220f0,0,0,0,0,ffffc20033958648,0,0,0,ffffc2003
25d57b0,0,0,0,0,0],0,0,0,0,0,0,0,0,0,0,0,0,0,0>
;26Nov2018 13:02:06.736048;[cpu_2];[fw4_1];CONN LIFE CYCLE: lookup: found;
;26Nov2018 13:02:06.736053;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering VM_ENTER;
;26Nov2018 13:02:06.736055;[cpu_2];[fw4_1];#
;26Nov2018 13:02:06.736060;[cpu_2];[fw4_1];#Before VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22
IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 (ifn=1) (first
seen) (looked up) ;
;26Nov2018 13:02:06.736068;[cpu_2];[fw4_1];#After VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22
IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 ;
;26Nov2018 13:02:06.736071;[cpu_2];[fw4_1];#VM Final action=ACCEPT;
;26Nov2018 13:02:06.736072;[cpu_2];[fw4_1];# ----- Stateful VM inbound Completed -----
;26Nov2018 13:02:06.736075;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting VM_EXIT;
;26Nov2018 13:02:06.736081;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering POST VM_ENTER;
;26Nov2018 13:02:06.736083;[cpu_2];[fw4_1];#
;26Nov2018 13:02:06.736085;[cpu_2];[fw4_1];#fw_post_vm_chain_handler: (first_seen 32, new_conn 0,
is_my_ip 0, is_first_packet 0);
;26Nov2018 13:02:06.736089;[cpu_2];[fw4_1];#Before POST VM: <dir 0, 172.20.168.15:57821 ->
192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054
(ifn=1) (first seen) (looked up) ;
;26Nov2018 13:02:06.736095;[cpu_2];[fw4_1];#After POST VM: <dir 0, 172.20.168.15:57821 ->
192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054
;
;26Nov2018 13:02:06.736097;[cpu_2];[fw4_1];#POST VM Final action=ACCEPT;
;26Nov2018 13:02:06.736098;[cpu_2];[fw4_1];# ----- Stateful POST VM inbound Completed -----
;26Nov2018 13:02:06.736101;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting POST VM_EXIT;
;26Nov2018 13:02:06.736104;[cpu_2];[fw4_1];#fwconnoxid_msg_get_cliconn: warning - failed to get
connoxid message.;
;26Nov2018 13:02:06.736107;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering CPAS_ENTER;
;26Nov2018 13:02:06.736110;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CPAS_EXIT;
;26Nov2018 13:02:06.736113;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CHAIN_MODULES_EXIT;
;26Nov2018 13:02:06.736116;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is ACCEPTED;
}
;26Nov2018 13:02:06.770652;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is INBOUND;
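The records above show what a kernel debug buffer looks like: every line is ';<timestamp>;[cpu_N];[fw4_N];<message>;', the 'Packet <pointer> is ...' records name the packet they belong to, and the '#...' records (Before VM, Final action, chain handler notes, warnings) carry no pointer at all, so on a multi-core gateway they must be attributed to whichever packet that [cpu]/[fw4_N] worker is currently tracing. The following is an added example, not Check Point code, that parses records of this shape, rebuilds one trace per packet (5-tuple, chain points entered, per-stage Final action, warnings, time spent in the chain, terminal verdict) and flags traces that deserve a second look. The sample buffer is constructed from the lines on this page; the leading 'entering VM_ENTER' record is assumed by symmetry with the 'entering POST VM_ENTER' record, and the DROPPED and REJECTED verdict names are assumptions (only ACCEPTED appears on the page).

```python
"""Follow packets through kernel-debug output of the shape shown above (one
';<timestamp>;[cpu_N];[fw4_N];<message>;' record per line). Added example, not Check Point code.
SAMPLE is constructed from this page's lines; 'entering VM_ENTER' and DROPPED/REJECTED are assumed."""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
;26Nov2018 13:02:06.736055;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering VM_ENTER;
;26Nov2018 13:02:06.736060;[cpu_2];[fw4_1];#Before VM: <dir 0, 172.20.168.15:57821 -> 192.168.3.53:22 IPP 6> (len=40) TCP flags=0x10 (ACK), seq=686659054, ack=4181122096, data end=686659054 (ifn=1) (first seen) (looked up) ;
;26Nov2018 13:02:06.736071;[cpu_2];[fw4_1];#VM Final action=ACCEPT;
;26Nov2018 13:02:06.736075;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting VM_EXIT;
;26Nov2018 13:02:06.736081;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering POST VM_ENTER;
;26Nov2018 13:02:06.736097;[cpu_2];[fw4_1];#POST VM Final action=ACCEPT;
;26Nov2018 13:02:06.736101;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting POST VM_EXIT;
;26Nov2018 13:02:06.736104;[cpu_2];[fw4_1];#fwconnoxid_msg_get_cliconn: warning - failed to get connoxid message.;
;26Nov2018 13:02:06.736107;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering CPAS_ENTER;
;26Nov2018 13:02:06.736113;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CHAIN_MODULES_EXIT;
;26Nov2018 13:02:06.736116;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is ACCEPTED;
}
;26Nov2018 13:02:06.770652;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is INBOUND;
"""

LINE_RE = re.compile(r'^;(?P<ts>[^;]+);\[cpu_(?P<cpu>\d+)\];\[(?P<inst>[^\]]+)\];(?P<msg>.*?)\s*;?\s*$')
PKT_RE = re.compile(r'^Packet (?P<ptr>0x[0-9a-fA-F]+) is (?P<event>.+)$')
ENTER_RE = re.compile(r'^entering (?P<point>.+)_ENTER$')
ACTION_RE = re.compile(r'^#(?P<stage>.+?) Final action=(?P<action>\w+)$')
CONN_RE = re.compile(r'<dir (?P<dir>\d+), (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) IPP (?P<proto>\d+)>')
PROBLEM_RE = re.compile(r'\b(?:warning|error|failed)\b', re.IGNORECASE)
TERMINAL = {'ACCEPTED', 'DROPPED', 'REJECTED'}  # only ACCEPTED is shown on the page


@dataclass
class PacketTrace:
    ptr: str
    worker: Tuple[int, str]                                # (cpu, fw instance) that traced it
    first_ts: datetime
    last_ts: datetime
    direction: Optional[str] = None                        # e.g. INBOUND
    conn: Optional[Dict[str, str]] = None                  # 5-tuple from the first '<dir ...>' message
    points: List[str] = field(default_factory=list)        # chain points entered, in order
    actions: Dict[str, str] = field(default_factory=dict)  # 'VM' -> 'ACCEPT', 'POST VM' -> 'ACCEPT'
    problems: List[str] = field(default_factory=list)      # messages mentioning warning/error/failed
    verdict: Optional[str] = None                          # terminal verdict, if captured

    def duration_us(self) -> int:
        return (self.last_ts - self.first_ts) // timedelta(microseconds=1)


def parse_kdebug(text: str) -> 'OrderedDict[str, PacketTrace]':
    traces: 'OrderedDict[str, PacketTrace]' = OrderedDict()
    current: Dict[Tuple[int, str], str] = {}  # worker -> pointer of the packet it is tracing now
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. the '}' printed between packets
        ts = datetime.strptime(m['ts'], '%d%b%Y %H:%M:%S.%f')
        worker, msg = (int(m['cpu']), m['inst']), m['msg']
        pm = PKT_RE.match(msg)
        if pm:  # 'Packet <ptr> is <event>' records name the packet explicitly
            tr = traces.setdefault(pm['ptr'], PacketTrace(pm['ptr'], worker, ts, ts))
            current[worker], tr.last_ts = tr.ptr, ts
            em = ENTER_RE.match(pm['event'])
            if em:
                tr.points.append(em['point'])
            elif pm['event'] in TERMINAL:
                tr.verdict = pm['event']
            elif not pm['event'].startswith('exiting'):
                tr.direction = pm['event']
        elif worker in current:  # '#...' records belong to the packet this worker is tracing
            tr = traces[current[worker]]
            tr.last_ts = ts
            am, cm = ACTION_RE.match(msg), CONN_RE.search(msg)
            if am:
                tr.actions[am['stage']] = am['action']
            if cm and tr.conn is None:
                tr.conn = cm.groupdict()
            if PROBLEM_RE.search(msg):
                tr.problems.append(msg.lstrip('#'))
    return traces


def audit(traces: 'OrderedDict[str, PacketTrace]') -> Dict[str, List[str]]:
    """Per packet: warning messages, verdict missing (buffer cut), verdict/action mismatch."""
    findings: Dict[str, List[str]] = {}
    for ptr, tr in traces.items():
        notes = ['message: ' + p for p in tr.problems]
        non_accept = [s for s, a in tr.actions.items() if a != 'ACCEPT']
        if tr.verdict is None:
            notes.append('no final verdict in the captured buffer')
        elif tr.verdict == 'ACCEPTED' and non_accept:
            notes.append('ACCEPTED although %s returned a non-ACCEPT action' % ', '.join(non_accept))
        if notes:
            findings[ptr] = notes
    return findings


if __name__ == '__main__':
    for ptr, notes in audit(parse_kdebug(SAMPLE)).items():
        print(ptr, '->', '; '.join(notes))
```

Feed a saved kernel debug file to parse_kdebug() and the per-packet traces give the 5-tuple, the chain points (VM, POST VM, CPAS) and the time between the first and last record for each packet; audit() singles out packets whose verdict never made it into the buffer and packets whose stage actions disagree with the final verdict, which is where a drop by a later chain module shows up.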

Performance Tuning Administration Guide R80.20 | 278


Kernel Debug on Security Gateway

Kernel Debug Modules and Debug Flags


To see the available kernel debug modules and their debug flags, run: fw ctl debug -m
List of kernel debug modules (in alphabetical order):
• Module 'accel_apps' (Accelerated Applications) (on page 281)
• Module 'accel_pm_mgr' (Accelerated Pattern Match Manager) (on page 282)
• Module 'APPI' (Application Control Inspection) (on page 283)
• Module 'BOA' (Boolean Analyzer for Web Intelligence) (on page 284)
• Module 'CI' (Content Inspection) (on page 285)
• Module 'cluster' (ClusterXL) (on page 286)
• Module 'cmi_loader' (Context Management Interface/Infrastructure Loader) (on page 288)
• Module 'CPAS' (Check Point Active Streaming) (on page 289)
• Module 'cpcode' (Data Loss Prevention - CPcode) (on page 290)
• Module 'dlpda' (Data Loss Prevention - Download Agent, Content Awareness module) (on page 291)
• Module 'dlpk' (Data Loss Prevention - Kernel space module) (on page 292)
• Module 'dlpuk' (Data Loss Prevention - User space module) (on page 293)
• Module 'fg' (FloodGate-1 - QoS) (on page 294)
• Module 'FILEAPP' (File Application) (on page 295)
• Module 'fw' (Firewall) (on page 296)
• Module 'gtp' (GPRS Tunneling Protocol) (on page 300)
• Module 'h323' (VoIP H323) (on page 301)
• Module 'ICAP_CLIENT' (Internet Content Adaptation Protocol Client) (on page 302)
• Module 'IDAPI' (Identity Awareness) (on page 303)
• Module 'kiss' (Kernel Infrastructure) (on page 304)
• Module 'kissflow' (Kernel Infrastructure Flow) (on page 306)
• Module 'MALWARE' (Threat Prevention) (on page 307)
• Module 'multik' (Multi-Kernel Inspection - CoreXL) (on page 308)
• Module 'MUX' (Multiplexer for Applications Traffic) (on page 309)
• Module 'NRB' (Next Rule Base) (on page 310)
• Module 'PSL' (Passive Streaming Library) (on page 311)
• Module 'RAD_KERNEL' (Resource Advisor - Kernel space module) (on page 312)
• Module 'RTM' (Real Time Monitoring) (on page 313)
• Module 'seqvalid' (TCP Sequence Validator and Translator) (on page 314)
• Module 'SFT' (Stream File Type) (on page 315)
• Module 'SGEN' (Struct Generator) (on page 316)
• Module 'synatk' (Accelerated SYN Defender) (on page 317)
• Module 'UC' (UserCheck) (on page 318)
• Module 'UP' (Unified Policy) (on page 319)
• Module 'upconv' (Unified Policy Conversion) (on page 321)
• Module 'UPIS' (Unified Policy Infrastructure) (on page 322)
• Module 'VPN' (Site-to-Site VPN and Remote Access VPN) (on page 324)
• Module 'WS' (Web Intelligence) (on page 326)
• Module 'WS_SIP' (Web Intelligence VoIP SIP Parser) (on page 328)
• Module 'WSIS' (Web Intelligence Infrastructure) (on page 330)


Module 'accel_apps' (Accelerated Applications)


Syntax: fw ctl debug -m accel_apps + {all | <List of Debug Flags>}

Flag Description
av_lite Messages from the lite Content Inspection (Anti-Virus) module
cmi_lite Messages from the lite Context Management Interface/Infrastructure module
error General errors
warning General warnings


Module 'accel_pm_mgr' (Accelerated Pattern Match Manager)


Syntax: fw ctl debug -m accel_pm_mgr + {all | <List of Debug Flags>}

Flag Description
debug Operations in the Accelerated Pattern Match Manager module
error General errors and failures
flow Internal flow of functions
submit_error General failures to submit the data for analysis
warning General warnings and failures


Module 'APPI' (Application Control Inspection)


Syntax: fw ctl debug -m APPI + {all | <List of Debug Flags>}

Flag Description
account Accounting information
address Information about connection's IP address
btime Browse time
connection Application Control connections
coverage Coverage times (entering, blocking, and time spent)
error General errors
global Global policy operations
info General information
limit Application Control limits
memory Memory allocation operations
module Operations in the Application Control module (initialization, module loading, calls to the module, policy loading, and so on)
observer Classification Object (CLOB) observer (data classification)
policy Application Control policy
referrer Application Control referrer
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
urlf_ssl Application Control and URL Filtering for SSL
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings


Module 'BOA' (Boolean Analyzer for Web Intelligence)


Syntax: fw ctl debug -m BOA + {all | <List of Debug Flags>}

Flag Description
analyzer Operations in the BOA module
disasm Disassembler information
error General errors
fatal Fatal errors
flow Operations in the BOA module
info General information
lock Information about internal locks in the FireWall kernel
memory Memory allocation operations
spider Internal hash tables
stat Statistics
stream Memory allocation when processing streamed data
warning General warnings


Module 'CI' (Content Inspection)


Syntax: fw ctl debug -m CI + {all | <List of Debug Flags>}

Flag Description
address Prints connection addresses (as Source_IP:Source_Port -> Dest_IP:Dest_Port)
av Anti-Virus inspection
coverage Coverage times (entering, blocking, and time spent)
crypto Basic information about encryption and decryption
error General errors
fatal Fatal errors
filter Basic information about URL filters
info General information
ioctl Currently is not used
memory Memory allocation operations
module Operations in the Content Inspection module (initialization, module loading, calls to the module, policy loading, and so on)
policy Content Inspection policy
profile Basic information about the Content Inspection module (initialization, destroying, freeing)
regexp Regular Expression library
session Session layer
stat Content Inspection statistics
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
track Only a small number of important debug prints (Content-Disposition, Content-Type, extension validation, extension matching), so it can be used on a loaded gateway
uf URL filters and URL cache
vs Prints the VSID of the debugged Virtual System
warning General warnings


Module 'cluster' (ClusterXL)


Syntax: fw ctl debug -m cluster + {all | <List of Debug Flags>}
Notes:
• To print all synchronization operations in Check Point cluster in the debug output, enable
these debug flags:
• The 'sync' debug flag in the debug module 'fw' (on page 296)
• The 'sync' debug flag in the debug module 'CPAS' (on page 289)
• To print the contents of the packets in HEX format in the debug output (as "FW-1:
fwha_print_packet: Buffer ..."), before you start the kernel debug, set this kernel
parameter on each Cluster Member:
# fw ctl set int fwha_dprint_io 1
• To print all network checks in the debug output, before you start the kernel debug, set this
kernel parameter on each Cluster Member:
# fw ctl set int fwha_dprint_all_net_check 1

Flag Description
arp ARP Forwarding (see sk111956 http://supportcontent.checkpoint.com/solutions?id=sk111956)
autoccp Operations of CCP in Auto mode
ccp Reception and transmission of Cluster Control Protocol (CCP) packets
cloud Replies to the probe packets in CloudGuard IaaS
conf Cluster configuration and policy installation
correction Correction Layer
cu Connectivity Upgrade (see sk107042 http://supportcontent.checkpoint.com/solutions?id=sk107042)
drop Connections dropped by the cluster Decision Function (DF) module (does not include CCP packets)
forward Forwarding Layer messages (when Cluster Members send and receive a forwarded packet)
if Interface tracking and validation (all the operations and checks on interfaces)
ifstate Interface state (all the operations and checks on interfaces)
io Information about sending of packets through cluster interfaces
log Creating and sending of logs by cluster
Also enable the debug flag 'log' in the debug module 'fw' (on page 296)
mac Current configuration of and detection of cluster interfaces
Also enable the debug flags 'conf' and 'if' in this debug module
mmagic Operations on "MAC magic" (getting, setting, updating, initializing, dropping, and so on)

msg Handling of internal messages between Cluster Members
pivot Operation of ClusterXL in Load Sharing Unicast mode (Pivot mode)
pnote Registration and monitoring of Critical Devices (pnotes)
select Packet selection (includes the Decision Function)
stat States of cluster members (state machine)
subs Subscriber module (set of APIs, which enable user space processes to be aware of the current state of the ClusterXL state machine and other clustering configuration parameters)
timer Reports of cluster internal timers
trap Sending trap messages from the cluster kernel to the RouteD daemon about Master change

Module 'cmi_loader' (Context Management Interface/Infrastructure Loader)


Syntax: fw ctl debug -m cmi_loader + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
connection Internal messages about connection
coverage Coverage times (entering, blocking, and time spent)
cpcode DLP CPcode
Also see the Module 'cpcode' (on page 290)
error General errors
global_states User Space global states structures
info General information
inspect INSPECT code
memory Memory allocation operations
module Operations in the Context Management Interface/Infrastructure Loader module (initialization, module loading, calls to the module, contexts, and so on)
parsers_is Module parsers infrastructure
policy Policy installation
sigload Signatures, patterns, ranges
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings


Module 'CPAS' (Check Point Active Streaming)


Syntax: fw ctl debug -m CPAS + {all | <List of Debug Flags>}

Flag Description
api Interface layer messages
conns Detailed description of connections, and connection's limit-related messages
cpconntim Information about internal timers
error General errors
events Event-related messages
ftp Messages of the FTP example server
glue Glue layer messages
http Messages of the HTTP example server
icmp Messages of the ICMP example server
notify E-mail Messaging Security application
pkts Packets handling messages (allocation, splitting, resizing, and so on)
skinny Processing of Skinny Client Control Protocol (SCCP) connections
sync Synchronization operations in cluster
Also see the debug flag 'sync' in the debug module 'fw' (on page 296)
tcp TCP processing messages
tcpinfo TCP processing messages - more detailed description
timer Reports of internal timer ticks
Warning - Prints many messages, without real content
warning General warnings


Module 'cpcode' (Data Loss Prevention - CPcode)


Syntax: fw ctl debug -m cpcode + {all | <List of Debug Flags>}
Also see the:
• Module 'dlpda' (on page 291)
• Module 'dlpk' (on page 292)
• Module 'dlpuk' (on page 293)

Flag Description
cplog Resolving of names and IP addresses for Check Point logs
csv Creation of CSV files
echo Prints the function that called the CPcode module
error General errors
init Initializing of CPcode system
io Input / Output functionality for CPcode module
ioctl IOCTL control messages to kernel
kisspm Kernel Infrastructure Pattern Matcher
memory Memory allocation operations
persist Operations on persistence domains
policy Policy operations
run Policy operations
url Operations on URLs
vm Virtual Machine execution
warning General warnings


Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness)


Syntax: fw ctl debug -m dlpda + {all | <List of Debug Flags>}
Also see the:
• Module 'cpcode' (on page 290)
• Module 'dlpk' (on page 292)
• Module 'dlpuk' (on page 293)

Flag Description
address Information about connection's IP address
cmi Context Management Interface/Infrastructure operations
coverage Coverage times (entering, blocking, and time spent)
ctx Operations on DLP context
engine Content Awareness engine module
error General errors
filecache Content Awareness file caching
info General information
memory Memory allocation operations
mngr Currently is not used
module Initiation / removal of the Content Awareness infrastructure
observer Classification Object (CLOB) observer (data classification)
policy Content Awareness policy
slowpath Currently is not used
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings


Module 'dlpk' (Data Loss Prevention - Kernel Space)


Syntax: fw ctl debug -m dlpk + {all | <List of Debug Flags>}
Also see the:
• Module 'cpcode' (on page 290)
• Module 'dlpda' (on page 291)
• Module 'dlpuk' (on page 293)

Flag Description
cmi HTTP Proxy, connection redirection, identity information, Async
drv DLP inspection
error General errors
identity User identity, connection identity, Async
rulebase DLP rulebase match
stat Counter statistics


Module 'dlpuk' (Data Loss Prevention - User Space)


Syntax: fw ctl debug -m dlpuk + {all | <List of Debug Flags>}
Also see the:
• Module 'cpcode' (on page 290)
• Module 'dlpda' (on page 291)
• Module 'dlpk' (on page 292)

Flag Description
address Information about connection's IP address
buffer Currently is not used
coverage Coverage times (entering, blocking, and time spent)
error General errors
info General information
memory Memory allocation operations
module Initiation / removal of the Data Loss Prevention User Space modules' infrastructure
policy Currently is not used
serialize Data buffers and data sizes
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings


Module 'fg' (FloodGate-1 - QoS)


Syntax: fw ctl debug -m fg + {all | <List of Debug Flags>}

Flag Description
chain Tracing each packet through FloodGate-1 stages in the cookie chain
chainq Internal Chain Queue mechanism - holding and releasing of packets during critical actions (policy installation and uninstall)
classify Classification of connections to QoS rules
conn Processing and identification of connection
dns DNS classification mechanism
drops Dropped packets due to WFRED policy
dropsv Dropped packets due to WFRED policy - with additional debug information (verbose)
error General errors
flow Internal flow of connections (direction, interfaces, buffers, and so on)
fwrate Rate statistics for each interface and direction
general Currently is not used
install Policy installation
llq Low latency queuing
log Everything related to calls in the log
ls Processing of connections in ClusterXL in Load Sharing Mode
memory Memory allocation operations
multik Processing of connections in CoreXL
pkt Packet recording mechanism
policy QoS policy rules matching
qosaccel Acceleration of QoS traffic
rates Rule and connection rates (IQ Engine behavior and status)
rtm Failures in information gathering in the Real Time Monitoring module
Also see the Module 'RTM' (on page 313)
sched Basic scheduling information
tcp TCP streaming (re-transmission detection) mechanism
time Currently is not used
timers Reports of internal timer ticks
Warning - Prints many messages, without real content
url URL and URI for QoS classification
verbose Prints additional information (used with other debug flags)


Module 'FILEAPP' (File Application)


Syntax: fw ctl debug -m FILEAPP + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
coverage Coverage times (entering, blocking, and time spent)
error General errors
filetype Information about processing a file type
global Allocation and creation of global object
info General information
memory Memory allocation operations
module Operations in the FILEAPP module (initialization, module loading, calls to the module, and so on)
normalize File normalization operations (internal operations)
parser File parsing
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
upload File upload operations
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings


Module 'fw' (Firewall)


Syntax: fw ctl debug -m fw + {all | <List of Debug Flags>}

Flag Description
acct Accounting data in logs for Application Control (also enable the debug of the module 'APPI' (on page 283))
advp Advanced Patterns (signatures over port ranges) - runs under ASPII and CMI
aspii Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)
balance ConnectControl - logical servers in kernel, load balancing
bridge Bridge mode
caf Mirror and Decrypt feature - only mirror operations on all traffic
cgnat Carrier Grade NAT (CGN/CGNAT)
chain Connection Chain modules, cookie chain
chainfwd Chain forwarding - related to cluster kernel parameter fwha_perform_chain_forwarding
cifs Processing of Microsoft Common Internet File System (CIFS) protocol
citrix Processing of Citrix connections
cmi Context Management Interface/Infrastructure - IPS signature manager
conn Processing of all connections
connstats Connections statistics for Evaluation of Heavy Connections in CPView (see sk105762 http://supportcontent.checkpoint.com/solutions?id=sk105762)
content Anti-Virus content inspection
context Operations on Memory context and CPU context in the module 'kiss' (on page 304)
cookie Virtual de-fragmentation, cookie issues (cookies in the data structure that holds the packets)
corr Correction layer
cptls CRYPTO-PRO Transport Layer Security (HTTPS Inspection) - Russian VPN GOST
crypt Encryption and decryption of packets (algorithms and keys are printed in clear text and cipher text)
Warning - The debug output then contains key material. Protect the debug file accordingly.
cvpnd Processing of connections handled by the Mobile Access daemon
dfilter Operations in the debug filters (on page 268)
dlp Processing of Data Loss Prevention connections
dnstun DNS tunnels
domain DNS queries
dos DDoS attack mitigation (part of IPS)
driver Check Point kernel attachment (access to kernel is shown as log entries)

drop Reason for (almost) every dropped packet
drop_tmpl Operations in Drop Templates
dynlog Dynamic log enhancement (INSPECT logs)
epq End Point Quarantine (also AMD)
error General errors
event Event App features (DNS, HTTP, SMTP, FTP)
ex Expiration issues (time-outs) in dynamic kernel tables
filter Packet filtering performed by the Check Point kernel and all data loaded into kernel
ftp Processing of FTP Data connections (used to call applications over FTP Data - i.e., Anti-Virus)
handlers Operations related to the Context Management Interface/Infrastructure Loader
Also see the Module 'cmi_loader' (on page 288)
highavail Cluster configuration - changes in the configuration and information about interfaces during traffic processing
hold Holding mechanism and all packets being held / released
icmptun ICMP tunnels
if Interface-related information (accessing the interfaces, installing a filter on an interface)
install Driver installation - NIC attachment (actions performed by the fw ctl install and fw ctl uninstall commands)
integrity Integrity Client (enforcement cooperation)
ioctl IOCTL control messages (communication between kernel and daemons, loading and unloading of the FireWall)
ipopt Enforcement of IP Options
ips IPS logs and IPS IOCTL
ipv6 Processing of IPv6 traffic
kbuf Kernel-buffer memory pool (for example, encryption keys use these memory allocations)
ld Kernel dynamic tables infrastructure (reads from / writes to the tables)
Warning - Security Gateway can freeze / hang!
leaks Memory leak detection mechanism
link Creation of links in Connections kernel table (ID 8158)
log Everything related to calls in the log
machine INSPECT Virtual Machine (actual assembler commands being processed)
Warning - Security Gateway can freeze / hang!

mail Issues with e-mails over POP3, IMAP
malware Matching of connections to Threat Prevention Layers (multiple rulebases)
Also see the Module 'MALWARE' (on page 307)
media Does not apply anymore
Only on Security Gateway that runs on Windows OS: Transport Driver Interface information (interface-related information)
memory Memory allocation operations
mgcp Media Gateway Control Protocol (complementary to H.323 and SIP)
misc Miscellaneous helpful information (not shown with other debug flags)
misp ISP Redundancy
monitor Prints output similar to the "fw monitor" command
Also enable the debug flag 'misc' in this module
monitorall Prints output similar to the "fw monitor -p all" command
Also enable the debug flag 'misc' in this module
mrtsync Synchronization between cluster members of Multicast Routes that are added when working with Dynamic Routing Multicast protocols
msnms MSN over MSMS (MSN Messenger protocol)
Also always enable the debug flag 'sip' in this module
multik CoreXL-related (enables all the debug flags in the debug module 'multik' (on page 308), except for the debug flag 'packet')
nac Network Access Control (NAC) feature in Identity Awareness
nat NAT issues - basic information
nat64 NAT issues - 6in4 tunnels (IPv6 over IPv4) and 4in6 tunnels (IPv4 over IPv6)
netquota IPS protection "Network Quota"
ntup Non-TCP / Non-UDP traffic policy (traffic parser)
packet Actions performed on packets (like Accept, Drop, Fragment)
packval Stateless verifications (sequences, fragments, translations and other header verifications)
portscan Prevention of port scanning
prof Connection profiler for Firewall Priority Queues (see sk105762 http://supportcontent.checkpoint.com/solutions?id=sk105762)
q Driver queue (for example, cluster synchronization operations)
This debug flag is crucial for the debug of Check Point cluster synchronization issues
qos QoS (FloodGate-1)
rad Resource Advisor policy (for Application Control, URL Filtering, and others)

route Routing issues
This debug flag is crucial for the debug of ISP Redundancy issues
sam Suspicious Activity Monitoring
sctp Processing of Stream Control Transmission Protocol (SCTP) connections
scv SecureClient Verification
shmem Currently is not used
sip VoIP traffic - SIP and H.323
Also see the:
• Module 'h323' (on page 301)
• Module 'WS_SIP' (on page 328)
smtp Issues with e-mails over SMTP
sock Sockstress TCP DoS attack (CVE-2008-4609)
span Monitor mode (mirror / span port)
spii Stateful Protocol Inspection Infrastructure and INSPECT Streaming
Infrastructure
synatk IPS protection 'SYN Attack' (SYNDefender)
Also see the Module 'synatk' (on page 317)
sync Synchronization operations in Check Point cluster
Also see the debug flag 'sync' in the debug module 'CPAS' (on page 289)
tcpstr TCP streaming mechanism
te Prints the name of an interface for incoming connection from Threat Emulation Machine
tlsparser Currently is not used
ua Processing of Universal Alcatel "UA" connections
ucd Processing of UserCheck connections in Check Point cluster
user User Space communication with Kernel Space (most useful for configuration and VSX debug)
utest Currently is not used
vm Virtual Machine chain decisions on traffic going through the fw_filter_chain
wap Processing of Wireless Application Protocol (WAP) connections
warning General warnings
wire Wire-mode Virtual Machine chain module
xlate NAT issues - basic information
xltrc NAT issues - additional information - going through NAT rulebase
zeco Memory allocations in the Zero-Copy kernel module


Module 'gtp' (GPRS Tunneling Protocol)


Syntax: fw ctl debug -m gtp + {all | <List of Debug Flags>}

Flag Description
create GTPv0 / GTPv1 create PDP context
create2 GTPv2 create session
dbg GTP debug mechanism
delete GTPv0 / GTPv1 delete PDP context
delete2 GTPv2 delete session
error General GTP errors
ioctl GTP IOCTL commands
ld Operations with GTP kernel tables (addition, removal, modification of entries)
log GTPv0 / GTPv1 logging
log2 GTPv2 logging
modify GTPv2 modify bearer
other GTPv0 / GTPv1 other messages
other2 GTPv2 other messages
packet GTP main packet flow
parse GTPv0 / GTPv1 parsing
parse2 GTPv2 parsing
policy Policy installation
state GTPv0 / GTPv1 dispatching
state2 GTPv2 dispatching
sxl Processing of GTP connections in SecureXL
tpdu GTP T-PDU
update GTPv0 / GTPv1 update PDP context


Module 'h323' (VoIP H.323)


Syntax: fw ctl debug -m h323 + {all | <List of Debug Flags>}

Flag Description
align General VoIP debug messages (for example, VoIP infrastructure)
cpas Debug messages about the CPAS TCP
Important - This debug flag is not included when you use the syntax fw ctl debug -m h323 all
decode H.323 decoder messages
error General errors
h225 H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, and so on)
h245 H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, and so on)
init Internal errors
ras H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)
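Several tables above carry rules that are easy to forget mid-incident: the 'cluster' notes want fwha_dprint_io or fwha_dprint_all_net_check set on each member before the debug starts, 'cluster' 'log' and 'mac' need companion flags, 'fw' 'sync' and 'CPAS' 'sync' must be enabled together, 'fw' 'monitor' and 'msnms' need 'misc' and 'sip', the 'fw' flags 'ld' and 'machine' can freeze the gateway, the 'CPAS' 'timer' and 'fg' 'timers' flags are noise, and h323 'all' silently leaves out 'cpas'. The following is an added example, not Check Point tooling, that encodes exactly those rules and turns a wanted set of (module, flag) pairs into the command lines in the syntax the tables give: kernel parameters first, then one 'fw ctl debug -m <module> + <flags>' line per module. Module and flag names are passed through unvalidated; the rule tables are transcribed from this page and cover nothing beyond it.

```python
"""Plan a kernel-debug session from the module tables: resolve the 'Also enable' cross-references,
apply the warnings, and emit fw ctl command lines. Added example, not Check Point tooling; only the
cross-references and warnings stated on this page are encoded."""
from collections import OrderedDict
from typing import Dict, Iterable, List, Set, Tuple

Flag = Tuple[str, str]  # (module, flag)

# "Also enable ..." cross-references from the 'cluster', 'fw' and 'CPAS' tables
ALSO_ENABLE: Dict[Flag, List[Flag]] = {
    ('cluster', 'log'): [('fw', 'log')],
    ('cluster', 'mac'): [('cluster', 'conf'), ('cluster', 'if')],
    ('fw', 'monitor'): [('fw', 'misc')],
    ('fw', 'monitorall'): [('fw', 'misc')],
    ('fw', 'msnms'): [('fw', 'sip')],
    ('fw', 'sync'): [('CPAS', 'sync')],  # both are needed to see all synchronization operations
    ('CPAS', 'sync'): [('fw', 'sync')],
}
# entries whose description warns "Security Gateway can freeze / hang!"; 'fw all' implies them
DANGEROUS: Set[Flag] = {('fw', 'ld'), ('fw', 'machine'), ('fw', 'all')}
# entries whose description warns "Prints many messages, without real content"
NOISY: Set[Flag] = {('CPAS', 'timer'), ('fg', 'timers')}
# kernel parameters the 'cluster' notes say to set on each Cluster Member before the debug starts
CLUSTER_PARAMS = {
    'hex_packets': 'fw ctl set int fwha_dprint_io 1',
    'net_checks': 'fw ctl set int fwha_dprint_all_net_check 1',
}


def plan(wanted: Iterable[Flag], allow_dangerous: bool = False,
         cluster_options: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (commands, notes) for the requested (module, flag) pairs; 'all' is a valid flag."""
    selected: 'OrderedDict[str, OrderedDict[str, None]]' = OrderedDict()  # module -> ordered flags
    notes: List[str] = []
    todo: List[Flag] = list(wanted)
    seen: Set[Flag] = set()
    while todo:
        key = todo.pop(0)
        if key in seen:
            continue
        seen.add(key)
        module, flag = key
        if key in DANGEROUS and not allow_dangerous:
            raise ValueError("%s '%s' can freeze or hang the Security Gateway; "
                             "pass allow_dangerous=True to keep it" % key)
        if key in NOISY:
            notes.append("%s '%s' prints many messages without real content" % key)
        if key == ('h323', 'all'):
            notes.append("h323 'all' does not include 'cpas'; list it explicitly if you need it")
        if key == ('fw', 'multik'):
            notes.append("fw 'multik' enables every 'multik' module flag except 'packet'")
        selected.setdefault(module, OrderedDict())[flag] = None
        todo.extend(dep for dep in ALSO_ENABLE.get(key, []) if dep not in seen)
    commands = [CLUSTER_PARAMS[opt] for opt in cluster_options]  # KeyError on a typo is intended
    for module, flags in selected.items():
        commands.append('fw ctl debug -m %s + %s' % (module, ' '.join(flags)))
    return commands, notes


if __name__ == '__main__':
    cmds, why = plan([('cluster', 'log'), ('cluster', 'mac')], cluster_options=('hex_packets',))
    print('\n'.join(cmds + why))
```

The planner refuses 'fw' 'ld', 'fw' 'machine' and 'fw' 'all' unless told otherwise, because on a production gateway a hang is a worse outcome than a debug session without those flags; the companion flags are added transitively so that, for example, 'cluster' 'mac' pulls in 'conf' and 'if' and a request for 'fw' 'sync' also produces the 'CPAS' line.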


Module 'ICAP_CLIENT' (Internet Content Adaptation Protocol Client)


Syntax: fw ctl debug -m ICAP_CLIENT + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
blade Internal operations in the ICAP Client module
coverage Coverage times (entering, blocking, and time spent)
cpas Check Point Active Streaming (CPAS)
Also see the Module 'CPAS' (on page 289)
daf_cmi Mirror and Decrypt of HTTPS traffic - operations related to the Context Management Interface/Infrastructure Loader
Also see the Module 'cmi_loader' (on page 288)
daf_module Mirror and Decrypt of HTTPS traffic - operations related to the ICAP Client module
daf_policy Mirror and Decrypt of HTTPS traffic - operations related to policy installation
daf_rulebase Mirror and Decrypt of HTTPS traffic - operations related to rulebase
daf_tcp Mirror and Decrypt of HTTPS traffic - internal processing of TCP connections
error General errors
global Global operations in the ICAP Client module
icap Processing of ICAP connections
info General information
memory Memory allocation operations
module Operations in the ICAP Client module (initialization, module loading, calls to the module, and so on)
policy Policy installation
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
trick Data Trickling mode
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings


Module 'IDAPI' (Identity Awareness API)


Syntax: fw ctl debug -m IDAPI + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
async Checking for known networks
classifier Data classification
clob Classification Object (CLOB) observer (data classification)
coverage Coverage times (entering, blocking, and time spent)
data Portal, IP address matching for Terminal Servers Identity Agent, session handling
error General errors
htab Checking for network IP address, working with kernel tables
info General information
log Various logs for internal operations
memory Memory allocation operations
module Removal of the Identity Awareness API debug module's infrastructure, failure to convert to Base64, failure to append Source to Destination, and so on
observer Data classification observer
subject Prints the debug subject of each debug message
test IP test, Identity Awareness API synchronization
timestamp Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings


Module 'kiss' (Kernel Infrastructure)


Syntax: fw ctl debug -m kiss + {all | <List of Debug Flags>}
Also see the Module 'kissflow' (on page 306).

Flag Description
accel_pm Accelerated Pattern Matcher
bench CPU benchmark
connstats Statistics for connections
cookie Virtual de-fragmentation, cookie issues (cookies in the data structure that holds the packets)
dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution
driver Loading / unloading of the FireWall driver
error General errors
flofiler FLow prOFILER
ghtab Multi-threaded safe global hash tables
ghtab_bl Internal operations on global hash tables
handles Memory pool allocation for tables
htab Multi-threaded safe hash tables
htab_bl Internal operations on hash tables
htab_bl_err Errors and failures during internal operations on hash tables
htab_bl_exp Expiration in hash tables
htab_bl_infra Errors and failures during internal operations on hash tables
ioctl IOCTL control messages (communication between the kernel and daemons)
kqstats Kernel Worker thread statistics (resetting, initializing, turning off)
kw Kernel Worker state and Pattern Matcher inspection
leak Memory leak detection mechanism
memory Memory allocation operations
memprof Memory allocation operations in the Memory Profiler (when the kernel parameter fw_conn_mem_prof_enabled=1)
misc CPU counters, Memory counters, getting/setting of global kernel parameters
mtctx Multi-threaded context - memory allocation, reference count
packet Internal parsing operations on packets
pcre Perl Compatible Regular Expressions (execution, memory allocation)
pm Pattern Matcher compilation and execution
pmdump Pattern Matcher DFA (dumping XMLs of DFAs)

pmint Pattern Matcher compilation
pools Memory pool allocation operations
queue Kernel Worker thread queues
rem Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
salloc System Memory allocation
shmem Shared Memory allocation
sm String Matcher - Pattern Matcher 1st tier (fast path)
stat Statistics for categories and maps
swblade Registration of Software Blades
thinnfa Currently is not used
thread Kernel thread infrastructure that supplies low-level APIs to kernel threads
timers Internal timers
usrmem User Space platform memory usage
vbuf Virtual buffer
warning General warnings
worker Kernel Worker - queuing and dequeuing

Module 'kissflow' (Kernel Infrastructure Flow)


Syntax: fw ctl debug -m kissflow + {all | <List of Debug Flags>}
Also see the Module 'kiss' (on page 304).

Flag Description
compile Pattern Matcher (pattern compilation)
dfa Pattern Matcher (Deterministic Finite Automaton) compilation and execution
error General errors
memory Memory allocation operations
pm Pattern Matcher - general information
warning General warnings

Module 'MALWARE' (Threat Prevention)


Syntax: fw ctl debug -m MALWARE + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
av Currently is not used
coverage Coverage times (entering, blocking, and time spent)
error General errors
global Prints parameters from the $FWDIR/conf/mail_security_config file
info General information
ioc Operations on Indicators of Compromise (IoC)
memory Currently is not used
module Removal of the MALWARE module's debug infrastructure
policy Policy installation
subject Prints the debug subject of each debug message
te Currently is not used
timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings

Module 'multik' (Multi-Kernel Inspection - CoreXL)


Syntax: fw ctl debug -m multik + {all | <List of Debug Flags>}
Note - When you enable the debug flag 'multik' in the debug module 'fw' (on page 296), it
enables all the debug flags in this debug module, except for the debug flag 'packet'.

Flag Description
api Registration and unregistration of cross-instance function calls
cache_tab Cache table infrastructure
conn Creation and deletion of connections in the dispatcher table
counter Cross-instance counter infrastructure
error General errors
event Cross-instance event aggregation infrastructure
fwstats FireWall statistics
ioctl Distribution of IOCTLs to different CoreXL FW instances
lock Obtaining and releasing the fw_lock on multiple CoreXL FW instances
message Cross-instance messages (used for local sync and port scanning)
packet For each packet, shows the CoreXL SND dispatching decision (CoreXL FW
instance and reason)
packet_err Invalid packets, for which the CoreXL SND could not make a dispatching decision
prio Firewall Priority Queues (refer to sk105762
http://supportcontent.checkpoint.com/solutions?id=sk105762)
queue Packet queue
quota Cross-instance quota table (used by the Network Quota feature)
route Routing of packets
state Starting and stopping of CoreXL FW instances, establishment of relationship
between CoreXL FW instances
temp_conns Temporary connections
uid Cross-instance Unique IDs
vpn_multik MultiCore VPN (see sk118097
http://supportcontent.checkpoint.com/solutions?id=sk118097)

Module 'MUX' (Multiplexer for Applications Traffic)


R80.20 introduces a new layer between the Streaming layer and the Applications layer - MUX
(Multiplexer). Applications are registered to the Streaming layer through the MUX layer. The MUX
layer chooses to work over PSL (passive streaming) or CPAS (active streaming).
Syntax: fw ctl debug -m MUX + {all | <List of Debug Flags>}

Flag Description
active CPAS (active streaming)
Also see the Module 'CPAS' (on page 289)
advp Advanced Patterns (signatures over port ranges)
api API calls
comm Information about opening and closing of connections
error General errors
http_disp HTTP Dispatcher
misc Miscellaneous helpful information (not shown with other debug flags)
passive PSL (passive streaming)
Also see the Module 'PSL' (on page 311)
proxy_tp Proxy tunnel parser
stream General information about the data stream
test Currently is not used
tier1 Pattern Matcher 1st tier (fast path)
tls General information about the TLS
tlsp TLS parser
tol Test Object List algorithm (to determine whether an application is malicious or
not)
udp UDP parser
warning General warnings
ws Web Intelligence

Module 'NRB' (Next Rule Base)


Syntax: fw ctl debug -m NRB + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
appi Rules and applications
Also see the Module 'APPI' (on page 283)
coverage Coverage times (entering, blocking, and time spent)
dlp Data Loss Prevention
Also see the:
• Module 'dlpda' (on page 291)
• Module 'dlpk' (on page 292)
• Module 'dlpuk' (on page 293)
error General errors
info General information
match Rule matching
memory Memory allocation operations
module Operations in the NRB module (initialization, module loading, calls to the
module, contexts, and so on)
policy Policy installation
sec_rb Security rulebase
session Session layer
ssl_insp HTTPS Inspection
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings

Module 'PSL' (Passive Streaming Library)


Syntax: fw ctl debug -m PSL + {all | <List of Debug Flags>}
Also see the Module 'MUX' (on page 309).

Flag Description
error General errors
pkt Processing of packets
tcpstr Processing of TCP streams
seq Processing of TCP sequence numbers
warning General warnings

Module 'RAD_KERNEL' (Resource Advisor - Kernel Space)


Syntax: fw ctl debug -m RAD_KERNEL + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
cache RAD kernel malware cache
coverage Coverage times (entering, blocking, and time spent)
error General errors
global RAD global context
info General information
memory Memory allocation operations
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings

Module 'RTM' (Real Time Monitoring)


Syntax: fw ctl debug -m RTM + {all | <List of Debug Flags>}

Flag Description
accel Prints SecureXL information about the accelerated packets, connections, and so
on
chain Prints information about chain registration and about the E2E (Virtual Link)
chain function actions
Note - This important debug flag helps you know, whether the E2E identifies the
Virtual Link packets
con_conn Prints messages for each connection (when a new connection is handled by the
RTM module)
Same as the 'per_conn' debug flag
driver Check Point kernel attachment (access to kernel is shown as log entries)
err General errors
import Importing of the data from other kernel modules (FireWall, QoS)
init Initialization of the RTM module
ioctl IOCTL control messages
netmasks Information about how the RTM handles netmasks, if you are monitoring an
object of type Network
per_conn Prints messages for each connection (when a new connection is handled by the
RTM module)
Same as the 'con_conn' debug flag
per_pckt Prints messages for each packet (when a new packet arrives)
Warning - Prints many messages, which increases the load on the CPU
performance Currently is not used
policy Prints messages about loading and unloading on the FireWall module (indicates
that the RTM module received the FireWall callback)
rtm Real time monitoring
s_err General errors about kernel tables and other failures
sort Sorting of "Top XXX" counters
special Information about how the E2E modifies the E2ECP protocol packets
tabs Currently is not used
topo Calculation of network topography
view_add Adding or deleting of a View
view_update Updating of Views with new information
view_update1 Updating of Views with new information
wd WebDefense views

Module 'seqvalid' (TCP Sequence Validator and Translator)


Syntax: fw ctl debug -m seqvalid + {all | <List of Debug Flags>}

Flag Description
error General errors
seqval TCP sequence validation and translation
sock Currently is not used
warning General warnings

Module 'SFT' (Stream File Type)


Syntax: fw ctl debug -m SFT + {all | <List of Debug Flags>}

Flag Description
error General errors
fatal Fatal errors
info General information
mgr Rule match, database, connection processing, classification
warning General warnings

Module 'SGEN' (Struct Generator)


Syntax: fw ctl debug -m SGEN + {all | <List of Debug Flags>}

Flag Description
engine Struct Generator engine operations on objects
error General errors
fatal Fatal errors
field Operations on fields
general General types macros
info General information
load Loading of macros
serialize Serialization while loading the macros
warning General warnings

Module 'synatk' (Accelerated SYN Defender)


For additional information, see the R80.20 Performance Tuning Administration Guide
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGuide/html_frameset.htm - Chapter SecureXL - Section Accelerated SYN Defender.
Syntax: fw ctl debug -m synatk + {all | <List of Debug Flags>}

Flag Description
cookie TCP SYN Cookie
error General errors
radix_dump Dump of the radix tree
radix_match Matched items in the radix tree
radix_modify Operations in the radix tree
warning General warnings

Module 'UC' (UserCheck)


Syntax: fw ctl debug -m UC + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
coverage Coverage times (entering, blocking, and time spent)
error General errors
htab Hash table
info General information
memory Memory allocation operations
module Operations in the UserCheck module (initialization, UserCheck table hits, finding
User ID in cache, removal of UserCheck debug module's infrastructure)
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings
webapi URL patterns, UserCheck incidents, connection redirection

Module 'UP' (Unified Policy)


Syntax: fw ctl debug -m UP + {all | <List of Debug Flags>}
Also see the:
• Module 'upconv' (on page 321).
• Module 'UPIS' (on page 322).

Flag Description
account Currently is not used
address Information about connection's IP address
btime Currently is not used
clob Classification Object (CLOB) observer (data classification)
connection Information about connections, transactions
coverage Coverage times (entering, blocking, and time spent)
error General errors
info General information
limit Unified Policy download and upload limits
log Some logging operations
mab Mobile Access handler
manager Unified Policy manager operations
match Classification Object (CLOB) observer (data classification)
memory Memory allocation operations
module Operations in the Unified Policy module (initialization, module loading, calls to
the module, and so on)
policy Unified Policy internal operations
prob Currently is not used
prob_impl Implied matched rules
rulebase Unified Policy rulebase
sec_rb Secondary NRB rulebase operations
stats Statistics about connections, transactions
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
urlf_ssl Currently is not used
verbose Prints additional information (used with other debug flags)
vpn VPN classifier

vs Prints the VSID of the debugged Virtual System
warning General warnings

Module 'upconv' (Unified Policy Conversion)


Syntax: fw ctl debug -m upconv + {all | <List of Debug Flags>}
Also see the:
• Module 'UP' (on page 319).
• Module 'UPIS' (on page 322).

Flag Description
error General errors
info General information
map UTF-8 and UTF-16 characters conversion
mem Prints how much memory is used for character sets
tree Lookup of characters
utf7 Conversion of UTF-7 characters to a Unicode characters
utf8 Conversion of UTF-8 characters to a Unicode characters
warning General warnings

Module 'UPIS' (Unified Policy Infrastructure)


Syntax: fw ctl debug -m UPIS + {all | <List of Debug Flags>}
Also see the:
• Module 'UP' (on page 319)
• Module 'upconv' (on page 321)

Flag Description
address Information about connection's IP address
clob Classification Object (CLOB) observer (data classification)
coverage Coverage times (entering, blocking, and time spent)
cpdiag CPDiag operations
crumbs Currently is not used
db SQLite Database operations
error General errors
fwapp Information about policy installation for the FireWall application
info General information
memory Memory allocation operations
mgr Policy installation manager
module Operations in the Unified Policy Infrastructure module (initialization, module
loading, calls to the module, and so on)
mutex Unified Policy internal mutex operations
policy Unified Policy Infrastructure internal operations
report Various reports about Unified Policy installations
sna Operations on SnA objects ("Services and Application")
subject Prints the debug subject of each debug message
tables Operations on kernel tables
timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
topo Information about topology and Anti-Spoofing of interfaces; about Address
Range objects
upapp Information about policy installation for Unified Policy application
update Information about policy installation for CMI Update application
verbose Prints additional information (used with other debug flags)
vpn VPN classifier
vs Prints the VSID of the debugged Virtual System

warning General warnings

Module 'VPN' (Site-to-Site VPN and Remote Access VPN)


Syntax: fw ctl debug -m VPN + {all | <List of Debug Flags>}

Flag Description
cluster Events related to cluster
comp Compression for encrypted connections
counters Various status counters (typically for real-time Monitoring)
cphwd Traffic acceleration issues (in hardware)
driver Check Point kernel attachment (access to kernel is shown as log entries)
err Errors that should not happen, or errors that are critical to the operation of the VPN
module
gtp Processing of GPRS Tunneling Protocol (GTP) connections
Also see the Module 'gtp' (on page 300)
ifnotify Notifications about the changes in interface status - up or down (as received
from OS)
ike All IKE kernel debug: moving the IKE packet to the interface from which it eventually
leaves, and modification of the source IP address of the IKE packet, depending on the
configuration
init Initialization of the VPN kernel and its data structures, when the kernel comes up or
when a policy is installed (also prints the values of the flags that are set with CPSET on
policy reload)
l2tp Processing of L2TP connections
lsv Large Scale VPN (LSV)
mem Allocation of VPN pools and VPN contexts
mspi Information related to creation and destruction of MSA / MSPI
multicast VPN multicast
multik Information related to the interaction between VPN and CoreXL
nat NAT issues, cluster IP manipulation (Cluster Virtual IP address <=> Member IP
address)
om_alloc Allocation of Office Mode IP addresses
osu Cluster Optimal Service Upgrade (sk107042
http://supportcontent.checkpoint.com/solutions?id=sk107042)
packet Events that can happen for every packet, unless covered by more specific debug
flags
pcktdmp Prints outbound packets before they are encrypted and inbound packets after they
are decrypted. Note - This writes the plaintext of VPN traffic to the debug output; restrict
access to the debug file and delete it when the debug session is over
policy Events that can happen only for a special packet in a connection, usually related
to policy decisions or logs / traps
queue Handling of Security Association (SA) queues

rdp Processing of Check Point RDP connections
ref Reference counting for MSA / MSPI, when storing or deleting Security
Associations (SAs)
resolver VPN Link Selection table and Certificate Revocation List (CRL), which is also part
of the peer resolving mechanism
rsl Operations on Range Skip List
sas Information about keys and Security Associations (SAs)
sr SecureClient / SecureRemote related issues
tagging Sets the VPN policy of a connection according to VPN communities, VPN Policy
related information
tcpt Information related to TCP Tunnel (Visitor mode - FireWall traversal on TCP port
443)
tnlmon VPN tunnel monitoring
topology VPN Link Selection
vin Does not apply anymore (only on a Security Gateway that runs on Windows OS: information
related to IPSec NIC interaction)
warn General warnings
xl Does not apply anymore (interaction with Accelerator Cards AC II / III / IV)

Module 'WS' (Web Intelligence)


Syntax: fw ctl debug -m WS + {all | <List of Debug Flags>}
Notes:
• Also see the Module 'WSIS' (on page 330).
• To print information for all Virtual Systems in the debug output, before you start the kernel
debug, set this kernel parameter on the VSX Gateway or each VSX Cluster Member (this is the
default behavior):
# fw ctl set int ws_debug_vs 0
• To print information for a specific Virtual System in the debug output, before you start the
kernel debug, set this kernel parameter on the VSX Gateway or each VSX Cluster Member:
# fw ctl set int ws_debug_vs <VSID>
Example: fw ctl set int ws_debug_vs 2
• To print information for all IPv4 addresses in the debug output, before you start the kernel
debug, set this kernel parameter on the VSX Gateway or each VSX Cluster Member (this is the
default behavior):
# fw ctl set int ws_debug_ip 0
• To print information for a specific IPv4 address in the debug output, before you start the kernel
debug, set this kernel parameter on the VSX Gateway or each VSX Cluster Member:
# fw ctl set int ws_debug_ip <XXX.XXX.XXX.XXX>
Example: fw ctl set int ws_debug_ip 192.168.33.44
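
The filter-then-capture procedure described in the notes above, as an added example that is not part of this guide or of Check Point's own tooling: a POSIX shell wrapper that validates the ws_debug_vs and ws_debug_ip values before anything is set (so an IPv4 address cannot be passed where an integer VSID is expected), prints the exact fw command sequence in the required order (reset, buffer, filters, flags, capture, reset), and executes it only when asked and only where the fw binary exists. The function names, the -buf size of 32000, the 30-second capture window, the default flag set and the output path /var/log/ws_debug.txt are assumptions; the fw ctl commands themselves are the documented ones.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: wrapper for the WS kernel-debug
# procedure. Assumptions (not in the guide): the function names, the -buf size
# 32000, the 30-second capture window, the default flags and the output path.

# is_vsid VALUE: 0 or a positive integer. Rejects e.g. an IPv4 address passed
# where a VSID was meant.
is_vsid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_ipv4_filter VALUE: 0 (all addresses) or a dotted quad with octets 0..255.
# Runs in a subshell so the IFS change stays local.
is_ipv4_filter() (
    [ "$1" = "0" ] && exit 0
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# ws_debug_commands VSID IP OUTFILE "FLAGS": print the command sequence in the
# order the guide requires (reset, buffer, filters, flags, capture, reset).
# Prints nothing and returns 1 when a filter value is invalid.
ws_debug_commands() {
    vsid=$1; ip=$2; out=$3; flags=$4
    is_vsid "$vsid" || { echo "ws_debug_vs needs an integer VSID, got '$vsid'" >&2; return 1; }
    is_ipv4_filter "$ip" || { echo "ws_debug_ip needs 0 or an IPv4 address, got '$ip'" >&2; return 1; }
    [ -n "$flags" ] || { echo "no WS debug flags given" >&2; return 1; }
    cat <<EOF
fw ctl debug 0
fw ctl debug -buf 32000
fw ctl set int ws_debug_vs $vsid
fw ctl set int ws_debug_ip $ip
fw ctl debug -m WS + $flags
fw ctl kdebug -T -f > $out &
KDEBUG_PID=\$!
sleep 30
fw ctl debug 0
kill \$KDEBUG_PID
EOF
}

# run_ws_debug VSID IP OUTFILE "FLAGS": execute the sequence; only meaningful on
# a gateway where the fw binary exists.
run_ws_debug() {
    command -v fw >/dev/null 2>&1 || { echo "fw not found: not a Check Point gateway" >&2; return 1; }
    cmds=$(ws_debug_commands "$@") || return 1
    sh -c "$cmds"
}

# Dry run by default: print the sequence for VS 2, all IPv4 addresses and a few
# flags. Use: --run VSID IP OUTFILE "FLAGS" to execute on the gateway.
if [ "${1:-}" = "--run" ]; then
    shift
    run_ws_debug "$@"
else
    ws_debug_commands "${1:-2}" "${2:-0}" "${3:-/var/log/ws_debug.txt}" "${4:-error parser_err connection}"
fi
```

Run it without arguments on any machine to see the sequence that would be executed; on the gateway, `sh ws_debug.sh --run 2 0 /var/log/ws_debug.txt "error parser_err connection"` captures for 30 seconds and always ends with `fw ctl debug 0`, so the debug flags never stay enabled after the script exits.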

Flag Description
address Information about connection's IP address
body HTTP body (content) layer
connection Connection layer
cookie HTTP cookie header
coverage Coverage times (entering, blocking, and time spent)
crumb Currently is not used
error General errors (the connection is probably rejected)
event Events
fatal Fatal errors
flow Currently is not used
global Handling of global structure (usually, related to policy)
info General information
ioctl IOCTL control messages (communication between the kernel and daemons,
loading and unloading of the FireWall)
mem_pool Memory pool allocation operations
memory Memory allocation operations

module Operations in the Web Intelligence module (initialization, module loading, calls
to the module, policy loading, and so on)
parser HTTP header parser layer
parser_err HTTP header parsing errors
pfinder Pattern finder
pkt_dump Packet dump
policy Policy (installation and enforcement)
regexp Regular Expression library
report_mgr Report manager (errors and logs)
session Session layer
spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)
ssl_insp HTTPS Inspection
sslt SSL Tunneling (SSLT)
stat Memory usage statistics
stream Stream virtualization
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
uuid Session UUID
vs Prints the VSID of the debugged Virtual System
warning General warnings

Module 'WS_SIP' (Web Intelligence VoIP SIP Parser)


Syntax: fw ctl debug -m WS_SIP + {all | <List of Debug Flags>}

Flag Description
address Information about connection's IP address
body HTTP body (content) layer
connection Connection layer
cookie HTTP cookie header
coverage Coverage times (entering, blocking, and time spent)
crumb Currently is not used
error General errors
event Events
fatal Fatal errors
flow Currently is not used
global Handling of global structure (usually, related to policy)
info General information
ioctl IOCTL control messages (communication between the kernel and daemons,
loading and unloading of the FireWall)
mem_pool Memory pool allocation operations
memory Memory allocation operations
module Operations in the Web Intelligence VoIP SIP Parser module (initialization,
module loading, calls to the module, policy loading, and so on)
parser HTTP header parser layer
parser_err HTTP header parsing errors
pfinder Pattern finder
pkt_dump Packet dump
policy Policy (installation and enforcement)
regexp Regular Expression library
report_mgr Report manager (errors and logs)
session Session layer
spii Stateful Protocol Inspection Infrastructure (INSPECT streaming)
ssl_insp HTTPS Inspection
sslt SSL Tunneling (SSLT)
stat Memory usage statistics
stream Stream virtualization
subject Prints the debug subject of each debug message

timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
uuid Session UUID
vs Prints the VSID of the debugged Virtual System
warning General warnings

Module 'WSIS' (Web Intelligence Infrastructure)


Syntax: fw ctl debug -m WSIS + {all | <List of Debug Flags>}
Also see the Module 'WS' (on page 326).

Flag Description
address Information about connection's IP address
cipher Currently is not used
common Prints a message, when parameters are invalid
coverage Coverage times (entering, blocking, and time spent)
crumb Currently is not used
datastruct Data structure tree
decoder Decoder for the content transfer encoding (UUEncode, UTF-8, HTML numeric character
references such as &#...)
dump Packet dump
error General errors
flow Currently is not used
info General information
memory Memory allocation operations
parser HTTP header parser layer
subject Prints the debug subject of each debug message
timestamp Prints the timestamp for each debug message (changes when you enable the
debug flag 'coverage')
verbose Prints additional information (used with other debug flags)
vs Prints the VSID of the debugged Virtual System
warning General warnings
