Enabling QoS support for acceleration technologies (SecureXL and CoreXL)
Product: QoS, SecureXL, CoreXL
Version: R77.10 (EOL), R77.20, R77.30 (EOL)
OS: Gaia, SecurePlatform 2.6, Gaia Embedded
Table of Contents:
Enabling support for QoS with SecureXL and CoreXL on Security Gateway
Disabling support for QoS with SecureXL and CoreXL on Security Gateway
By default, QoS is not supported together with SecureXL and CoreXL on a Security Gateway. You can use either QoS or acceleration (SecureXL and/or CoreXL), but not both.
If only SecureXL is enabled on the Security Gateway (i.e., CoreXL is disabled), then enabling the QoS blade on the Security Gateway and installing the QoS policy will disable SecureXL and enable QoS.
If CoreXL is enabled on the Security Gateway, then installing the QoS policy will fail with the following error: "QoS cannot be enabled at the same time as CoreXL. Either remove QoS from the list of Software Blades, or use cpconfig to disable CoreXL."
Starting in R77.10, QoS support for SecureXL and CoreXL is included, but it is disabled by default. There is one exception: QoS express policy is not supported yet with SecureXL and CoreXL (the QoS policy should be set to "Traditional mode": go to 'File' menu - click on 'New...' - check the box 'QoS' - check the box 'QoS policy (Recommended)').
Note: For Small and Medium Business Appliances running on Gaia Embedded OS, QoS support for SecureXL and CoreXL is included starting from the firmware R77.20.20, and it is enabled by default.
If you wish to enable QoS along with SecureXL and CoreXL on an R77.10 Security Gateway, follow the procedure below. Refer to the R77.10 Quality of Service Administration Guide - Chapter 1 'Introduction to QoS' - Check Point's QoS Solution - Enabling QoS Acceleration Support.
If you have a QoS policy created on Security Management Server / Multi-Domain Security Management Server version R77 and below, then the following features are not supported when QoS acceleration is enabled:
Security Gateways running on IPSO OS
Security Gateways below R77.10
Citrix printing rules
Multicast acceleration (multicast traffic will not be accelerated via SecureXL)
SmartView Monitor - QoS views do not correctly show traffic accelerated by SecureXL
In R80.10 and above, QoS acceleration is enabled by default, so this solution is not needed.
If you do not add the required attribute ':FgWithAcceleration (1)' to the Check Point Registry, you will receive the following error during QoS policy installation:
"QoS cannot be enabled at the same time as CoreXL. Either remove QoS from the list of Software Blades, or use cpconfig to disable CoreXL."
Enable SecureXL in 'cpconfig' menu:
Select 'Enable Check Point SecureXL'.
Note: If you already have SecureXL enabled, then skip this step.
Enable and configure CoreXL in 'cpconfig' menu:
Select 'Check Point CoreXL' - configure the desired number of firewall instances.
Note: If you already have CoreXL enabled and configured, then skip this step.
Reboot the Security Gateway.
Connect with SmartDashboard to Security Management Server / Domain Management Server.
Open Security Gateway object - go to 'General Properties' pane - go to 'Network Security' tab - check the box 'QoS'.
Configure the QoS on the relevant interfaces (go to 'Topology' pane - select an interface - click on 'Edit...' - go to 'QoS' tab).
Install the policy (make sure that the 'QoS' policy is checked).
Check that SecureXL / CoreXL / QoS are enabled and working as expected.
Connect to command line on Security Gateway (over SSH, or console).
Log in to Expert mode.
Check the state and performance of SecureXL / CoreXL / QoS by running the following commands:
[Expert@HostName]# fwaccel stat
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : disabled by user
[Expert@HostName]# fwaccel stats
Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
accel packets        443192          accel bytes          63122102
conns created        53              conns deleted        23
C total conns        30              C templates          2
C TCP conns          27              C delayed TCP conns  20
C non TCP conns      3               C delayed nonTCP con 5
......output is truncated for brevity......
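The check in the last step can be scripted. The following is an added example, not part of the original article and not a Check Point tool: shell functions that read 'fwaccel stat' output in the format shown above and report whether SecureXL is still on after the QoS policy install. The function names, the sample text and the "off" value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: parse `fwaccel stat` output in the "Name : value" format shown above.
# On a gateway the input would come from:  fwaccel stat | check_securexl

# fwaccel_field NAME: read `fwaccel stat` text on stdin, print the value of NAME.
# Exits non-zero when the field is absent (e.g. unexpected or empty output).
fwaccel_field() {
    awk -v want="$1" '
        index($0, ":") == 0 { next }            # skip prompts and blank lines
        {
            key = substr($0, 1, index($0, ":") - 1)
            val = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)    # trim padding around the colon
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# check_securexl: stdin = `fwaccel stat` output. Prints one verdict line.
# Returns 0 = SecureXL on, 1 = not on, 2 = status line not found.
check_securexl() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | fwaccel_field 'Accelerator Status') || {
        echo "UNKNOWN: no 'Accelerator Status' line in input"; return 2; }
    templates=$(printf '%s\n' "$out" | fwaccel_field 'Accept Templates') \
        || templates="not reported"
    case "$status" in
        on) echo "OK: SecureXL on, accept templates: $templates"; return 0 ;;
        *)  echo "FAIL: SecureXL is '$status' (QoS install may have disabled it)"
            return 1 ;;
    esac
}

# Constructed samples: the first mirrors the output shown above; the second
# assumes a gateway with SecureXL switched off reports the value "off".
SAMPLE_ON='[Expert@HostName]# fwaccel stat
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : disabled by user'
SAMPLE_OFF='Accelerator Status : off'

printf '%s\n' "$SAMPLE_ON"  | check_securexl || true
printf '%s\n' "$SAMPLE_OFF" | check_securexl || true
```

A non-zero return right after a QoS policy install matches the case described earlier in this article, where installing the QoS policy without acceleration support disables SecureXL.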