Enabling QoS support for acceleration technologies (SecureXL and CoreXL)
Solution

Table of Contents:

  • Introduction
  • Enabling support for QoS with SecureXL and CoreXL on Security Gateway
  • Disabling support for QoS with SecureXL and CoreXL on Security Gateway
  • Related documentation

 


 

Introduction

  • By default, QoS is not supported with SecureXL and CoreXL on Security Gateway. Either QoS, or acceleration (SecureXL and/or CoreXL) can be used.

  • If only SecureXL is enabled on Security Gateway (i.e., CoreXL is disabled), then enabling QoS blade on Security Gateway and installing QoS policy will disable SecureXL and enable QoS.

  • If CoreXL is enabled on Security Gateway, then installing QoS policy will fail with the following error:
    QoS cannot be enabled at the same time as CoreXL. Either remove QoS from the list of Software Blades, or use cpconfig to disable CoreXL.

  • Starting in R77.10, QoS support for SecureXL and CoreXL is included, but it is disabled by default.
    There is one exception: QoS express policy is not supported yet with SecureXL and CoreXL (QoS policy should be set to "Traditional mode": go to 'File' menu - click on 'New...' - check the box 'QoS' - check the box 'QoS policy (Recommended)').

    Note: For Small and Medium Business Appliances running on Gaia Embedded OS, QoS support for SecureXL and CoreXL is included starting from the firmware R77.20.20, and it is enabled by default.

  • If you wish to enable QoS along with SecureXL and CoreXL on R77.10 Security Gateway, then follow the procedure below.
    Refer to R77.10 Quality of Service Administration Guide - Chapter 1 'Introduction to QoS' - Check Point's QoS Solution - Enabling QoS Acceleration Support.

  • If you have a QoS policy created on Security Management Server / Multi-Domain Security Management Server version R77 and below, then the following features are not supported when QoS acceleration is enabled:
    • Security Gateways running on IPSO OS
    • Security Gateways below R77.10
    • Citrix printing rules
    • UserAuthority Server
    • Multicast acceleration (multicast traffic will not be accelerated via SecureXL)
    • SmartView Monitor - QoS views do not correctly show traffic accelerated by SecureXL


  • In R80.10 and above, QoS acceleration is enabled by default, so this solution is not needed.

For QoS limitations, refer to sk97619 - R77.10 Known Limitations.

 

Enabling support for QoS (FloodGate-1) with SecureXL and CoreXL on Security Gateway


Note: In cluster environment, this procedure must be performed on all members of the cluster.

  1. Connect to command line on Security Gateway (over SSH, or console).

  2. Log in to Expert mode.

  3. Enable accelerated mode for FloodGate-1 (QoS) in Check Point Registry:

    [Expert@HostName]# cpprod_util CPPROD_SetValue FG1 FgWithAcceleration 1 1 1

    Notes:

    • When issuing the 'cpprod_util CPPROD_SetValue FG1 FgWithAcceleration 1 1 1' command, it returns 0 (zero) on success.

    • This command sets the value of the attribute ':FgWithAcceleration' to 1 in the Check Point Registry file ($CPDIR/registry/HKLM_registry.data). If this attribute does not exist in the Check Point Registry file, this command will also add it. Example of the FG1 section after the command runs:

      : (FG1
              :CurrentVersion (6.0)
              : (6.0
                      :CurrentLabel (R77)
                      :CurrentSP (4)
                      :FGDIR ("/opt/CPsuite-R77/fg1")
                      :PRODDIR ("/opt/CPsuite-R77/fg1")
                      :AutoStart (1)
                      :ProdActive (1)
                      :IsConfigured (1)
                      :FgWithAcceleration (1)
                      : (SP4
                              :CurrentMSP (0)
                              : (MSP0
                                      :SilentUninstall ("rpm -e CPsuite-R77")
                              )
                      )
              )
      )
      
    • If you do not add the required attribute ':FgWithAcceleration (1)' to Check Point Registry, you would receive the following error during QoS policy installation:
      QoS cannot be enabled at the same time as CoreXL. Either remove QoS from the list of Software Blades, or use cpconfig to disable CoreXL. 
  4. Enable SecureXL in 'cpconfig' menu:

    [Expert@HostName]# cpconfig

    Select 'Enable Check Point SecureXL'.

    Note: If you already have SecureXL enabled, then skip this step.

  5. Enable and configure CoreXL in 'cpconfig' menu:

    [Expert@HostName]# cpconfig

    Select 'Check Point CoreXL' - configure the desired number of firewall instances.

    Note: If you already have CoreXL enabled and configured, then skip this step.

  6. Reboot the Security Gateway.

  7. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  8. Open Security Gateway object - go to 'General Properties' pane - go to 'Network Security' tab - check the box 'QoS'.

  9. Configure the QoS on the relevant interfaces (go to 'Topology' pane - select an interface - click on 'Edit...' - go to 'QoS' tab).

  10. Install the policy (make sure that the 'QoS' policy is checked).

  11. Check that SecureXL / CoreXL / QoS are enabled and working as expected.

    1. Connect to command line on Security Gateway (over SSH, or console).

    2. Log in to Expert mode.

    3. Check the state and performance of SecureXL / CoreXL / QoS by running the following commands:

      • SecureXL

        [Expert@HostName]# fwaccel stat
        Example output:
        Accelerator Status : on
        Accept Templates   : enabled
        Drop Templates     : disabled
        NAT Templates      : disabled by user
        
        [Expert@HostName]# fwaccel stats
        Example output:
        Name                  Value              Name                  Value
        --------------------  ---------------    --------------------  ---------------
        
        Accelerated Path
        ------------------------------------------------------------------------------
        accel packets                  443192    accel bytes                  63122102
        conns created                      53    conns deleted                      23
        C total conns                      30    C templates                         2
        C TCP conns                        27    C delayed TCP conns                20
        C non TCP conns                     3    C delayed nonTCP con                5
        ......output is truncated for brevity......
        
        [Expert@HostName]# fwaccel stats -s
        Example output:
        Accelerated conns/Total conns : 40/44 (90%)
        Accelerated pkts/Total pkts   : 443192/701322 (63%)
        F2Fed pkts/Total pkts   : 258130/701322 (36%)
        PXL pkts/Total pkts   : 0/701322 (0%)
        QXL pkts/Total pkts   : 211103/701322 (30%)
        
      • CoreXL

        [Expert@HostName]# fw ctl multik stat
        Example output:
        ID | Active  | CPU    | Connections | Peak
        ----------------------------------------------
         0 | Yes     | 3      |          14 |       24
         1 | Yes     | 2      |          20 |       44
         2 | Yes     | 1      |          15 |       24
        
      • QoS

        [Expert@HostName]# fgate stat
        Example output:
        Product:        FloodGate-1
        Version:        R77.10
        Kernel Build:   66
        Policy Name:    Any_Any_Accept_noLogs
        Install time:   Tue Jan 21 18:48:12 2014
        Interfaces Num: 1
        
        
        Interface table
        ----------------------------------------------------------------
        |Name|Dir|Limit (Bps)|Avg Rate (Bps)|Conns|Pend pkts|Pend bytes|
        ----------------------------------------------------------------
        |eth0|in |  125000000|         13530|   37|        0|         0|
        |eth0|out|  125000000|            25|   31|        0|         0|
        ----------------------------------------------------------------
        

 

Disabling support for QoS (FloodGate-1) with SecureXL and CoreXL on Security Gateway


Note: In cluster environment, this procedure must be performed on all members of the cluster.

  1. Connect to command line on Security Gateway (over SSH, or console).

  2. Log in to Expert mode.

  3. Disable accelerated mode for FloodGate-1 (QoS) in Check Point Registry file:

    [Expert@HostName]# cpprod_util CPPROD_SetValue FG1 FgWithAcceleration 1 0 1

    Notes:

    • When issuing the 'cpprod_util CPPROD_SetValue FG1 FgWithAcceleration 1 0 1' command, it returns 0 (zero) on success.

    • This command sets the value of the attribute ':FgWithAcceleration' to 0 in the Check Point Registry file ($CPDIR/registry/HKLM_registry.data):
      : (FG1
              :CurrentVersion (6.0)
              : (6.0
                      :CurrentLabel (R77)
                      :CurrentSP (4)
                      :FGDIR ("/opt/CPsuite-R77/fg1")
                      :PRODDIR ("/opt/CPsuite-R77/fg1")
                      :AutoStart (1)
                      :ProdActive (1)
                      :IsConfigured (1)
                      :FgWithAcceleration (0)
                      : (SP4
                              :CurrentMSP (0)
                              : (MSP0
                                      :SilentUninstall ("rpm -e CPsuite-R77")
                              )
                      )
              )
      )
      
  4. If needed, disable SecureXL in 'cpconfig' menu:

    [Expert@HostName]# cpconfig

    Select 'Disable Check Point SecureXL'.

  5. If needed, disable CoreXL in 'cpconfig' menu:

    [Expert@HostName]# cpconfig

    Select 'Check Point CoreXL' - select 'Disable Check Point CoreXL'.

  6. Reboot the Security Gateway.

  7. Open Security Gateway object - go to 'General Properties' pane - go to 'Network Security' tab - uncheck the box 'QoS'.

  8. Install the policy (make sure that the 'QoS' policy is unchecked).

  9. Check the state of SecureXL / CoreXL / QoS.

    1. Connect to command line on Security Gateway (over SSH, or console).

    2. Log in to Expert mode.

    3. Check the state of SecureXL / CoreXL / QoS by running the following commands:

      • SecureXL

        [Expert@HostName]# fwaccel stat
        Output if QoS blade was disabled in SmartDashboard:
        Accelerator Status : off
        
        Accelerator Features Mask : not available
        Cryptography Features Mask : not available
        
        Output if QoS blade is still enabled in SmartDashboard:
        SecureXL acceleration cannot be started while FloodGate-1 is running in non accelerated mode
        Accelerator Features Mask : not available
        Cryptography Features Mask : not available
      • CoreXL

        [Expert@HostName]# fw ctl multik stat
        Output:
        fw: CoreXL is disabled 
      • QoS

        [Expert@HostName]# fgate stat
        Output if QoS blade was disabled in SmartDashboard:
        FloodGate-1 service is not started, cannot obtain status (localhost). 
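
The verification steps at the end of the enable and disable procedures can be scripted. The following is an added example, not Check Point code: it reads ':FgWithAcceleration' from the FG1 registry section only and cross-checks it against the status strings quoted in this article. The function names, verdict labels and the DECOY section in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify QoS/acceleration state from text shown in the article.
# stdin: registry text. Prints FgWithAcceleration from the FG1 section only,
# or "absent". Assumes parentheses inside quoted values are balanced.
fg_accel_value() {
    awk '
        /^[ \t]*: [(]FG1[ \t]*$/ { in_fg1 = 1 }
        in_fg1 {
            line = $0
            depth += gsub(/[(]/, "(", line) - gsub(/[)]/, ")", line)
            if (match($0, /:FgWithAcceleration[ \t]*[(][0-9]+[)]/)) {
                found = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", found)
            }
            if (depth == 0) exit    # FG1 section closed
        }
        END { print (found == "" ? "absent" : found) }'
}

# $1 FgWithAcceleration value, $2 fwaccel stat, $3 fw ctl multik stat,
# $4 fgate stat output. Matched strings are the ones quoted in the article.
gateway_verdict() (
    case "$2" in
        *"cannot be started while FloodGate-1"*) sxl=blocked ;;
        *"Accelerator Status : on"*)  sxl=on ;;
        *"Accelerator Status : off"*) sxl=off ;;
        *) sxl=unknown ;;
    esac
    case "$3" in *"CoreXL is disabled"*) cxl=off ;; *"| Yes"*) cxl=on ;; *) cxl=unknown ;; esac
    case "$4" in *"service is not started"*) qos=off ;; *"FloodGate-1"*) qos=on ;; *) qos=unknown ;; esac
    case "$1/$sxl/$cxl/$qos" in
        1/on/on/on)  echo "qos-accelerated" ;;
        */blocked/*) echo "qos-blocks-securexl" ;;
        */off)       echo "qos-stopped" ;;
        *) echo "mismatch:reg=$1,securexl=$sxl,corexl=$cxl,qos=$qos" ;;
    esac
)

# Constructed sample: trimmed FG1 section plus a hypothetical DECOY section.
SAMPLE_REGISTRY=': (DECOY
        :FgWithAcceleration (0)
)
: (FG1
        : (6.0
                :IsConfigured (1)
                :FgWithAcceleration (1)
        )
)'
reg=$(printf '%s\n' "$SAMPLE_REGISTRY" | fg_accel_value)
gateway_verdict "$reg" "Accelerator Status : on" " 0 | Yes | 3" "Product: FloodGate-1"
```

On a gateway, feed fg_accel_value from $CPDIR/registry/HKLM_registry.data and pass the output of 'fwaccel stat', 'fw ctl multik stat' and 'fgate stat' to gateway_verdict. In a cluster, run it on every member and compare the verdicts.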

 
