Enabling QoS support for acceleration technologies (SecureXL and CoreXL)
Solution ID: sk98229
Technical Level:
Product: QoS, SecureXL, CoreXL
Version: R77.10 (EOL), R77.20, R77.30 (EOL)
OS: Gaia, SecurePlatform 2.6, Gaia Embedded
Platform / Model: All
Date Created: 10-Nov-2015
Last Modified: 15-Jul-2018
Solution
Table of Contents:
Introduction
Enabling support for QoS with SecureXL and CoreXL on Security Gateway
Disabling support for QoS with SecureXL and CoreXL on Security Gateway
Related documentation
Introduction
By default, QoS is not supported together with SecureXL and CoreXL on a Security Gateway. Either QoS or acceleration (SecureXL and/or CoreXL) can be used.
If only SecureXL is enabled on the Security Gateway (i.e., CoreXL is disabled), then enabling the QoS blade on the Security Gateway and installing the QoS policy will disable SecureXL and enable QoS.
If CoreXL is enabled on the Security Gateway, then installing the QoS policy will fail with the following error: "QoS cannot be enabled at the same time as CoreXL. Either remove QoS from the list of Software Blades, or use cpconfig to disable CoreXL."
Starting in R77.10, QoS support for SecureXL and CoreXL is included, but it is disabled by default. There is one exception: QoS express policy is not supported yet with SecureXL and CoreXL (QoS policy should be set to "Traditional mode": go to 'File' menu - click on 'New...' - check the box 'QoS' - check the box 'QoS policy (Recommended)').
Note: For Small and Medium Business Appliances running on Gaia Embedded OS, QoS support for SecureXL and CoreXL is included starting from the firmware R77.20.20, and it is enabled by default.
If you wish to enable QoS along with SecureXL and CoreXL on R77.10 Security Gateway, then follow the procedure below. Refer to R77.10 Quality of Service Administration Guide - Chapter 1 'Introduction to QoS' - Check Point's QoS Solution - Enabling QoS Acceleration Support.
If you have a QoS policy created on Security Management Server / Multi-Domain Security Management Server version R77 and below, then the following features are not supported when QoS acceleration is enabled:
Security Gateways running on IPSO OS
Security Gateways below R77.10
Citrix printing rules
UserAuthority Server
Multicast acceleration (multicast traffic will not be accelerated via SecureXL)
SmartView Monitor - QoS views do not correctly show traffic accelerated by SecureXL
In R80.10 and above, QoS acceleration is enabled by default, so this solution is not needed.
Enabling support for QoS with SecureXL and CoreXL on Security Gateway
If you do not add the required attribute ':FgWithAcceleration (1)' to the Check Point Registry, QoS policy installation returns the following error:
QoS cannot be enabled at the same time as CoreXL. Either remove QoS from the list of Software Blades, or use cpconfig to disable CoreXL.
Enable SecureXL in 'cpconfig' menu:
[Expert@HostName]# cpconfig
Select 'Enable Check Point SecureXL'.
Note: If you already have SecureXL enabled, then skip this step.
Enable and configure CoreXL in 'cpconfig' menu:
[Expert@HostName]# cpconfig
Select 'Check Point CoreXL' - configure the desired number of firewall instances.
Note: If you already have CoreXL enabled and configured, then skip this step.
Reboot the Security Gateway.
Connect with SmartDashboard to Security Management Server / Domain Management Server.
Open Security Gateway object - go to 'General Properties' pane - go to 'Network Security' tab - check the box 'QoS'.
Configure the QoS on the relevant interfaces (go to 'Topology' pane - select an interface - click on 'Edit...' - go to 'QoS' tab).
Install the policy (make sure that the 'QoS' policy is checked).
Check that SecureXL / CoreXL / QoS are enabled and working as expected.
Connect to command line on Security Gateway (over SSH, or console).
Log in to Expert mode.
Check the state and performance of SecureXL / CoreXL / QoS by running the following commands:
SecureXL
[Expert@HostName]# fwaccel stat
Example output:
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : disabled by user
[Expert@HostName]# fwaccel stats
Example output:
Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
Accelerated Path
------------------------------------------------------------------------------
accel packets        443192          accel bytes          63122102
conns created        53              conns deleted        23
C total conns        30              C templates          2
C TCP conns          27              C delayed TCP conns  20
C non TCP conns      3               C delayed nonTCP con 5
......output is truncated for brevity......
Disabling support for QoS with SecureXL and CoreXL on Security Gateway
Select 'Check Point CoreXL' - select 'Disable Check Point CoreXL'.
Reboot the Security Gateway.
Open Security Gateway object - go to 'General Properties' pane - go to 'Network Security' tab - uncheck the box 'QoS'.
Install the policy (make sure that the 'QoS' policy is unchecked).
Check the state of SecureXL / CoreXL / QoS.
Connect to command line on Security Gateway (over SSH, or console).
Log in to Expert mode.
Check the state of SecureXL / CoreXL / QoS by running the following commands:
SecureXL
[Expert@HostName]# fwaccel stat
Output if QoS blade was disabled in SmartDashboard:
Accelerator Status : off
Accelerator Features Mask : not available
Cryptography Features Mask : not available
Output if QoS blade is still enabled in SmartDashboard:
SecureXL acceleration cannot be started while FloodGate-1 is running in non accelerated mode
Accelerator Features Mask : not available
Cryptography Features Mask : not available
CoreXL
[Expert@HostName]# fw ctl multik stat
Output:
fw: CoreXL is disabled
QoS
[Expert@HostName]# fgate stat
Output if QoS blade was disabled in SmartDashboard:
FloodGate-1 service is not started, cannot obtain status (localhost).
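The three status checks above can be scripted as a post-change verification. This is an added example, not part of the original article or of Check Point's tooling: it classifies captured output of 'fwaccel stat', 'fw ctl multik stat' and 'fgate stat' using only the strings quoted in this article, and the function names and sample variables are assumptions.

```bash
#!/bin/bash
# Added example (not Check Point code). It matches only strings quoted in this
# article; any other output is reported as "other" for the operator to read.

# Classify `fwaccel stat` output read from stdin.
securexl_state() {
    sx_out=$(cat)
    if printf '%s\n' "$sx_out" | grep -q 'FloodGate-1 is running in non accelerated mode'; then
        echo blocked-by-qos   # QoS blade is still enabled in SmartDashboard
    elif printf '%s\n' "$sx_out" | grep -Eq 'Accelerator Status[[:space:]]*:[[:space:]]*on[[:space:]]*$'; then
        echo on
    elif printf '%s\n' "$sx_out" | grep -Eq 'Accelerator Status[[:space:]]*:[[:space:]]*off[[:space:]]*$'; then
        echo off
    else
        echo other
    fi
}

# Classify `fw ctl multik stat` output read from stdin.
corexl_state() {
    if grep -q 'CoreXL is disabled'; then echo disabled; else echo other; fi
}

# Classify `fgate stat` output read from stdin.
qos_state() {
    if grep -q 'FloodGate-1 service is not started'; then echo stopped; else echo other; fi
}

# Verdict for the disabling procedure from the three captured outputs.
disable_verdict() {   # $1=fwaccel stat, $2=fw ctl multik stat, $3=fgate stat
    dv_sx=$(printf '%s\n' "$1" | securexl_state)
    dv_cx=$(printf '%s\n' "$2" | corexl_state)
    dv_qos=$(printf '%s\n' "$3" | qos_state)
    case "$dv_sx/$dv_cx/$dv_qos" in
        off/disabled/stopped) echo complete ;;
        blocked-by-qos/*)     echo qos-blade-still-enabled ;;
        *)                    echo "review:$dv_sx/$dv_cx/$dv_qos" ;;
    esac
}

# Constructed sample captures, copied from the outputs quoted above.
SX_OFF='Accelerator Status : off
Accelerator Features Mask : not available'
SX_BLOCKED='SecureXL acceleration cannot be started while FloodGate-1 is running in non accelerated mode'
CX_OFF='fw: CoreXL is disabled'
QOS_OFF='FloodGate-1 service is not started, cannot obtain status (localhost).'

disable_verdict "$SX_OFF" "$CX_OFF" "$QOS_OFF"
disable_verdict "$SX_BLOCKED" "$CX_OFF" "$QOS_OFF"
```

On a gateway in Expert mode, the live output can be passed in instead of the samples: disable_verdict "$(fwaccel stat 2>&1)" "$(fw ctl multik stat 2>&1)" "$(fgate stat 2>&1)".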