CheckPoint - SecureXL, or CheckPoint acceleration
Alasta 19 December 2014 checkpoint Checkpoint Acceleration Commands
Description: an introduction to SecureXL.
SecureXL, or CheckPoint acceleration:
CheckPoint's acceleration feature is called SecureXL. Roughly speaking, it works like this: a packet goes up through the firewall's rule-base inspection; if the connection can be accelerated, the firewall creates a "connection template" covering similar packets, and subsequent connections are checked against these templates before being passed (only if necessary) through the rule base.
Explanation by example:
- a connection from 10.0.0.1:2000 to 11.0.0.1:80: connection establishment goes through the rule base, then the connection is accelerated.
- a connection from 10.0.0.1:2001 to 11.0.0.1:80: fully accelerated (including connection establishment).
- a connection from 10.0.0.1:8000 to 11.0.0.1:80: fully accelerated (including connection establishment).
HTTP requests to the server from the same source IP are accelerated.
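To make the template mechanism concrete, here is an added toy model written for this page (it is not Check Point code and does not reproduce the real SecureXL implementation). Following the example above, a template is keyed on source IP, destination IP, destination port and protocol, so the source port is deliberately left out; the first connection is matched against the rule base and creates the template, later connections hit the template and skip the rule-base lookup. The `templatable` attribute on a rule, the rule numbers and the addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    number: int
    dst: str
    dport: int
    proto: str
    action: str
    templatable: bool = True  # constructed attribute: False models a rule that
                              # SecureXL cannot turn into a template


@dataclass
class Firewall:
    rules: list
    templates: dict = field(default_factory=dict)
    rulebase_lookups: int = 0  # how many connections needed a full rule-base pass

    def _match_rule(self, dst, dport, proto):
        """First-match rule-base lookup (the slow path)."""
        self.rulebase_lookups += 1
        for r in self.rules:
            if r.dst == dst and r.dport == dport and r.proto == proto:
                return r
        return None  # nothing matched: implicit drop

    def new_connection(self, src, sport, dst, dport, proto="tcp"):
        """Return (action, path); path is 'template' or 'rulebase'."""
        key = (src, dst, dport, proto)  # source port excluded, as in the page example
        if key in self.templates:
            return self.templates[key], "template"
        rule = self._match_rule(dst, dport, proto)
        if rule is None:
            return "drop", "rulebase"
        if rule.templatable:
            # the next connection with the same key is served from the template
            self.templates[key] = rule.action
        return rule.action, "rulebase"


def run_page_example():
    """The three connections from the example above: one lookup, then templates."""
    fw = Firewall(rules=[Rule(1, "11.0.0.1", 80, "tcp", "accept")])
    results = [
        fw.new_connection("10.0.0.1", 2000, "11.0.0.1", 80),
        fw.new_connection("10.0.0.1", 2001, "11.0.0.1", 80),
        fw.new_connection("10.0.0.1", 8000, "11.0.0.1", 80),
    ]
    return results, fw.rulebase_lookups


def run_non_templatable():
    """A rule that cannot be templated sends every new connection to the rule base."""
    fw = Firewall(rules=[Rule(22, "11.0.0.2", 443, "tcp", "accept", templatable=False)])
    first = fw.new_connection("10.0.0.1", 2000, "11.0.0.2", 443)
    second = fw.new_connection("10.0.0.1", 2001, "11.0.0.2", 443)
    return first, second, fw.rulebase_lookups


if __name__ == "__main__":
    print(run_page_example())
    print(run_non_templatable())
```

The second function is the situation the `fwaccel stat` output later on the page reports as `disabled from rule #N`: once a connection lands on a rule that cannot be templated, no template is created and every new connection of that kind pays for a rule-base lookup.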
SecureXL limitations and restrictions
Syntax of the fwaccel command:
Status
```
$ fwaccel stat
Accelerator Status : off
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, VirtualDefrag, GenerateIcmp,
                       IdleDetection, Sequencing, TcpStateDetect,
                       AutoExpire, DelayedNotif, TcpStateDetectV2,
                       McastRouting, WireMode, Streaming, MultiFW
Cryptography Features Mask : not available
```
Here SecureXL is disabled; the following is an example where it is enabled:
```
$ fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall
                   disabled from rule #22
Drop Templates : disabled
NAT Templates : disabled by Firewall
                disabled from rule #22
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, WireMode,
                       DropTemplates, NatTemplates, Streaming
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, NatTraversal
```
Acceleration stops as soon as a packet matches a rule that cannot be accelerated (the `disabled from rule #22` lines above show from which rule template creation is disabled).
The rule base therefore has to be optimised accordingly.
Enable
```
$ fwaccel on
```
Disable
```
$ fwaccel off
```
Stats
```
$ fwaccel stats
Name                 Value           Name                 Value
-------------------- --------------- -------------------- ---------------
conns created        343916          conns deleted        343904
temporary conns      0               templates            0
nat conns            0               accel packets        28323057
accel bytes          1132922280      F2F packets          967733
ESP enc pkts         0               ESP enc err          0
ESP dec pkts         0               ESP dec err          0
ESP other err        0               espudp enc pkts      0
espudp enc err       0               espudp dec pkts      0
espudp dec err       0               espudp other err     0
AH enc pkts          0               AH enc err           0
AH dec pkts          0               AH dec err           0
AH other err         0               memory used          0
free memory          0               acct update interval 3600
current total conns  12              TCP violations       0
conns from templates 0               TCP conns            5
delayed TCP conns    0               non TCP conns        7
delayed nonTCP conns 0               F2F conns            6
F2F bytes            111808742       crypt conns          0
enc bytes            0               dec bytes            0
partial conns        0               anticipated conns    0
dropped packets      0               dropped bytes        0
nat templates        0               port alloc templates 0
conns from nat tmpl  0               port alloc conns     0
port alloc f2f       0               PXL templates        0
PXL conns            0               PXL packets          0
PXL bytes            0               PXL async packets    0
```
```
$ fwaccel stats -h
Usage: fwaccel stats <options>
Options:
  -s - print only statistics summary
  -d - drop from device statistics
  -h - this help message
```
```
$ fwaccel stats -s
Accelerated conns/Total conns : 6/11 (54%)
Accelerated pkts/Total pkts : 28323782/29291579 (96%)
F2Fed pkts/Total pkts : 967797/29291579 (3%)
PXL pkts/Total pkts : 0/29291579 (0%)
```
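In practice one wants to check `fwaccel stat` and `fwaccel stats -s` regularly rather than read them by hand: is the accelerator on, from which rule are templates disabled, and what share of packets still takes the slow path. The following parser is an added example written for this page (not a Check Point tool); it is fed the two outputs shown above as constructed sample text, so it runs offline. The 80 % threshold in `health_findings` is an assumed, arbitrary value to tune per gateway.

```python
import re

# Constructed sample: the `fwaccel stat` output shown above, pasted in as text.
SAMPLE_STAT = """\
Accelerator Status : on
Accept Templates : disabled by Firewall
                   disabled from rule #22
Drop Templates : disabled
NAT Templates : disabled by Firewall
                disabled from rule #22
Accelerator Features : Accounting, NAT, Cryptography, Routing,
"""

# Constructed sample: the `fwaccel stats -s` output shown above.
SAMPLE_STATS_S = """\
Accelerated conns/Total conns : 6/11 (54%)
Accelerated pkts/Total pkts : 28323782/29291579 (96%)
F2Fed pkts/Total pkts : 967797/29291579 (3%)
PXL pkts/Total pkts : 0/29291579 (0%)
"""


def parse_stat(text):
    """Extract the accelerator status and the state of each template type."""
    info = {"status": None, "templates": {}}
    current = None  # template type whose continuation line we may be reading
    for line in text.splitlines():
        m = re.match(r"\s*Accelerator Status\s*:\s*(\w+)", line)
        if m:
            info["status"] = m.group(1).lower()
            continue
        m = re.match(r"\s*(Accept|Drop|NAT) Templates\s*:\s*(.+?)\s*$", line)
        if m:
            current = m.group(1)
            info["templates"][current] = {"state": m.group(2), "rule": None}
            continue
        # "disabled from rule #N" is printed on its own line under the template type
        m = re.search(r"disabled from rule #(\d+)", line)
        if m and current is not None:
            info["templates"][current]["rule"] = int(m.group(1))
    return info


def parse_stats_summary(text):
    """Return {label: (accelerated, total, percent)} for each 'x/Total y' line."""
    ratios = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)/Total \w+\s*:\s*(\d+)/(\d+)", line)
        if m:
            num, den = int(m.group(2)), int(m.group(3))
            # recompute the percentage instead of trusting the printed one
            ratios[m.group(1)] = (num, den, (100 * num // den) if den else 0)
    return ratios


def health_findings(stat, summary, min_accel_pct=80):
    """Human-readable findings; an empty list means nothing to report."""
    findings = []
    if stat["status"] != "on":
        findings.append("SecureXL is off: every packet takes the slow path")
    for kind, t in stat["templates"].items():
        if t["rule"] is not None:
            findings.append(
                f"{kind} templates disabled from rule #{t['rule']}: "
                "review the rule base from that rule onwards"
            )
    pkts = summary.get("Accelerated pkts")
    if pkts and pkts[2] < min_accel_pct:
        findings.append(f"only {pkts[2]}% of packets are accelerated")
    return findings


if __name__ == "__main__":
    stat = parse_stat(SAMPLE_STAT)
    summary = parse_stats_summary(SAMPLE_STATS_S)
    for finding in health_findings(stat, summary):
        print(finding)
```

On the sample above the parser reports that both the Accept and the NAT templates are disabled from rule #22, while the 96 % packet acceleration rate is above the threshold and is not flagged.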
Field descriptions:

| Statistic parameter | Explanation |
|---|---|
| conns created | Number of created connections |
| conns deleted | Number of deleted connections |
| temporary conns | Number of temporary connections |
| templates | Number of templates currently handled |
| nat conns | Number of NAT connections |
| accel packets | Number of accelerated packets |
| accel bytes | Number of accelerated traffic bytes |
| F2F packets | Number of packets handled by the VPN kernel in slow-path |
| ESP enc pkts | Number of ESP encrypted packets |
| ESP enc err | Number of ESP encrypted errors |
| ESP dec pkts | Number of ESP decrypted packets |
| ESP dec err | Number of ESP decrypted errors |
| ESP other err | Number of ESP other general errors |
| espudp enc pkts | Not in use |
| espudp enc err | Not in use |
| espudp dec pkts | Not in use |
| espudp dec err | Not in use |
| espudp other err | Not in use |
| AH enc pkts | Not in use |
| AH enc err | Not in use |
| AH dec pkts | Not in use |
| AH dec err | Not in use |
| AH other err | Not in use |
| memory used | Not in use |
| free memory | Not in use |
| acct update interval | Accounting update interval in seconds |
| current total conns | Number of connections currently handled |
| TCP violations | Number of packets which are in violation of the TCP state |
| conns from templates | Number of connections created from templates |
| TCP conns | Number of TCP connections currently handled |
| delayed TCP conns | Number of delayed TCP connections currently handled |
| non TCP conns | Number of non TCP connections currently handled |
| delayed nonTCP conns | Number of delayed non TCP connections currently handled |
| F2F conns | Number of connections currently handled by the VPN kernel in slow-path |
| F2F bytes | Number of traffic bytes handled by the VPN kernel in slow-path |
| crypt conns | Number of encrypted connections currently handled |
| enc bytes | Number of encrypted traffic bytes |
| dec bytes | Number of decrypted traffic bytes |
| partial conns | Number of partial connections currently handled |
| anticipated conns | Number of anticipated connections currently handled |
| dropped packets | Number of dropped packets |
| dropped bytes | Number of dropped traffic bytes |
| nat templates | Not in use |
| port alloc templates | Not in use |
| conns from nat tmpl | Not in use |
| port alloc conns | Not in use |
| port alloc f2f | Not in use |
| PXL templates | Number of PXL templates |
| PXL conns | Number of PXL connections |
| PXL packets | Number of PXL packets |
| PXL bytes | Number of PXL traffic bytes |
| PXL async packets | Number of PXL packets handled asynchronously |
Connections
```
$ fwaccel conns
Source          SPort Destination     DPort PR Flags    C2S i/f S2C i/f Inst
--------------- ----- --------------- ----- -- -------- ------- ------- ----
1.1.1.1         42774 1.1.1.2         161   17 F....... 1/1     -/-     NA
2.2.2.2         514   3.3.3.3         514   17 .U...... 2/3     3/2     NA
3.3.3.5         514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
1.1.1.4         257   1.1.1.2         49340 6  F....... 1/1     1/-     NA
2.2.2.2         514   3.3.3.22        514   17 .U...... 2/3     3/2     NA
3.3.3.3         514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
3.3.3.8         514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
1.1.1.2         49340 1.1.1.4         257   6  F....... 1/1     1/-     NA
1.1.1.2         18192 1.1.1.4         42368 6  F....... 1/1     -/-     NA
1.1.1.4         52136 1.1.1.2         18192 6  F....... 1/1     -/-     NA
1.1.1.2         18192 1.1.1.4         52136 6  F....... 1/1     -/-     NA
1.1.1.1         50186 1.1.1.2         0     1  F....... 1/1     -/-     NA
2.2.2.2         514   3.3.3.8         514   17 .U...... 2/3     2/3     NA
1.1.1.4         42368 1.1.1.2         18192 6  F....... 1/1     -/-     NA
3.3.3.22        514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
2.2.2.2         514   3.3.3.5         514   17 .U...... 2/3     3/2     NA
1.1.1.88        38677 1.1.1.2         22    6  F....... 1/1     -/-     NA
1.1.1.2         161   1.1.1.1         42774 17 F....... 1/1     -/-     NA
1.3.3.77        514   2.2.2.2         514   17 .U...... 1/2     2/1     NA
2.2.2.2         514   3.3.3.63        514   17 .U...... 2/3     3/2     NA
1.1.1.2         22    1.1.1.88        38677 6  F....... 1/1     -/-     NA
2.2.2.2         514   3.3.3.77        514   17 .U...... 2/3     3/2     NA
1.1.1.2         0     1.1.1.1         50186 1  F....... 1/1     -/-     NA
3.3.3.63        514   2.2.2.2         514   17 .U...... 3/2     2/3     NA

Idx Interface
--- ---------
0   eth2c4
1   eth2c3
2   eth2c2
3   eth2c1
4   eth1c0

Total number of connections: 24
```
```
$ fwaccel conns -h
Usage: fwaccel conns <options>
Options:
  -m <max entries> - max number of entries to print
  -f <filter>      - print only entries matching the filter
  -s               - print only number of connections
  -h               - this help message
Filter (one or more of the above flags):
  F/f - forwarded to firewall/cut-through
  U/u - unidirectional/bidirectional
  N/n - entries with/without NAT
  A/a - accounted/not accounted
  C/c - encrypted/not encrypted
  P/p - partial/not partial
  S/s - pxl enabled/disabled
```
```
$ fwaccel conns -s
There are 52 connections in SecureXL connections table
```
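The `Flags` column is what tells you whether a connection is actually accelerated: an `F` means it is forwarded to the firewall (slow path), a `.` in that position means cut-through, and the other letters follow the legend printed by `fwaccel conns -h`. The parser below is an added example written for this page (not a Check Point tool). It reads an excerpt of the `fwaccel conns` output above, embedded as constructed sample text, resolves the `C2S i/f` and `S2C i/f` indexes against the `Idx Interface` table, and summarises which connections take the slow path. That the two numbers in an `i/f` field are an inbound/outbound interface index pair is an assumption made for this example; the page does not document the field.

```python
import re
from collections import Counter

# Constructed sample: an excerpt (8 of the 24 rows) of the `fwaccel conns`
# output shown above, plus its complete interface index table.
SAMPLE_CONNS = """\
Source          SPort Destination     DPort PR Flags    C2S i/f S2C i/f Inst
--------------- ----- --------------- ----- -- -------- ------- ------- ----
1.1.1.1         42774 1.1.1.2         161   17 F....... 1/1     -/-     NA
2.2.2.2         514   3.3.3.3         514   17 .U...... 2/3     3/2     NA
1.1.1.4         257   1.1.1.2         49340 6  F....... 1/1     1/-     NA
1.1.1.2         49340 1.1.1.4         257   6  F....... 1/1     1/-     NA
1.1.1.88        38677 1.1.1.2         22    6  F....... 1/1     -/-     NA
1.1.1.2         22    1.1.1.88        38677 6  F....... 1/1     -/-     NA
3.3.3.5         514   2.2.2.2         514   17 .U...... 3/2     2/3     NA
1.1.1.1         50186 1.1.1.2         0     1  F....... 1/1     -/-     NA

Idx Interface
--- ---------
0   eth2c4
1   eth2c3
2   eth2c2
3   eth2c1
4   eth1c0

Total number of connections: 24
"""

# Upper-case letters from the `fwaccel conns -h` legend; a '.' means the flag is unset.
FLAG_LEGEND = {
    "F": "forwarded to firewall",
    "U": "unidirectional",
    "N": "NAT",
    "A": "accounted",
    "C": "encrypted",
    "P": "partial",
    "S": "pxl enabled",
}

CONN_RE = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([A-Za-z.]{8})"
    r"\s+(\S+/\S+)\s+(\S+/\S+)\s+(\S+)\s*$"
)
IDX_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # "1   eth2c3"


def parse_conns(text):
    """Return one dict per connection row, with flags decoded and interfaces resolved."""
    ifaces, rows = {}, []
    for line in text.splitlines():
        m = IDX_RE.match(line)
        if m:
            ifaces[m.group(1)] = m.group(2)
            continue
        m = CONN_RE.match(line)
        if m:
            rows.append(m.groups())

    def iface_pair(spec):
        # assumed meaning: "<in idx>/<out idx>", '-' when no interface applies
        return tuple(None if i == "-" else ifaces.get(i, f"idx{i}") for i in spec.split("/"))

    conns = []
    for src, sport, dst, dport, pr, flags, c2s, s2c, inst in rows:
        conns.append({
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": int(pr),
            "flags": [FLAG_LEGEND.get(c, c) for c in flags if c != "."],
            "c2s": iface_pair(c2s), "s2c": iface_pair(s2c), "inst": inst,
        })
    return conns


def summarise(conns):
    """Count slow-path vs cut-through connections, and slow-path ones per IP protocol."""
    slow = [c for c in conns if "forwarded to firewall" in c["flags"]]
    return {
        "total": len(conns),
        "forwarded_to_firewall": len(slow),
        "cut_through": len(conns) - len(slow),
        "slow_path_by_proto": dict(Counter(c["proto"] for c in slow)),
    }


if __name__ == "__main__":
    parsed = parse_conns(SAMPLE_CONNS)
    print(summarise(parsed))
    for c in parsed:
        print(c["src"], c["dst"], c["dport"], c["flags"], c["c2s"])
```

Grouping the `F` connections by protocol or destination port is a quick way to see which traffic the rule base is keeping off the fast path; in the sample, all of the forwarded connections are TCP, ICMP and SNMP flows between the 1.1.1.x hosts, while the syslog (514/udp) flows are cut-through.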
Other resources:
More details on SecureXL
CheckPoint - more details on SecureXL - sk98348
CheckPoint - various commands and explanations
CheckPoint - debugging help - sk33781