If you have SecureXL enabled, is it used in place of the onboard accelerator on 
an IP 350/380? Can anyone verify?

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Jerome
Sent: Thursday, November 16, 2006 9:50 AM
To: [email protected]
Subject: [FW-1] RE : Re: [FW-1] VPN acceleration card on IP380 and IPSO4.1 build 19

Hi,

Nokia FLOWS must be disabled with SecureXL. Do you see
that Nokia FLOWS is disabled during cpstart?
You can verify the FLOWS acceleration state with the
ipsctl command.

Also SecureXL has some limitations and rule ordering
in the policy is important:
"Templates : disabled by FireWall-1 starting from
 rule #7"
Rules with FTP, H323, Security Servers should be
placed at the end of the rule base. In your rule base
connection establishment acceleration stops at rule
#7.

I'm not a SecureXL specialist, but for me, if
connection establishment rate is not important for
you, you'd better use Nokia FLOWS. Connection
throughput will still be accelerated without having
the SecureXL limitations.

Regards

--- cisco4ng <[EMAIL PROTECTED]> wrote:

> Hi Gary/Hugo,
> Thanks a lot for your help.  Here is my situation:
> 
> 1) the box is a fresh install of IPSO 4.1 build 19 with NGx R61 w/ HFA_01.
> 2) I disable Floodgate.
> 3) Both the Provider-1 and the Nokia are running on Checkpoint provided eval
> license so there is NO licensing issue.
> 4) repush the policy
> 5) reboot the Nokia.
> 6) turn on SecureXL with "fwaccel on"
> 7) here is "fwaccel stat" output:
> NGxR61-1-P[admin]# fwaccel stat
> Accelerator Status : on
> Templates : disabled by FireWall-1 starting from rule #7
> Accelerator Features : Accounting, NAT, Cryptography, Routing,
>                        HasClock, Templates, VirtualDefrag, GenerateIcmp,
>                        IdleDetection, Sequencing, TcpStateDetect,
>                        AutoExpire, DelayedNotif, McastRouting,
>                        WireMode
> Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
>                         3DES, DES, ESP, LinkSelection, DynamicVPN,
>                         NatTraversal, EncRouting
> NGxR61-1-P[admin]#
> 
> 8) I have NO add-on VPN acceleration card, only the built-in on this IP380.
> 9) Under Voyager "Cryptographic Hardware Acceleration Configuration for VPN-1", I see it being
> turned on as  up,
> 10)  Under voyager monitoring, "I do not see it 0 packets encrypted and decrypted".
> 
> 
> 
> 
> Gary Scott <[EMAIL PROTECTED]> wrote:
> I ran into the same thing with a pair of 350's that were scratch
> installed with 3.9 and R60, 1 unit showed the option in voyager while
> the other did not. This may/may not apply for you...entering the link
> below did show the accelerator option and it was enabled there.
> 
> -GS
> 
> enter the following Voyager configuration page in a web
> browser and enable the accelerator if possible? 
> The link is
> 
> http:///cgi-bin/ubsec_config.tcl?package=/opt/CPsuite-R60/fw1
> 
> 
> Question...." Could you clarify? With the 350 it comes with an onboard
> accelerator that is non-configurable, with the 380 you can have an additional
> accelerator card installed along with the onboard accelerator, only then
> should you see any option in voyager for the accelerator. 
> Am I way off base? When should we see the option for the accelerator in
> voyager?"
> 
> Answer....You are correct about the accelerator that is onboard the
> IP350 & IP380.
> However, the accelerator options will appear for both IP350 & IP380.
> As it is, there are 2 drivers for the Broadcom accelerator card that you
> have, Luna & SecureXL API. If you have activated the Luna API for the
> accelerator card, the option will appear in Voyager. However, if you had
> turned on SecureXL, SecureXL will take over the Luna API functionality
> as SecureXL is much faster than Luna. If this is the case, the option
> will disappear from Voyager.
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng
> Sent: Wednesday, November 15, 2006 2:49 PM
> To: [email protected]
> Subject: Re: [FW-1] VPN acceleration card on IP380 and IPSO4.1 build 19
> 
> This is the Nokia so I don't think Performance Pack applied here.
> Anyway, here is the output from "manage packages":
> 
> [input] On [input] Off   Check Point VPN-1 Pro/Express NGX R61 (Mon Mar  6 10:56:42 IST 2006 Build 602000207)   /opt/CPsuite-R61
> 
> Applications   Enable   Package Name   Directory
> [input] On [input] Off   Check Point R55W Compatibility Package for NGX (Tue Jan 10 08:24:05 IST 2006 Build 602000102)   /opt/CPR55WCmp-R61
> [input] On [input] Off   Check Point CPinfo (Thu Dec 22 14:03:00 IST 2005 Build 911000031)   /opt/CPinfo-10
> [input] On [input] Off   R55 Compatibility Package for NGX (Sun Feb 19 13:55:17 IST 2006 Build 602000103)   /opt/CPngcmp-R61
> [input] On [input] Off   Check Point Eventia Reporter NGX R61 (Sun Feb 19 02:58:02 IST 2006 Build 602000183)   /opt/CPrt-R61
> [input] On [input] Off   Check Point UserAuthority Server NGX R61 (Thu Feb  2 19:49:41 IST 2006 Build 602000106)   /opt/CPuag-R61
> [input] On [input] Off   Check Point VSX NGX Compatibility Package for VSX NGX (Sun Feb  5 16:53:17 IST 2006 Build 602000104)   /opt/CPvsxngxcmp-R61
> [input] On [input] Off   IPRG Unsupported tools
> 
> Juan Concepcion wrote:
> 
> You have performance pack off correct?
> 
> Juan
> 
> cisco4ng wrote:
> > All,
> >   can someone explain this to me?
> >   I have an IP380 running IPSO 4.1 build 019 with NGx R61 with HFA_01. This IP380,
> >   as I understand it, has a built-in VPN acceleration card which I can see from Voyager.
> >   I enable the VPN acceleration card via voyager under "crypto hardware acceleration",
> >   repush the policy and reboot the IP380.  In voyager, it tells me that the vpn acceleration
> >   card model is "/dev/hwa0 5802"
> >
> >   I have a site-to-site VPN from this IP380 to another Nokia IP710 running NG Feature
> >   Pack 3 with HFA_327.  The site-to-site VPN is "3des/MD5 with DH group 2".
> >
> >   The VPN is working fine but when I go into "cryptographic hardware acceleration
> >   statistics", I see nothing but zero.  This was NOT the case when the IP380 is
> >   running IPSO 3.7.1 build 025 with NG Feature Pack 3 HFA_327.  I can see the
> >   packets being processed by the vpn acceleration card.
> >
> >   Does it mean that ipso4.1/NGx R61 will ignore the built in vpn acceleration card on
> >   the IP380?  What am I missing here?  I understand that the built-in will NOT support
> >   AES-256 but I am using 3DES/MD5 but it does work in IPSO 3.71. build 25 with NG
> >   Feature Pack 3 HFA_327 so I must be missing something here.
> >
> 
=== message truncated ===
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
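
The "Templates : disabled by FireWall-1 starting from rule #7" line discussed in the thread can be checked mechanically. The script below is an added example, not written by anyone in the thread and not part of Check Point or Nokia tooling; the function names are hypothetical and the parsing assumes the `fwaccel stat` field layout quoted above.

```shell
#!/bin/sh
# Added example, not from the thread's authors. Field names follow the
# `fwaccel stat` output quoted above; other releases may differ.

# Sample input: the thread's output, feature lists abridged.
sample_stat() {
cat <<'EOF'
Accelerator Status : on
Templates : disabled by FireWall-1 starting from rule #7
Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, VirtualDefrag
EOF
}

# Print one "Name : value" field, joining continuation lines so that
# mail-wrapped output ("... starting from" / "rule #7") still parses.
stat_field() {
    awk -v want="$1" '
        /^[A-Za-z][A-Za-z ]* : / {          # start of a new field
            if (hit) exit
            name = $0; sub(/ : .*/, "", name)
            if (name == want) { hit = 1; val = $0; sub(/^[^:]*: */, "", val) }
            next
        }
        hit { line = $0; sub(/^[ \t]+/, "", line); val = val " " line }
        END { if (hit) print val }'
}

# Print the rule number where templates stop; return 1 if none reported.
template_cutoff_rule() {
    stat_field "Templates" |
        sed -n 's/.*disabled.*rule #\([0-9][0-9]*\).*/\1/p' | grep .
}

# Return 0: templates cover the rule base, 1: cut-off found, 2: SecureXL off.
check_securexl() {
    out=$(cat)
    st=$(printf '%s\n' "$out" | stat_field "Accelerator Status")
    [ "$st" = "on" ] || { echo "SecureXL not on (status: ${st:-unknown})"; return 2; }
    if rule=$(printf '%s\n' "$out" | template_cutoff_rule); then
        echo "templates stop at rule $rule; later rules get no connection-setup acceleration"
        return 1
    fi
    echo "templates active for the whole rule base"
}

sample_stat | check_securexl || true
```

On a gateway the same check would read live output, as in `fwaccel stat | check_securexl`.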