Traffic from source 192.168.1.1 is going to www.google.com. The Application Control Blade on the gateway is inspecting the traffic. Assuming acceleration is enabled which path is handling the traffic?
B is correct.
• Firewall Path — Packets and connections that are inspected by the Firewall. These
packets and connections are not processed by SecureXL. This path is also referred to as
the Slow Path.
• Medium Path — Packets that cannot use the accelerated path because they require
deeper inspection. Although it is not necessary for the Firewall to inspect these packets,
they can be offloaded by another feature. For example, packets that are examined by
IPS cannot use the accelerated path and can be offloaded to the IPS Passive Streaming
Library (PSL), which provides stream reassembly for TCP connections. As a result,
SecureXL processes these packets quicker than packets on the slow path.
PXL pkts/Total pkts: This shows how many packets were not able to be completely
handled by the Accelerated Path, but did not need to travel the full Firewall Path. The
PXL path is known as the Medium Path, and is generally used to inspect traffic for IPS
signatures but can also involve the firewall features Application Control/URL filtering,
Anti-Virus/Anti-bot/Threat Emulation, and DLP.
B is answer
Correct Answer is B
Medium Path PSLXL & CPASXL– When SecureXL is enabled but packets cannot be accelerated, as they require further inspection by some blade such as IPS, Application Control, URL Filtering etc., a medium path is used. This path prevents a trip through all the irrelevant modules of the F2F path and directly sends packets to the Passive Streaming Layer (PSL) or the Check Point Active Streaming (CPAS) modules. The path that SecureXL uses to send packets to the PSL is called PSLXL, which is used for deeper inspection for IPS, Application Control, URL Filtering etc. In this path the gateway can do the inspection passively but cannot make changes or insert data in the stream. The path that SecureXL uses to send packets to the CPAS is called CPASXL, which is used by modules like Anti- Virus, HTTPS Inspection, VoIP, DLP etc. This module works like a transparent proxy, breaking the connection and acting as man- in- the- middle. This way it has complete control of the to connection and can make changes to the data inside the application.
B is correct.
Why?
Because I am using the exact same configuration in my home network.
Most of my traffic at home is HTTPS, and I have a sublayer for that with high and critical risk categories enabled.
These utulize both Application control and URLF.
my fwaccel stats -s command says that 99 % is passing PSLXL path.
PSLXL, the new PXL, is Medium path, so B is correct.
Meant no acceleration in slowpath/firewall path. https://community.checkpoint.com/t5/General-Topics/Security-Gateway-Packet-Flow-and-Acceleration-with-Diagrams/td-p/40244
The answer is A:
When SecureXL is enabled, all packets should be accelerated, except packets that match the following conditions:
....
All packets that match a rule with a Security Server (e.g., Authentication, Anti-Virus, URL Filtering, Anti-Spam).
....
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk32578
According to this link below, the AC module is in the medium path (so B is the answer):
https://community.checkpoint.com/t5/General-Topics/R80-x-Security-Gateway-Architecture-Logical-Packet-Flow/td-p/41747
Any traffic that use a blade that needs a content inspection like application control : where we need the content manager infrastructer CMI (in our case CMI will use Protocol parser, Classifier, observer and Handler and other component of the CMI to control application traffic )will go to medium path.
Hence B is the correct answer.
I wanted to mark Slow path as traffic firstly needs to be matched against Firewall rule base. But I have 2 problems with it:
1st: Not sure if the name Slow Path is valid(it should be named Firewall path, shouldn't it?
2nd: juancho_ckp's explanations is very convincing
Medium Path.
Run "fwaccel conns | grep 443" (or 80) on any firewall with app control and you'll see all connections there with an S flag. Which means medium-path/inspection.
In regards to previous comments.
(C) There is no fast path on 80+ it is called accelerated path.
(D) is not valid here, because 'application control is inspecting the traffic' meaning this traffic is being inspected, thus it is in the kernel, in the fw_worker.
Which leaves us with firewall path and medium path;
from performance tuning admin guide 80.20:
Medium Path (PXL)
The CoreXL layer passes the packet to one of the CoreXL Firewall instances to process it. Even when CoreXL is disabled, the SecureXL uses the CoreXL infrastructure to send the packet to the single FW instance that still functions. When the Medium Path is available, the SecureXL fully accelerates the TCP handshake. Rule Base match is achieved for the
yada yada...
Exceptions are:
yada yada...
Application Control
yada yada.....
which leaves us with slow path answer.
Discarding the least matching options (1/2):
Slow Path (Firewal path or F2F): This path is used when the packet flow cannot be accelerated.
Now, sk32578 states: "When SecureXL is enabled, all packets should be accelerated, except packets that match the following conditions"; Application Control traffic matched does not match as a condition that disables acceleration. For me, this statement implies that Application Control traffic is accelerated by default (unless any of the conditions stated in sk32578 exists in app coontrol rules).
This leaves only Accelerated Traffic (option D) as an available (and matching) correct answer. Or this is another ambigous and annoying bad constructed question from CCSE exam.
Discarding the least matching options (1/2):
Medium path (PXL) - Packet flow when the packet is handled by the SecureXL device, except for IPS (some protections) / VPN (in some configurations) / Application Control / Content Awareness / Anti-Virus / Anti-Bot / HTTPS Inspection / Proxy mode / Mobile Access / VoIP / Web Portals. So... Medium path might be discarded because packet flow is excepted for Application control blade.
Fast Path: Does not exist in SecureXL architecture, so.. Fast Path discarded.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
bobby14
Highly Voted 2 years, 10 months agoDriVen
4 months, 2 weeks agolukzka
Most Recent 2 weeks, 4 days agopepso100
7 months, 1 week agoaharihara
1 year, 2 months agohenkpoa
1 year, 3 months agolordlich
1 year, 4 months agolordlich
1 year, 4 months agoATHOOS
1 year, 7 months agoEduKeter
1 year, 9 months agoEduKeter
1 year, 9 months agoAl789789
1 year, 10 months agodaem0n
1 year, 8 months agofvxtkwvylevvouexvf
1 year, 11 months agoAychi
2 years, 7 months agokyky123ko
2 years, 7 months agorr80
2 years, 7 months agojuancho_ckp
2 years, 8 months agoarvendel
2 years, 9 months agoBerzerk
2 years, 10 months agoBerzerk
2 years, 10 months ago