Exam 156-315.80 topic 1 question 138 discussion

Correct answer is B not A. trust me !

B is correct. • Firewall Path — Packets and connections that are inspected by the Firewall. These packets and connections are not processed by SecureXL. This path is also referred to as the Slow Path. • Medium Path — Packets that cannot use the accelerated path because they require deeper inspection. Although it is not necessary for the Firewall to inspect these packets, they can be offloaded by another feature. For example, packets that are examined by IPS cannot use the accelerated path and can be offloaded to the IPS Passive Streaming Library (PSL), which provides stream reassembly for TCP connections. As a result, SecureXL processes these packets quicker than packets on the slow path.

PXL pkts/Total pkts: This shows how many packets were not able to be completely handled by the Accelerated Path, but did not need to travel the full Firewall Path. The PXL path is known as the Medium Path, and is generally used to inspect traffic for IPS signatures but can also involve the firewall features Application Control/URL filtering, Anti-Virus/Anti-bot/Threat Emulation, and DLP. B is answer

Correct Answer is B Medium Path PSLXL & CPASXL– When SecureXL is enabled but packets cannot be accelerated, as they require further inspection by some blade such as IPS, Application Control, URL Filtering etc., a medium path is used. This path prevents a trip through all the irrelevant modules of the F2F path and directly sends packets to the Passive Streaming Layer (PSL) or the Check Point Active Streaming (CPAS) modules. The path that SecureXL uses to send packets to the PSL is called PSLXL, which is used for deeper inspection for IPS, Application Control, URL Filtering etc. In this path the gateway can do the inspection passively but cannot make changes or insert data in the stream. The path that SecureXL uses to send packets to the CPAS is called CPASXL, which is used by modules like Anti- Virus, HTTPS Inspection, VoIP, DLP etc. This module works like a transparent proxy, breaking the connection and acting as man- in- the- middle. This way it has complete control of the to connection and can make changes to the data inside the application.

B is correct. Why? Because I am using the exact same configuration in my home network. Most of my traffic at home is HTTPS, and I have a sublayer for that with high and critical risk categories enabled. These utulize both Application control and URLF. my fwaccel stats -s command says that 99 % is passing PSLXL path. PSLXL, the new PXL, is Medium path, so B is correct.

Slow Path

Answer should be B

This is surely medium path. There is no acceleration in Fastpath/Fw path.

The answer is A: When SecureXL is enabled, all packets should be accelerated, except packets that match the following conditions: .... All packets that match a rule with a Security Server (e.g., Authentication, Anti-Virus, URL Filtering, Anti-Spam). .... https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk32578

According to this link below, the AC module is in the medium path (so B is the answer): https://community.checkpoint.com/t5/General-Topics/R80-x-Security-Gateway-Architecture-Logical-Packet-Flow/td-p/41747

Any traffic that use a blade that needs a content inspection like application control : where we need the content manager infrastructer CMI (in our case CMI will use Protocol parser, Classifier, observer and Handler and other component of the CMI to control application traffic )will go to medium path. Hence B is the correct answer.

if there was a picture with GW(192.168.1.1), then it is Slow Path :)

I wanted to mark Slow path as traffic firstly needs to be matched against Firewall rule base. But I have 2 problems with it: 1st: Not sure if the name Slow Path is valid(it should be named Firewall path, shouldn't it? 2nd: juancho_ckp's explanations is very convincing

Medium Path. Run "fwaccel conns | grep 443" (or 80) on any firewall with app control and you'll see all connections there with an S flag. Which means medium-path/inspection.

In regards to previous comments. (C) There is no fast path on 80+ it is called accelerated path. (D) is not valid here, because 'application control is inspecting the traffic' meaning this traffic is being inspected, thus it is in the kernel, in the fw_worker. Which leaves us with firewall path and medium path; from performance tuning admin guide 80.20: Medium Path (PXL) The CoreXL layer passes the packet to one of the CoreXL Firewall instances to process it. Even when CoreXL is disabled, the SecureXL uses the CoreXL infrastructure to send the packet to the single FW instance that still functions. When the Medium Path is available, the SecureXL fully accelerates the TCP handshake. Rule Base match is achieved for the yada yada... Exceptions are: yada yada... Application Control yada yada..... which leaves us with slow path answer.

Discarding the least matching options (1/2): Slow Path (Firewal path or F2F): This path is used when the packet flow cannot be accelerated. Now, sk32578 states: "When SecureXL is enabled, all packets should be accelerated, except packets that match the following conditions"; Application Control traffic matched does not match as a condition that disables acceleration. For me, this statement implies that Application Control traffic is accelerated by default (unless any of the conditions stated in sk32578 exists in app coontrol rules). This leaves only Accelerated Traffic (option D) as an available (and matching) correct answer. Or this is another ambigous and annoying bad constructed question from CCSE exam.

Discarding the least matching options (1/2): Medium path (PXL) - Packet flow when the packet is handled by the SecureXL device, except for IPS (some protections) / VPN (in some configurations) / Application Control / Content Awareness / Anti-Virus / Anti-Bot / HTTPS Inspection / Proxy mode / Mobile Access / VoIP / Web Portals. So... Medium path might be discarded because packet flow is excepted for Application control blade. Fast Path: Does not exist in SecureXL architecture, so.. Fast Path discarded.