eG Monitoring
 

Measures reported by NKSxlStatTest

Secure XL (SXL) is the security performance architecture of Check Point VPN-1/FireWall-1 and Nokia security appliances. When the SXL feature is enabled for the Nokia IPSO firewall, the architecture offloads multiple CPU-intensive security operations to optimized Nokia IPSO code running on Intel x86 hardware or on network processor hardware. The optimized IPSO code reduces the overhead involved in performing the security operations. As a result of the reduced overhead, SXL accelerates firewall performance, throughput and connection rate by remembering certain attributes of packets and packet flows that have already been validated by the firewall.

If SXL is abruptly disabled for any abnormal reason, the firewall may no longer handle traffic as quickly, because it then needs to validate the connection details every time. Therefore, it is important for administrators to continuously monitor the current status of SXL and the traffic handled by SXL at regular intervals. This can be easily achieved using the NKSxlStatTest.

Using this test, administrators can instantly find out whether or not the Secure XL feature is enabled for the target firewall. In the process, this test also reveals the count of connections that are added to the firewall, and the count that are deleted, by SXL.

Outputs of the test: One set of results for the target firewall that is to be monitored.

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| sxlStatus | Indicates whether Secure XL is enabled or not. | | The values that this measure can report and their corresponding numeric values are: Enabled (1) and Disabled (0). Note: By default, this measure reports the Measure Values listed here (Enabled or Disabled) to indicate the current state of Secure XL. The graph of this measure, however, is represented using the numeric equivalents only, i.e., 0 to 1. |
| sxlExistCon | Indicates the number of connections that have already been validated by Secure XL. | Number | A low value of this measure may indicate that few connections have been validated by SXL. The firewall therefore needs to natively verify the connection details every time. This may increase the processing overhead and the time required to establish connections through the target firewall. |
| sxlAcceptCon | Indicates the number of connections that are added to the firewall by Secure XL. | Number | |
| sxlDeleteCon | Indicates the number of connections that are deleted by Secure XL. | Number | |