Maximizing Network Performance
Check Point Software Acceleration Solutions
These are features that you can enable to increase the performance of the Firewall:
- CoreXL
- SecureXL (Performance Pack)
These are software based features that are included in the Check Point operating systems. It is not necessary to purchase additional hardware to use them. You cannot configure CoreXL and SecureXL with SmartDashboard, instead run the applicable commands from the CLI.
For more about configuring CoreXL and SecureXL, see the R76 Performance Tuning Administration Guide.
CoreXL
In a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated instance runs on one processing core. These instances handle traffic concurrently and each instance is a complete Firewall kernel that inspects traffic. When CoreXL is enabled, all Firewall instances in the Security Gateway process traffic through the same interfaces and apply the same gateway security policy.
The maximum number of Firewall instances is based on the total number of CPU cores.
Number of Cores
|
Number of Firewall Instances
|
1
|
1
|
2
|
2
|
4
|
3
|
8
|
6
|
12
|
10
|
More than 12
|
Open server - 10
Check Point appliance - Number of cores, minus 2. Maximum number of instances is 14
|
Configuring CoreXL
Use the cpconfig command to open the wizard to enable CoreXL and configure the number of firewall instances.
To enable/disable CoreXL:
- Log in to the Security Gateway.
- Run
cpconfig - Select
Configure Check Point CoreXL . - Enable or disable CoreXL.
- Reboot the Security Gateway.
To configure the number of instances:
- Run
cpconfig - Select
Configure Check Point CoreXL . - If CoreXL is enabled, enter the number of firewall instances.
If CoreXL is disabled, enable CoreXL and then set the number of firewall instances.
- Reboot the gateway.
Using SecureXL
SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise security. When SecureXL is enabled on a Security Gateway, some CPU intensive operations are processed by virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:
- - Packets and connections that are inspected by the Firewall and are not processed by SecureXL.
- - Packets and connections that are offloaded to SecureXL and are not processed by the Firewall.
- - Packets that require deeper inspection cannot use the accelerated path. It is not necessary for the Firewall to inspect these packets, they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.
The goal of a SecureXL configuration is to minimize the connections that are processed on the slow path.
Throughput Acceleration
Connections are identified by the 5 tuple attributes: source address, destination address, source port, destination port, protocol. When the packets in a connection match all the 5 tuple attributes, the traffic flow can be processed on the accelerated path.
The first packets of a new TCP connection require more processing and they are processed on the slow path. The other packets of the connection can be processed on the accelerated path and the Firewall throughput is dramatically increased.
Connection-rate Acceleration
SecureXL also improves the rate of new connections (connections per second) and the connection setup/teardown rate (sessions per second). To accelerate the rate of new connections, connections that do not match a specified 5 tuple are still processed by SecureXL.
For example, if the source port is masked and only the other 4 tuple attributes require a match. When a connection is processed on the accelerated path, SecureXL creates a template of that connection that does not include the source port tuple. A new connection that matches the other 4 tuples is processed on the accelerated path because it matches the template. The Firewall does not inspect the new connection and the Firewall connection rates are increased.
Configuring SecureXL
SecureXL is enabled by default and you cannot use SmartDashboard to configure it.
To configure SecureXL:
- Log in to the CLI on the Security Gateway.
- Run
cpconfig
- Enter the option that enables or disables SecureXL.
For example, (9) Disable Check Point SecureXL
- Enter
y and then enter 11 .
|
Note -
- Run
fwaccel or fwaccel6 to dynamically enable or disable SecureXL acceleration for IPv4 or IPv6 traffic - This setting does not survive reboot or the Security Gateway
|
Multi-Queue
By default, the traffic for each interface is processed on one CPU core. If there are more CPU cores than interfaces, not all of the CPU cores are used to process traffic.
You can enable the Multi-queue feature to assign more than one CPU core to one interface. Run the cpmq command to configure the Multi-queue settings.
The SND (Secure Network Distributer) is part of SecureXL and CoreXL. It processes and helps to accelerate network traffic:
- SecureXL - Distributes traffic to the accelerated or slow path
- CoreXL - Processes traffic on a specified Firewall instance
Sample Multi-queue Configuration
This sample configuration shows how CoreXL, SecureXL and Multi-queue can help to use more CPU cores for SNDs to accelerate network traffic. There is a Security Gateway with two six core CPUs (total 12 CPU cores) and three interfaces:
|
CPU cores for SND
|
CPU cores for CoreXL
|
Multi-queue disabled
|
3
|
9
|
Multi-queue enabled
|
6
|
6
|
|