CoreXL for Virtual Systems

CoreXL creates multiple firewall instances that are, in reality, independent firewalls. You can use CoreXL to increase the performance of the VSX Gateway on an open server or appliance with multiple cores. You can also assign each instance to a group of CPU cores with the fw ctl affinity command.

You configure firewall instances differently for the VSX Gateway (VS0) than for other Virtual Systems.

You can configure multiple instances for each Virtual System. When you change the number of firewall instances on a Virtual System, there is some downtime for that Virtual System.

Important - Each firewall instance that you create uses additional system memory. A Virtual System with five instances would use approximately the same amount of memory as five separate Virtual Systems.

The number of IPv6 instances cannot exceed the number of IPv4 instances. For more about IPv6 instances and VSX, go to sk97997.

For more about configuring CoreXL, see the R80.10 Performance Tuning Administration Guide.

Configuring CoreXL on a VSX Gateway

Use the cpconfig command to configure CoreXL on the VSX Gateway (VS0). The number of instances for the VSX Gateway is limited to the number of physical cores on the server or appliance.

To configure the number of instances on the VSX Gateway:

  1. From the CLI, run cpconfig.
  2. Select Configure Check Point CoreXL.
  3. Make sure that CoreXL is enabled.
  4. Configure the number of firewall instances for the VSX Gateway.
  5. Exit cpconfig.

    Note - It is not necessary to reboot the VSX Gateway after you configure CoreXL.

Configuring CoreXL on Virtual Systems

Use SmartConsole to configure the number of CoreXL Firewall instances on the Virtual Systems.

The number of CoreXL Firewall instances is not limited by the physical CPU cores on the VSX Gateway.

You can assign the number of IPv6 CoreXL Firewall instances. It must be less than or equal to the number of IPv4 CoreXL Firewall instances. The number of IPv6 CoreXL Firewall instances may be zero. IPv6 CoreXL Firewall instances are enabled only if an IPv6 address is configured for that Virtual System.

Notes:

To configure CoreXL on a Virtual System:

  1. Connect with SmartConsole to the Security Management Server or Target Domain Management Server that manages the Virtual System.
  2. From the Gateways & Servers view or Object Explorer, double-click the Virtual System object.

    The Virtual System General Properties window opens.

  3. From the left navigation tree, select CoreXL.
  4. Select the number of CoreXL Firewall instances for the Virtual System.
  5. Click OK.
  6. Install the Access Control Policy on the Virtual System object.
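
The limits stated on this page can be checked against a planned instance layout before a change window. The following is an added example, not Check Point code: the VsPlan class, the review function and the sample plan are hypothetical, and the memory figure counts only IPv4 instances because the page gives no figure for IPv6 instances.

```python
from dataclasses import dataclass

@dataclass
class VsPlan:
    name: str
    current: tuple          # (IPv4, IPv6) instances running now
    planned: tuple          # (IPv4, IPv6) instances after the change
    has_ipv6_addr: bool = False
    is_vs0: bool = False    # True for the VSX Gateway itself

def review(plans, physical_cores):
    """Return (findings, downtime, vs_equivalents) for a planned layout."""
    findings, downtime, vs_equivalents = [], [], 0
    for p in plans:
        v4, v6 = p.planned
        # Only VS0 is limited by the physical core count.
        if p.is_vs0 and v4 > physical_cores:
            findings.append(f"{p.name}: {v4} instances exceed "
                            f"{physical_cores} physical cores")
        # IPv6 instances cannot exceed IPv4 instances.
        if v6 > v4:
            findings.append(f"{p.name}: {v6} IPv6 instances exceed "
                            f"{v4} IPv4 instances")
        elif v6 > 0 and not p.has_ipv6_addr:
            findings.append(f"{p.name}: IPv6 instances stay disabled, "
                            "no IPv6 address configured")
        # Changing the instance count on a Virtual System causes downtime.
        if not p.is_vs0 and p.planned != p.current:
            downtime.append(p.name)
        # Rule of thumb from the page: N instances cost about as much
        # memory as N separate Virtual Systems (IPv4 instances only here).
        vs_equivalents += v4
    return findings, downtime, vs_equivalents

# Constructed sample plan for a gateway with 4 physical cores.
PLAN = [
    VsPlan("VS0", (4, 0), (6, 0), is_vs0=True),
    VsPlan("VS1", (2, 0), (5, 2), has_ipv6_addr=True),
    VsPlan("VS2", (2, 0), (2, 3)),
    VsPlan("VS3", (3, 0), (3, 1)),
]

if __name__ == "__main__":
    findings, downtime, equiv = review(PLAN, physical_cores=4)
    print("\n".join(findings))
    print("Downtime expected on:", ", ".join(downtime))
    print("Memory footprint, in Virtual System equivalents:", equiv)
```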