Configuring IPv4 and IPv6 CoreXL Firewall instances

IPv4 and IPv6 CoreXL Firewall Instances

After you enable Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. IPv6 support on the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. (see the R80.20SP Quantum Maestro Gaia Administration Guide), configure the CPU cores to run different combinations of IPv4 and IPv6 CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall instances:

The number of IPv4 CoreXL Firewall instances you can configure is from a minimum of two to a maximum equal to the total number of CPU cores on the Security Group Member:

2 <= (Number of IPv4 CoreXL Firewall instances) <= (Total Number of CPU cores)

By default, the number of IPv6 CoreXL Firewall instances is set to two.

When the SMT (Hyper-Threading) is enabled, the default number of IPv6 CoreXL Firewall instances is four.

The number of IPv6 CoreXL Firewall instances you can configure is from a minimum of two to a maximum equal to the total number of IPv4 CoreXL Firewall instances.

The number of IPv6 CoreXL Firewall instances cannot be greater than the number of IPv4 CoreXL Firewall instances:

2 <= (Number of IPv6 CoreXL Firewall instances) <= (Total Number of IPv4 CoreXL Firewall instances)

The total number of IPv4 and IPv6 CoreXL Firewall instances cannot be greater than forty:

(Number of IPv4 CoreXL Firewall instances) + (Number of IPv6 CoreXL Firewall instances) <= 40

Configuring the Number of IPv4 CoreXL Firewall Instances

Step

Instructions

Connect to the command line on the Security Group.

Log in to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or the Expert mode

If you logged in to Gaia Clish, then go to Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group.:

enter gclish and press Enter.

Run:

cpconfig

Enter the number of the Check Point CoreXL option.

Enter 1 to select the (1) Change the number of firewall instances option.

Enter the total number of IPv4 CoreXL Firewall instances you wish to run.

Note - You can only select a number from the range shown.

Follow the instructions on the screen.

Exit from the cpconfig menu.

Reboot all Security Group Members:

reboot -b all

Configuring the Number of IPv6 CoreXL Firewall Instances

Step

Instructions

Connect to the command line on the Security Group.

If you logged in to Gaia Clish, then go to Gaia gClish:

enter gclish and press Enter.

Run:

cpconfig

Enter the number of the Check Point CoreXL option.

Enter 2 to select the (2) Change the number of IPv6 firewall instances option.

Enter the total number of IPv6 CoreXL Firewall instances you wish to run.

Note - You can only select a number from the range shown.

Follow the instructions on the screen.

Exit from the cpconfig menu.

Reboot all Security Group Members:

reboot -b all

Example CoreXL Configuration

Security Group Members in the Security Group have four CPU cores.

By default, there are three IPv4 CoreXL Firewall instances and two IPv6 CoreXL Firewall instances:

CPU Core	IPv4 CoreXL Firewall instances	IPv6 CoreXL Firewall instances
CPU 0	N / A	N / A
CPU 1	`fw4_2`	N / A
CPU 2	`fw4_1`	`fw6_1`
CPU 3	`fw4_0`	`fw6_0`

IPv4 CoreXL Firewall instances: The minimum allowed number is two and the maximum is four
IPv6 CoreXL Firewall instances: The minimum allowed number is two and the maximum is three

To increase the number of IPv6 CoreXL Firewall instances to four, first you must increase the number of IPv4 CoreXL Firewall instances to the maximum of four and reboot:

CoreXL is currently enabled with 3 IPv4 firewall instances and 2 IPv6 firewall instances.

(1) Change the number of firewall instances

(2) Change the number of IPv6 firewall instances

(3) Disable Check Point CoreXL

(4) Exit

Enter your choice (1-4) : 1

How many IPv4 firewall instances would you like to enable (2 to 4) [3] ? 4

CoreXL was enabled successfully with 4 firewall instances.

Important: This change will take effect after reboot.

After the reboot, the CoreXL configuration on the Security Group looks like this:

CPU Core	IPv4 CoreXL Firewall instances	IPv6 CoreXL Firewall instances
CPU 0	`fw4_3`	N / A
CPU 1	`fw4_2`	N / A
CPU 2	`fw4_1`	`fw6_1`
CPU 3	`fw4_0`	`fw6_0`

Increase the number of IPv6 CoreXL Firewall instances to four and reboot:

CoreXL is currently enabled with 4 IPv4 firewall instances and 2 IPv6 firewall instances.

(1) Change the number of firewall instances

(2) Change the number of IPv6 firewall instances

(3) Disable Check Point CoreXL

(4) Exit

Enter your choice (1-4) : 2

How many IPv6 firewall instances would you like to enable (2 to 4)[2] ? 4

CoreXL was enabled successfully with 3 IPv6 firewall instances.

Important: This change will take effect after reboot.

After the reboot, the CoreXL configuration on the Security Group looks like this:

CPU Core	IPv4 CoreXL Firewall instances	IPv6 CoreXL Firewall instances
CPU 0	`fw4_3`	`fw6_3`
CPU 1	`fw4_2`	`fw6_2`
CPU 2	`fw4_1`	`fw6_1`
CPU 3	`fw4_0`	`fw6_0`