CoreXL for Virtual Systems
CoreXL creates multiple firewall instances that are, in reality, independent firewalls. You can use CoreXL to increase the performance of the VSX Gateway on an open server or appliance with multiple cores. You can also assign each instance to a group of CPU cores with the "fw ctl affinity" command.
You configure firewall instances differently for the VSX Gateway (VS0) than for other Virtual Systems.
- VSX Gateway - Use the CLI to configure the number of instances.
- Other Virtual Systems - Use SmartConsole to configure the number of instances.
You can configure multiple instances for each Virtual System. When you change the number of firewall instances on a Virtual System, there is some downtime for that Virtual System.
Important - Each firewall instance that you create uses additional system memory. A Virtual System with five instances would use approximately the same amount of memory as five separate Virtual Systems.
The number of IPv6 instances cannot exceed the number of IPv4 instances. For more about IPv6 instances and VSX, go to sk97997.
For more about configuring CoreXL, see the R80.20SP Quantum Maestro Performance Tuning Administration Guide > Chapter CoreXL.
Configuring CoreXL on a VSX Gateway
Use the Expert mode command "g_all cp_conf corexl" to configure CoreXL on Security Group Members. The number of CoreXL Firewall instances for the VSX Gateway is limited to the physical number of CPU cores on the Security Group Members.
Note - If you run this command in a Virtual System, the output applies to VS0.
Configuring CoreXL on Virtual Systems
Use SmartConsole to configure the number of CoreXL Firewall instances on the Virtual Systems.
- In 32-bit VSX, you can assign up to 10 CoreXL Firewall instances on a Virtual System.
- In 64-bit VSX, you can assign up to 32 CoreXL Firewall instances on a Virtual System.
The number of CoreXL Firewall instances is not limited by the physical CPU cores on the VSX Gateway.
You can assign the number of IPv6 CoreXL Firewall instances. It must be less than or equal to the number of IPv4 CoreXL Firewall instances. The number of IPv6 CoreXL Firewall instances may be zero. IPv6 CoreXL Firewall instances are enabled only if an IPv6 address is configured for that Virtual System.
Notes:
- We recommend that you set the number of CoreXL Firewall instances for each Virtual System according to the expected network traffic on the Virtual System. Configuring unnecessary CoreXL Firewall instances can have a negative impact on performance.
- We recommend that you do not configure more CoreXL Firewall instances than the total number of physical CPU cores on the VSX Gateway.
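The limits and recommendations above can be checked against a planned allocation before you change anything in SmartConsole. The following is an added example, not Check Point code: the VSPlan record, the check_plan function and the sample values are hypothetical, the limit is applied to the IPv4 instance count, the core recommendation is read per Virtual System, and the memory figure counts IPv4 instances only.

```python
from dataclasses import dataclass

# Per-Virtual-System instance limits stated on this page (32-bit / 64-bit VSX).
MAX_INSTANCES = {32: 10, 64: 32}

@dataclass
class VSPlan:  # hypothetical planning record, not a Check Point object
    name: str
    ipv4_instances: int
    ipv6_instances: int = 0
    has_ipv6_address: bool = False

def check_plan(plans, physical_cores, vsx_bits=64):
    """Return (errors, warnings, memory_equivalent) for a planned allocation.

    errors   - violations of hard limits stated on the page
    warnings - settings that go against the page's recommendations
    memory_equivalent - rough count of "separate Virtual Systems" worth of
        memory, using the page's rule of thumb (assumption: IPv4 instances only)
    """
    limit = MAX_INSTANCES[vsx_bits]
    errors, warnings, memory_equivalent = [], [], 0
    for p in plans:
        if p.ipv4_instances > limit:
            errors.append(f"{p.name}: {p.ipv4_instances} instances exceeds "
                          f"the {vsx_bits}-bit limit of {limit}")
        if p.ipv6_instances > p.ipv4_instances:
            errors.append(f"{p.name}: IPv6 instances ({p.ipv6_instances}) "
                          f"exceed IPv4 instances ({p.ipv4_instances})")
        if p.ipv6_instances > 0 and not p.has_ipv6_address:
            warnings.append(f"{p.name}: IPv6 instances stay disabled until "
                            f"an IPv6 address is configured")
        if p.ipv4_instances > physical_cores:
            warnings.append(f"{p.name}: more instances than the "
                            f"{physical_cores} physical CPU cores")
        memory_equivalent += p.ipv4_instances
    return errors, warnings, memory_equivalent

# Constructed sample plan for a 32-bit VSX Gateway with 8 physical cores.
SAMPLE_PLAN = [
    VSPlan("vs1", ipv4_instances=4, ipv6_instances=2, has_ipv6_address=True),
    VSPlan("vs2", ipv4_instances=12),
    VSPlan("vs3", ipv4_instances=2, ipv6_instances=3, has_ipv6_address=True),
    VSPlan("vs4", ipv4_instances=2, ipv6_instances=1),
]

if __name__ == "__main__":
    errs, warns, mem = check_plan(SAMPLE_PLAN, physical_cores=8, vsx_bits=32)
    for line in [f"ERROR   {e}" for e in errs] + [f"WARNING {w}" for w in warns]:
        print(line)
    print(f"Memory use is roughly that of {mem} separate Virtual Systems")
```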
To configure CoreXL on a Virtual System:
- Connect with SmartConsole to the Security Management Server or Target Domain Management Server that manages the Virtual System.
- From the Gateways & Servers view or Object Explorer, double-click the Virtual System object.
  The Virtual System General Properties window opens.
- From the left navigation tree, select CoreXL.
- Select the number of CoreXL Firewall instances for the Virtual System.
- Click OK.
- Install the Access Control Policy on the Virtual System object.