Print Download PDF Send Feedback

Previous

Next

Maximizing Network Performance and Redundancy

In This Section:

Solutions for Enhancing Network Performance and Redundancy

CoreXL

About SecureXL

Multi-Queue

ClusterXL

VRRP Cluster

To Learn More About Maximizing Network Performance

Solutions for Enhancing Network Performance and Redundancy

These are features that you can enable to increase the performance of the Firewall:

These Gateway clustering solutions enable you to enhance network redundancy:

These are software based features that are included in the Check Point operating systems. It is not necessary to purchase additional hardware to use them.

CoreXL

In a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated instance runs on one processing core. These instances handle traffic concurrently and each instance is a complete Firewall kernel that inspects traffic. When CoreXL is enabled, all Firewall instances in the Security Gateway process traffic through the same interfaces and apply the same gateway security policy.

When you enable CoreXL, the number of kernel instances is based on the total number of CPU cores.

Number of CPU Cores

Number of CoreXL FW Instances

1

1

2

2

4

3

6-20

Number of CPU cores, minus 2

More than 20

Number of CPU cores, minus 4.
Up to a total of 40 CoreXL FW instances.
CoreXL FW instances can be IPv4 or IPv6.

Configuring CoreXL

Note - In cluster, you must perform these steps on each cluster member.

To enable/disable CoreXL:

  1. Connect to the command line on Security Gateway.
  2. Log in.
  3. Run: cpconfig
  4. Select Configure Check Point CoreXL.
  5. Enable or disable CoreXL.
  6. Reboot the Security Gateway.

To configure the number of CoreXL FW instances:

  1. Connect to the command line on Security Gateway.
  2. Log in.
  3. Run: cpconfig
  4. Select Configure Check Point CoreXL.
  5. If CoreXL is enabled, enter the number of CoreXL FW instances.

    If CoreXL is disabled, enable CoreXL and then set the number of CoreXL FW instances.

  6. Reboot the Security Gateway.

To Learn More About CoreXL

To learn more about CoreXL, see the R80.20 Performance Tuning Administration Guide.

About SecureXL

SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise security. When SecureXL is enabled on a gateway, some CPU intensive operations are processed by virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:

The goal of a SecureXL configuration is to minimize the connections that are processed on the slow path.

Throughput Acceleration

Connections are identified by the 5 tuple attributes: source address, destination address, source port, destination port, protocol. When the packets in a connection match all the 5 tuple attributes, the traffic flow can be processed on the accelerated path.

The first packets of a new TCP connection require more processing and they are processed on the slow path. The other packets of the connection can be processed on the accelerated path and the Firewall throughput is dramatically increased.

Connection-rate Acceleration

SecureXL also improves the rate of new connections (connections per second) and the connection setup/teardown rate (sessions per second). To accelerate the rate of new connections, connections that do not match a specified 5 tuple are still processed by SecureXL.

For example, if the source port is masked and only the other 4 tuple attributes require a match. When a connection is processed on the accelerated path, SecureXL creates a template of that connection that does not include the source port tuple. A new connection that matches the other 4 tuples is processed on the accelerated path because it matches the template. The Firewall does not inspect the new connection and the Firewall connection rates are increased.