In This Section: |
These are features that you can enable to increase the performance of the Firewall:
These Gateway clustering solutions enable you to enhance network redundancy:
These are software based features that are included in the Check Point operating systems. It is not necessary to purchase additional hardware to use them.
In a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated instance runs on one processing core. These instances handle traffic concurrently and each instance is a complete Firewall kernel that inspects traffic. When CoreXL is enabled, all Firewall instances in the Security Gateway process traffic through the same interfaces and apply the same gateway security policy.
When you enable CoreXL, the number of kernel instances is based on the total number of CPU cores.
Number of CPU Cores |
Number of CoreXL FW Instances |
---|---|
1 |
1 |
2 |
2 |
4 |
3 |
6-20 |
Number of CPU cores, minus 2 |
More than 20 |
Number of CPU cores, minus 4. |
Note - In cluster, you must perform these steps on each cluster member.
To enable/disable CoreXL:
cpconfig
To configure the number of CoreXL FW instances:
cpconfig
If CoreXL is disabled, enable CoreXL and then set the number of CoreXL FW instances.
To learn more about CoreXL, see the R80.20 Performance Tuning Administration Guide.
SecureXL is an acceleration solution that maximizes performance of the Firewall and does not compromise security. When SecureXL is enabled on a gateway, some CPU intensive operations are processed by virtualized software instead of the Firewall kernel. The Firewall can inspect and process connections more efficiently and accelerate throughput and connection rates. These are the SecureXL traffic flows:
The goal of a SecureXL configuration is to minimize the connections that are processed on the slow path.
Throughput Acceleration
Connections are identified by the 5 tuple attributes: source address, destination address, source port, destination port, protocol. When the packets in a connection match all the 5 tuple attributes, the traffic flow can be processed on the accelerated path.
The first packets of a new TCP connection require more processing and they are processed on the slow path. The other packets of the connection can be processed on the accelerated path and the Firewall throughput is dramatically increased.
Connection-rate Acceleration
SecureXL also improves the rate of new connections (connections per second) and the connection setup/teardown rate (sessions per second). To accelerate the rate of new connections, connections that do not match a specified 5 tuple are still processed by SecureXL.
For example, if the source port is masked and only the other 4 tuple attributes require a match. When a connection is processed on the accelerated path, SecureXL creates a template of that connection that does not include the source port tuple. A new connection that matches the other 4 tuples is processed on the accelerated path because it matches the template. The Firewall does not inspect the new connection and the Firewall connection rates are increased.