Default Configuration of CoreXL

Important - This default configuration applies only to Security Gateways that do not support Dynamic Balancing of CoreXLClosed Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Instances. See Dynamic Balancing of CoreXL Instances.

When you enable CoreXL, the default number of CoreXL Firewall instances is based on the total number of CPU cores.

The default affinityClosed The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. setting for all interfaces is automatic when SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. is enabled. See Allocation of Processing CPU Cores.

Traffic from all interfaces is directed to the CPU cores that run the CoreXL Secure Network Distributor (SND).

Default number of IPv4 CoreXL Firewall instances:

Number of
CPU cores

Default number of
CoreXL IPv4
FW instances

Default number of
Secure Network
Distributors (SNDs)

1

1 (CoreXL is disabled)

1 (CoreXL is disabled)

2

2

2

4

3

1

6-20

Number of CPU cores, minus 2

2

More than 20

Number of CPU cores, minus 4.
However, no more than 40.

Note - This limit applies only to the Kernel Mode Firewall (KMFW).

4

The numbers of CoreXL Firewall instances start from zero.

The numbers of CPU cores start from the highest CPU ID allowed by the current Check Point license on your Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster MemberClosed Security Gateway that is part of a cluster. / Scalable Platform Security GroupClosed A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

Refer to the ID and CPU columns in this example:

> fw ctl multik stat
 
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 7      |           5 |       21
 1 | Yes     | 6      |           3 |       23
 2 | Yes     | 5      |           5 |       25
 3 | Yes     | 4      |           4 |       21
 4 | Yes     | 3      |           5 |       21
 5 | Yes     | 2      |           5 |       20
 
>
> fw6 ctl multik stat
 
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 7      |           0 |        4
 1 | Yes     | 6      |           0 |        4
>

Maximal number of IPv4 CoreXL Firewall instances

Gaia kernel edition

Check Point Appliance

Open Server

64-bit

40

40

Notes: