CoreXL for Virtual Systems

Note - In Security Groups in Maestro and Scalable Chassis:

The term VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. means a Security Group in the VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. mode.
Some VSX features have a limited or no support.

Introduction

CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. creates multiple Firewall instances that are, in reality, independent firewalls. You can use CoreXL to increase the performance of the VSX Gateway with multiple CPU cores. You can also assign each CoreXL Firewall instance to a group of CPU cores with the "fw ctl affinity" command.

You configure CoreXL Firewall instances differently for the VSX Gateway (VS0) than for other Virtual Systems.

VSX Gateway - Use the CLI to configure the number of CoreXL Firewall instances.
Other Virtual Systems - Use SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to configure the number of CoreXL Firewall instances.

You can configure several CoreXL Firewall instances for each Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS.. When you change the number of CoreXL Firewall instances on a Virtual System, there is some downtime for that Virtual System.

Important:

Each CoreXL Firewall instance you create uses additional system memory.

A Virtual System with five CoreXL Firewall instances would use approximately the same amount of memory as five separate Virtual Systems.
The number of IPv6 instances cannot exceed the number of IPv4 CoreXL Firewall instances.

For more about configuring CoreXL, see the R81.10 Performance Tuning Administration Guide > Chapter "CoreXL".

Configuring CoreXL on a VSX Gateway

Important - Enabling CoreXL on VS0 is not recommended because of increased memory overhead and potential performance degradation. Most VSX deployments do not require more than a single Firewall instance for VS0 as its main purpose is managing the VSX Gateway.

Use the "cpconfig" command to configure CoreXL on the VSX Gateway (VS0).

The number of instances for the VSX Gateway is limited to the physical number of cores on the server or appliance.

To configure the number of instances on the VSX Gateway:

Connect to the command line on the VSX Gateway / each VSX Cluster Member Security Gateway that is part of a cluster..

Run:

cpconfig

Select Configure Check Point CoreXL.
Make sure that CoreXL is enabled.
Configure the number of CoreXL Firewall instances.
Exit the cpconfig menu.

Note - It is not necessary to reboot the VSX Gateway after you configure CoreXL.

Configuring CoreXL on a Scalable Platform Security Group

To configure CoreXL on the Security Group (VS0):

In Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish, use the "cpconfig" command.
In the Expert mode, use the "g_all cp_conf corexl" command. See the R81.10 CLI Reference Guide > Chapter "CoreXL Commands" > Section "cp_conf corexl".

To configure the number of instances on the Security Group:

Connect to the command line on the Security Group.
Log in to Gaia gClish.

If your default shell is the Expert mode, then run: gclish

Run:

cpconfig

Select Configure Check Point CoreXL.
Make sure that CoreXL is enabled.
Configure the number of CoreXL Firewall instances.
Exit the cpconfig menu.

Note - It is not necessary to reboot the Security Group after you configure CoreXL.

Configuring CoreXL on Virtual Systems

Use SmartConsole to configure the number of CoreXL Firewall instances on the Virtual Systems.

In 64-bit Gaia, you can assign up to 32 CoreXL Firewall instances on a Virtual System.

The number of CoreXL Firewall instances is not limited by the physical CPU cores on the VSX Gateway.

You can assign the number of IPv6 CoreXL Firewall instances. It must be less or equal to the number of IPv4 CoreXL Firewall instances. The number of IPv6 CoreXL Firewall instances may be zero. IPv6 CoreXL Firewall instances are only enabled, if an IPv6 address is configured for that Virtual System.

Notes:

We recommend that you use the number of CoreXL Firewall instances for each Virtual System according to the expected network traffic on the Virtual System. Configuring unnecessary CoreXL Firewall instances can have a negative impact on performance.
We recommend that you do not configure more CoreXL Firewall instances than the total number of physical CPU cores on the VSX Gateway.

To configure CoreXL on a Virtual System:

Connect with SmartConsole to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Target Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages the Virtual System.
From the Gateways & Servers view or Object Explorer, double-click the Virtual System object.

The Virtual System General Properties window opens.
From the left navigation tree, select CoreXL.
Select the number of CoreXL Firewall instances for the Virtual System.
Click OK.
Install the Access Control Policy on the Virtual System object.