Configuring IPv4 and IPv6 CoreXL Firewall instances
|
Important Notes for Cluster:
|
IPv4 and IPv6 CoreXL Firewall Instances
After you enable Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. IPv6 support on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. (see R81.20 Gaia Administration Guide), configure the CPU cores to run different combinations of IPv4 and IPv6 CoreXL Firewall instances:
-
The number of IPv4 CoreXL Firewall instances you can configure is from a minimum of two to a maximum equal to the total number of CPU cores on the Security Gateway / Scalable Platform Security Group:
2 <= (Number of IPv4 CoreXL Firewall instances) <= (Total Number of CPU cores)
-
By default, the number of IPv6 CoreXL Firewall instances is set to two.
When the SMT (Hyper-Threading) is enabled, the default number of IPv6 CoreXL Firewall instances is four.
-
The number of IPv6 CoreXL Firewall instances you can configure is from a minimum of two to a maximum equal to the total number of IPv4 CoreXL Firewall instances.
The number of IPv6 CoreXL Firewall instances cannot be greater than the number of IPv4 CoreXL Firewall instances:
2 <= (Number of IPv6 CoreXL Firewall instances) <= (Total Number of IPv4 CoreXL Firewall instances)
-
The total number of IPv4 and IPv6 CoreXL Firewall instances cannot be greater than forty:
Note - This limit applies only to the Kernel Mode Firewall (KMFW).
(Number of IPv4 CoreXL Firewall instances) + (Number of IPv6 CoreXL Firewall instances) <= 40
Configuring the Number of IPv4 CoreXL Firewall Instances
Step |
Instructions |
|||
---|---|---|---|---|
1 |
Connect to the command line on the Security Gateway / each Cluster Member. Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group. |
|||
2 |
Log in to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). or Expert mode. Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group. or the Expert mode. |
|||
3 |
Run:
|
|||
4 |
Enter the number of the Check Point CoreXL option. |
|||
5 |
Enter 1 to select Change the number of firewall instances. |
|||
6 |
Enter the total number of IPv4 CoreXL Firewall instances you wish the Security Gateway to run.
Follow the instructions on the screen. |
|||
7 |
Exit from the |
|||
8 |
Reboot.
|
Configuring the Number of IPv6 CoreXL Firewall Instances
Step |
Instructions |
|||
---|---|---|---|---|
1 |
Connect to the command line on the Security Gateway / each Cluster Member. Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group. |
|||
2 |
Log in to Gaia Clish or Expert mode. Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode. |
|||
3 |
Run:
|
|||
4 |
Enter the number of the Check Point CoreXL option. |
|||
5 |
Enter 2 to select Change the number of IPv6 firewall instances. |
|||
6 |
Enter the total number of IPv6 CoreXL Firewall instances you wish the Security Gateway to run.
Follow the instructions on the screen. |
|||
7 |
Exit from the |
|||
8 |
Reboot.
|
Example CoreXL Configuration
Security Gateway has four CPU cores.
By default, there are three IPv4 CoreXL Firewall instances and two IPv6 CoreXL Firewall instances:
CPU Core |
IPv4 CoreXL Firewall instances |
IPv6 CoreXL Firewall instances |
---|---|---|
CPU 0 |
N / A |
N / A |
CPU 1 |
|
N / A |
CPU 2 |
|
|
CPU 3 |
|
|
-
IPv4 CoreXL Firewall instances: The minimum allowed number is two and the maximum is four
-
IPv6 CoreXL Firewall instances: The minimum allowed number is two and the maximum is three
To increase the number of IPv6 CoreXL Firewall instances to four, first you must increase the number of IPv4 CoreXL Firewall instances to the maximum of four and reboot:
|
After the reboot, the CoreXL configuration on the Security Gateway looks like this:
CPU Core |
IPv4 CoreXL Firewall instances |
IPv6 CoreXL Firewall instances |
---|---|---|
CPU 0 |
|
N / A |
CPU 1 |
|
N / A |
CPU 2 |
|
|
CPU 3 |
|
|
Increase the number of IPv6 CoreXL Firewall instances to four and reboot:
|
After the reboot, the CoreXL configuration on the Security Gateway looks like this:
CPU Core |
IPv4 CoreXL Firewall instances |
IPv6 CoreXL Firewall instances |
---|---|---|
CPU 0 |
|
|
CPU 1 |
|
|
CPU 2 |
|
|
CPU 3 |
|
|