Configuring IPv4 and IPv6 CoreXL Firewall instances

Important Notes for Cluster:

IPv4 and IPv6 CoreXL Firewall Instances

After you enable Gaia IPv6 support on the Security Gateway / Scalable Platform Security Group (see R81.20 Gaia Administration Guide), configure the CPU cores to run different combinations of IPv4 and IPv6 CoreXL Firewall instances:

  • The number of IPv4 CoreXL Firewall instances you can configure is from a minimum of two to a maximum equal to the total number of CPU cores on the Security Gateway / Scalable Platform Security Group:

    2 <= (Number of IPv4 CoreXL Firewall instances) <= (Total Number of CPU cores)

  • By default, the number of IPv6 CoreXL Firewall instances is set to two.

    When the SMT (Hyper-Threading) is enabled, the default number of IPv6 CoreXL Firewall instances is four.

  • The number of IPv6 CoreXL Firewall instances you can configure is from a minimum of two to a maximum equal to the total number of IPv4 CoreXL Firewall instances.

    The number of IPv6 CoreXL Firewall instances cannot be greater than the number of IPv4 CoreXL Firewall instances:

    2 <= (Number of IPv6 CoreXL Firewall instances) <= (Total Number of IPv4 CoreXL Firewall instances)

  • The total number of IPv4 and IPv6 CoreXL Firewall instances cannot be greater than forty:

    Note - This limit applies only to the Kernel Mode Firewall (KMFW).

    (Number of IPv4 CoreXL Firewall instances) + (Number of IPv6 CoreXL Firewall instances) <= 40

Configuring the Number of IPv4 CoreXL Firewall Instances

  1. Connect to the command line on the Security Gateway / each Cluster Member.

     Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

  2. Log in to Gaia Clish or Expert mode.

     Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

  3. Run:

         cpconfig

  4. Enter the number of the Check Point CoreXL option.

  5. Enter 1 to select Change the number of firewall instances.

  6. Enter the total number of IPv4 CoreXL Firewall instances you wish the Security Gateway to run.

     Note - You can only select a number from the range shown.

     Follow the instructions on the screen.

  7. Exit from the cpconfig menu.

  8. Reboot.

     • On the Security Gateway (each Cluster Member), run:

         reboot

     • On the Scalable Platform Security Group, run in Gaia gClish:

         reboot

     • On the Scalable Platform Security Group, run in the Expert mode:

         g_reboot -a

Configuring the Number of IPv6 CoreXL Firewall Instances

  1. Connect to the command line on the Security Gateway / each Cluster Member.

     Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

  2. Log in to Gaia Clish or Expert mode.

     Note - On Scalable Platforms (Maestro and Chassis), you must use Gaia gClish or the Expert mode.

  3. Run:

         cpconfig

  4. Enter the number of the Check Point CoreXL option.

  5. Enter 2 to select Change the number of IPv6 firewall instances.

  6. Enter the total number of IPv6 CoreXL Firewall instances you wish the Security Gateway to run.

     Note - You can only select a number from the range shown.

     Follow the instructions on the screen.

  7. Exit from the cpconfig menu.

  8. Reboot.

     • On the Security Gateway (each Cluster Member), run:

         reboot

     • On the Scalable Platform Security Group, run in Gaia gClish:

         reboot

     • On the Scalable Platform Security Group, run in the Expert mode:

         g_reboot -a

Example CoreXL Configuration

The Security Gateway has four CPU cores.

By default, there are three IPv4 CoreXL Firewall instances and two IPv6 CoreXL Firewall instances:

    CPU Core    IPv4 CoreXL Firewall instances    IPv6 CoreXL Firewall instances
    CPU 0       N / A                             N / A
    CPU 1       fw4_2                             N / A
    CPU 2       fw4_1                             fw6_1
    CPU 3       fw4_0                             fw6_0

  • IPv4 CoreXL Firewall instances: The minimum allowed number is two and the maximum is four

  • IPv6 CoreXL Firewall instances: The minimum allowed number is two and the maximum is three

To increase the number of IPv6 CoreXL Firewall instances to four, first you must increase the number of IPv4 CoreXL Firewall instances to the maximum of four and reboot:

    CoreXL is currently enabled with 3 IPv4 firewall instances and 2 IPv6 firewall instances.

    (1) Change the number of firewall instances
    (2) Change the number of IPv6 firewall instances
    (3) Disable Check Point CoreXL

    (4) Exit
    Enter your choice (1-4) : 1

    How many IPv4 firewall instances would you like to enable (2 to 4) [3] ? 4

    CoreXL was enabled successfully with 4 firewall instances.
    Important: This change will take effect after reboot.

After the reboot, the CoreXL configuration on the Security Gateway looks like this:

    CPU Core    IPv4 CoreXL Firewall instances    IPv6 CoreXL Firewall instances
    CPU 0       fw4_3                             N / A
    CPU 1       fw4_2                             N / A
    CPU 2       fw4_1                             fw6_1
    CPU 3       fw4_0                             fw6_0

Increase the number of IPv6 CoreXL Firewall instances to four and reboot:

    CoreXL is currently enabled with 4 IPv4 firewall instances and 2 IPv6 firewall instances.

    (1) Change the number of firewall instances
    (2) Change the number of IPv6 firewall instances
    (3) Disable Check Point CoreXL

    (4) Exit
    Enter your choice (1-4) : 2

    How many IPv6 firewall instances would you like to enable (2 to 4)[2] ? 4

    CoreXL was enabled successfully with 3 IPv6 firewall instances.
    Important: This change will take effect after reboot.

After the reboot, the CoreXL configuration on the Security Gateway looks like this:

    CPU Core    IPv4 CoreXL Firewall instances    IPv6 CoreXL Firewall instances
    CPU 0       fw4_3                             fw6_3
    CPU 1       fw4_2                             fw6_2
    CPU 2       fw4_1                             fw6_1
    CPU 3       fw4_0                             fw6_0
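
A pre-change check for a planned instance layout, added here as an example (it is not Check Point code): it applies the three limits listed at the top of this page and prints the order in which to make the cpconfig changes, as in the example above. The function name plan_corexl, its arguments and the KMFW flag are hypothetical; the ordering for a decrease is derived from the rule that IPv6 instances cannot exceed IPv4 instances and goes beyond the increase case the page shows.

```shell
#!/bin/sh
# Added example: validate a planned CoreXL layout before running cpconfig.
# plan_corexl CORES CUR_V4 CUR_V6 NEW_V4 NEW_V6 [KMFW]   (hypothetical helper)
#   KMFW=1 (default) applies the combined limit of 40; KMFW=0 skips it.
# Prints the ordered change steps; returns 1 if the target breaks a limit.
# The printed steps are descriptions for the operator, not cpconfig flags.
plan_corexl() {
    cores=$1 cur_v4=$2 cur_v6=$3 new_v4=$4 new_v6=$5 kmfw=${6:-1}

    # Every count must be a non-negative integer.
    for n in "$cores" "$cur_v4" "$cur_v6" "$new_v4" "$new_v6"; do
        case $n in ''|*[!0-9]*) echo "ERROR: not a number: '$n'"; return 1 ;; esac
    done

    # 2 <= IPv4 instances <= total CPU cores
    if [ "$new_v4" -lt 2 ] || [ "$new_v4" -gt "$cores" ]; then
        echo "ERROR: IPv4 instances must be 2..$cores"; return 1
    fi
    # 2 <= IPv6 instances <= IPv4 instances
    if [ "$new_v6" -lt 2 ] || [ "$new_v6" -gt "$new_v4" ]; then
        echo "ERROR: IPv6 instances must be 2..$new_v4"; return 1
    fi
    # IPv4 + IPv6 <= 40 (Kernel Mode Firewall only)
    if [ "$kmfw" -eq 1 ] && [ $((new_v4 + new_v6)) -gt 40 ]; then
        echo "ERROR: IPv4 + IPv6 instances exceed 40 (KMFW)"; return 1
    fi

    v4_step="cpconfig: set IPv4 instances $cur_v4 -> $new_v4, then reboot"
    v6_step="cpconfig: set IPv6 instances $cur_v6 -> $new_v6, then reboot"
    [ "$new_v4" -eq "$cur_v4" ] && v4_step=""
    [ "$new_v6" -eq "$cur_v6" ] && v6_step=""

    # Keep IPv6 <= IPv4 after every intermediate reboot: if IPv4 shrinks
    # below the current IPv6 count, change IPv6 first (assumption derived
    # from the limit); otherwise change IPv4 first, as in the page's example.
    if [ "$new_v4" -lt "$cur_v6" ]; then
        first=$v6_step second=$v4_step
    else
        first=$v4_step second=$v6_step
    fi
    [ -n "$first" ] && echo "$first"
    [ -n "$second" ] && echo "$second"
    return 0
}
```

For the page's example, `plan_corexl 4 3 2 4 4` prints the IPv4 change first and the IPv6 change second, each followed by a reboot.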