SecureXL and CoreXL


Article ID: 167933


Products

XOS

Issue/Introduction

Introductory information about CPSG R70 SecureXL and CoreXL technologies on Crossbeam X-series.

Resolution

Check Point R70 supports CoreXL technology, which allows more granular control over the functions performed on different CPU cores. SecureXL, also known as Performance Pack (PPAK), is available on R70 and on previous platforms that are currently supported.


CoreXL allows individual cores to be used in two ways:

  1. Traffic dispatcher (SND)
  2. Firewall instance

Individual cores are able to receive incoming network traffic if they are assigned to one of the interrupts (sim affinity).

Affinity with an interface is set in the same way as without CoreXL, since it is directly related to kernel interface<->CPU core affinity.

Under most operating conditions, each core performs only one of the above-mentioned tasks, but a core can perform both. See the configurations below.

The default R70 configuration is set as follows:

2 core system - 2 dispatchers and 2 instances (both CPUs act in both roles)

4 core system - 1 dispatcher and 3 instances

8 core system - 2 dispatchers and 6 instances

How to verify how individual cores are utilized

Verify core utilization:

# fw ctl multik stat

Cores not listed as instances are used by the dispatcher and SXL.
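The rule above can be scripted. The following is an added example, not part of the original article or of Check Point's or Crossbeam's tooling: it reads `fw ctl multik stat` output and lists the cores that run no firewall instance. The function names, the pipe-separated `ID | Active | CPU | ...` column layout, and the sample output are assumptions constructed for illustration; the total core count is supplied by the operator.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes `fw ctl multik stat`
# prints pipe-separated columns: ID | Active | CPU | Connections | Peak

# Constructed sample: 4-core system with the default 1 dispatcher / 3 instances.
sample_multik_stat() {
cat <<'EOF'
ID | Active  | CPU    | Connections | Peak
-------------------------------------------
 0 | Yes     | 3      |          11 |       28
 1 | Yes     | 2      |          12 |       23
 2 | Yes     | 1      |          13 |       23
EOF
}

# instance_cores: read the stat output on stdin and print, space-separated,
# the CPU ids that host an active firewall instance.
instance_cores() {
    awk -F'|' '
        NF >= 3 && $1 ~ /^[ \t]*[0-9]+[ \t]*$/ && $2 ~ /Yes/ {
            gsub(/[ \t]/, "", $3); print $3
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# dispatcher_cores TOTAL: read the stat output on stdin and print the cores in
# 0..TOTAL-1 that host no instance (left to the dispatcher and SXL).
# An empty result means every core also runs an instance, as in the
# 2-core default where both CPUs act in both roles.
dispatcher_cores() {
    total=$1
    used=" $(instance_cores) "
    out=""
    i=0
    while [ "$i" -lt "$total" ]; do
        case "$used" in
            *" $i "*) ;;            # core hosts a firewall instance
            *) out="$out $i" ;;     # core is not listed as an instance
        esac
        i=$((i + 1))
    done
    echo "${out# }"
}
```

On a gateway the live output would be piped in, for example `fw ctl multik stat | dispatcher_cores 4`.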

List cores assigned to particular interfaces (SDPs):

# sim affinity -l


When using the Crossbeam X-Series solution, only SDP interfaces on the APM may be modified and cores assigned.

The APM-9600 has just a single SDP device and there is no need to customize sim affinity.

The default configuration is suitable for general use, where a mix of traffic is observed, providing the best performance in most cases.

However, in cases where high performance is required and only basic security features are used, some tuning may be required, as described in the article titled "CoreXL tuning for systems performing basic firewall and/or nat functions" (solution #000005472).
 

For any further questions, please contact Crossbeam Technical Support for assistance.

 

Workaround

N/A