CoreXL tuning for systems performing basic firewall and/or nat functions


Article ID: 168106


Updated On:




Discusses CoreXL tuning for systems performing basic firewall and/or NAT functions- CPU cores 0 and 1 highly loaded by a high volume of traffic whilst remaining cores are not heavily loaded
- CPU cores not equally loaded (average over time)


CoreXL tuning might be needed on CoreXL-enabled systems including Crossbeam X-Series.

Prime examples  are systems:
  • Which are utilizing the default configuration
  • Where high performance is required
  • On which only basic firewall and/or NAT functions are performed

Check Point R70 running on Crossbeam Systems X-Series APMs is configured in a similar way to a default R70 configuration running on a system with the same number of cores. That way, cores 0 and 1 for 8 core system (ie. APM-8650) are assigned to process incoming traffic. The traffic dispatcher processes are run on those cores whilst rest of cores are assigned to process traffic (ie. 6 cores: 2-7).
This core allocation provides better performance and full utilization of all the available system resources when SmartDefense/IPS security features or security servers are enabled.

Such a configuration may be optimal for majority of the customers. However, for those customers requiring high performance on systems providing only basic firewall functionality might observe problem symptoms as mentioned above (cores 0 and 1 loaded). The problem might be caused by a high volume of traffic as well as high number of small packets.


If the problem is known to be related to the fact that only cores 0 and 1 are effectively loaded by processed traffic, other cores might need to be assigned a) to process traffic and b) to get better average load across available CPU cores. Similar tuning might be needed if, over time, the average load between cores is not similar.

In order to enable other cores to process traffic, the sim affinity tool might need to be used. Also, the same tool might be used to release some cores from processing traffic (SXL).

Depending on the exact scenario, some or all other cores might need to be assigned and further tests with particular configurations may need to be performed. Utilization of the cores should be monitored over a longer period in a production environment in order to confirm that no anomalies are observed over time.

For performance tests where advanced security features are not utilized, static interrupt mapping to cores should be utilized and all cores should be enabled for traffic processing in order to achieve higher performance numbers.

For further information about ClusterXL configuration options, please refer to the Check Point documentation.