This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Abdu_Toku
Explorer
‎2018-12-09 12:03 PM

Disable CoreXL?

I have a R80.20 installation. Is it possible to disable    CoreXL for a performance test.

3 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2018-12-09 12:08 PM

Hi Abdu,

# fw ctl multik stop / start

or use

# cpconfig

Why you would disable CoreXL?

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-09 07:47 PM

I'm also curious why you want to do this.

Historically, there were a few reasons where CoreXL was effectively disabled or not supported.

Off the top of my head, the biggest reasons were:

  • QoS (fixed in R77.10)
  • Use of VTIs and/or Route-based VPN (fixed in R80.10)
  • Using only one processor core (doesn't make sense in this situation)
Timothy_Hall
Legend Legend
Legend
‎2018-12-10 05:25 AM
In response to PhoneBoy

One other situation that might be relevant in the context of performance and disabling CoreXL is a two-core firewall such as a 2200 or 4200.  2-core firewalls by default will have a split of 2/2 with overlapping SND/IRQ and Firewall Worker functions executing on the two available cores.  In some cases the overlap and additional coordination overhead involved between the 2 SND/IRQ instances and 2 Firewall Worker instances exceeds the gain provided from having CoreXL enabled at all. 

So as mentioned in my book, on a 2-core firewall with performance problems take a careful baseline of the CPU load during the firewall's typically busiest period, then try disabling CoreXL from cpconfig and rebooting.  The system will now run with just one SND/IRQ instance and one Firewall Worker instance on the 2 cores; disabling CoreXL in this specific case might improve performance, might hurt performance, or make very little difference.   Just have to try it...

Only other possibility I can think of would be an issue with the Dynamic Dispatcher when CoreXL is enabled.  I've never personally seen the Dynamic Dispatcher cause problems with applications or firewall traffic in general, but Check Point did add an officially-supported way to bypass the Dynamic Dispatcher for specific types of traffic in R80.20 (fw ctl multik add_bypass_port - in R77.30 and R80.10 this ability was undocumented).  Obviously if CoreXL is disabled there is no need for the Dynamic Dispatcher since there is only one Firewall Worker core.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top