cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Abdu_Toku
Ivory

Disable CoreXL?

I have a R80.20 installation. Is it possible to disable    CoreXL for a performance test.

3 Replies

Re: Disable CoreXL?

Hi Abdu,

# fw ctl multik stop / start

or use

# cpconfig

Why you would disable CoreXL?

Regards

Heiko

0 Kudos
Admin
Admin

Re: Disable CoreXL?

I'm also curious why you want to do this.

Historically, there were a few reasons where CoreXL was effectively disabled or not supported.

Off the top of my head, the biggest reasons were:

  • QoS (fixed in R77.10)
  • Use of VTIs and/or Route-based VPN (fixed in R80.10)
  • Using only one processor core (doesn't make sense in this situation)

Re: Disable CoreXL?

One other situation that might be relevant in the context of performance and disabling CoreXL is a two-core firewall such as a 2200 or 4200.  2-core firewalls by default will have a split of 2/2 with overlapping SND/IRQ and Firewall Worker functions executing on the two available cores.  In some cases the overlap and additional coordination overhead involved between the 2 SND/IRQ instances and 2 Firewall Worker instances exceeds the gain provided from having CoreXL enabled at all. 

So as mentioned in my book, on a 2-core firewall with performance problems take a careful baseline of the CPU load during the firewall's typically busiest period, then try disabling CoreXL from cpconfig and rebooting.  The system will now run with just one SND/IRQ instance and one Firewall Worker instance on the 2 cores; disabling CoreXL in this specific case might improve performance, might hurt performance, or make very little difference.   Just have to try it...

Only other possibility I can think of would be an issue with the Dynamic Dispatcher when CoreXL is enabled.  I've never personally seen the Dynamic Dispatcher cause problems with applications or firewall traffic in general, but Check Point did add an officially-supported way to bypass the Dynamic Dispatcher for specific types of traffic in R80.20 (fw ctl multik add_bypass_port - in R77.30 and R80.10 this ability was undocumented).  Obviously if CoreXL is disabled there is no need for the Dynamic Dispatcher since there is only one Firewall Worker core.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com