
How does the Medium Path (PXL) and Content Inspection work with R80


What is the exact processing of the flow with CoreXL and SecureXL? How are the packets processed here?


Q: Why this question?
A: There are several articles in the forum that currently discuss this topic.


References to the articles:

Check Point Threat Prevention Packet Flow and Architecture - 09-04-2017 (Moti Sagey)

R80.x Security Gateway Architecture (Logical Packet Flow) - 07-28-2018 (Heiko Ankenbrand)

Simplified Packet Flow document - 08-06-2018 (Valeri Loukine)

Security Gateway Packet Flow and Acceleration - with Diagrams - 08-06-2018 (Valeri Loukine)


References to SK's:

SecureKnowledge: SecureXL 

SecureKnowledge: CoreXL 


To avoid confusing all users, I think we should clarify this in this article.

Thanks in advance


33 Replies

I realized it was a bit of a stretch when I mentioned it, and I completely understand that limits need to be placed or information overflow will occur.

And yes, the code base itself is for the most part not CP, so it's almost a fringe component in that regard as well.

With all that being said, it is also one of the single most significant tuning points that exist under load testing. Shifting cores between SXL and CXL along with their affinity is a majority of the tuning process on a 64k. Sans locating misconfigurations, policy optimization and undocumented features, it is the tuning process for 10GbE installations.

Given its importance, I had thought that noting its place in the chart might be worthy. As a logical diagram, I would only assume some leeway would be given to not require multiple cores.

I also understand the need for keeping it simple.



Sean Costello
Network Security Professional
SRC & Associates



I agree with Costello Sean on many points. I like the 61K/64K systems and I am happy if I get a project. If we talk about 64K systems, we get one more level into the game. We would also have to discuss the connection between SSM and SGM. This happens via Distribution Mode (dxl). After this statement we could talk about 64K tuning. Let's do this in the 64K section of this CheckMates forum. I think it's good! I think that would go beyond the scope of this article.


Timothy Hall has already mentioned some good points!



9) SoftIRQ run begins on SND/IRQ core

10) Process frames from ring buffer(s) and send to all registered receivers (i.e. SND, libpcap if tcpdump running)

11) Continue SoftIRQ run until all ring buffers are empty, maximum number of frames specified by net.core.netdev_budget (default 300) is reached, or two jiffies of time have elapsed

12) SoftIRQ run ends


But what happens next? We should get back to the original theme:

How does the Medium Path (PXL) and Content Inspection work?
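Step 11 above gives the conditions that end a SoftIRQ run. The following check is an added example, not part of the original post or of any Check Point tool: it reads the standard Linux `/proc/net/softnet_stat` layout (assumed here: one row per CPU, hex fields, rows in CPU order) and lists cores whose runs ended on the budget or time limit with frames still queued. The sample rows are constructed.

```shell
#!/bin/sh
# Added example: find SND/IRQ cores whose SoftIRQ runs end early.
# Input: /proc/net/softnet_stat format, one row per CPU, hex fields:
#   field 1 = frames processed
#   field 2 = frames dropped (per-CPU backlog queue full)
#   field 3 = time_squeeze: runs that stopped because net.core.netdev_budget
#             or the time limit was reached while work was still pending
# Assumption: row order matches CPU numbering (no offline CPUs).

# squeezed_cpus: reads rows on stdin and prints one line for every CPU
# with a non-zero dropped or time_squeeze counter.
squeezed_cpus() {
    cpu=0
    while read -r processed dropped squeezed _rest; do
        [ -n "$processed" ] || continue          # skip empty lines
        p=$((0x$processed))
        d=$((0x$dropped))
        s=$((0x$squeezed))
        if [ "$s" -gt 0 ] || [ "$d" -gt 0 ]; then
            echo "cpu$cpu processed=$p dropped=$d squeezed=$s"
        fi
        cpu=$((cpu + 1))
    done
}

# Constructed sample (not captured from a real gateway): four cores,
# cpu0 hits the budget/time limit, cpu1 overflows its backlog.
sample_softnet_stat() {
    cat <<'EOF'
000186a0 00000000 0000001b 00000000 00000000 00000000 00000000 00000000 00000000
0000c350 00000002 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00002710 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
000003e8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
EOF
}

sample_softnet_stat | squeezed_cpus
```

On a live system, run `squeezed_cpus < /proc/net/softnet_stat` twice a few seconds apart and compare: the counters are cumulative since boot, so only growth between the two readings indicates a current problem.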





It is possible to debug the PSL path with "fw ctl zdebug + tcpstr". I am not sure if you see 100% of the PXL path with this command.




Not 100%
One can see streaming decision and security decisions returned by the parsers