Thanks Tim, thanks Heiko,
That pretty much confirms what I had thought. It's not optimal with two cores (and 4GB) but with a bit of monitoring and analysis there may be options for tuning. Also the use of QoS should be reviewed to determine if it is required.
Unfortunately it's not easy to jump between versions (R80.10, .20 and .30) just to see/test how each one behaves in the customer solution. In this case I say that because of the significant changes between each of the three latest versions and how it could have different effects on the performance.
So ideally CP can share what they think is optimal for a two core solution considering the three versions and the differences.
That is relevant because the 4200 (and many other two core solutions) are out there with 3 years of life left in them (at least) and customers cannot always refresh the hardware quickly and easily, in the real world.
For reference, here are some of the notes I made:
SecureXL would indeed need to be turned off in cpconfig if QoS was enabled. In R77 QoS is also not compatible with CoreXL and that would explain that being turned off permanently too.
If QoS is not needed then CoreXL and SecureXL may assist with accelerating the traffic throughput on the 4200.
Did you see the lifecycle page for that appliance? It's an older appliance now, relatively speaking.
It has three years of life left but only one where software releases are supported for it.
https://www.checkpoint.com/support-services/support-life-cycle-policy/
The CoreXL for dual core is not ideal but at least uses both cores and SecureXL can work with it too.
The default is to have two kernel instances but the two CPU cores also support the SND software instance.
That does mean more power across the interfaces for dealing with traffic coming in for rulebase matching or acceleration.
Maybe it can take R80.20 and that could help but it's a big difference for SecureXL, which has the fast path in the software from R80.20 (and not in layer 2). But maybe that would mean R80.10 would be better to offer CoreXL with QoS.
I don't have experience with that setup and could lab test it (in a VM).
Otherwise a hardware refresh would of course allow for R80.20 or R80.30 to shine.
https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_PerformanceTuning_AdminGuide...
"The SND is responsible for:
Processing incoming traffic from the network interfaces
Securely accelerating authorized packets (if Performance Pack is running)
Distributing non-accelerated packets among kernel instances."
"... However, it is necessary for the SND and an instance to share a core when using a machine with exactly two cores."