I have a R80.20 installation. Is it possible to disable CoreXL for a performance test.
# fw ctl multik stop / start
Why you would disable CoreXL?
I'm also curious why you want to do this.
Historically, there were a few reasons where CoreXL was effectively disabled or not supported.
Off the top of my head, the biggest reasons were:
One other situation that might be relevant in the context of performance and disabling CoreXL is a two-core firewall such as a 2200 or 4200. 2-core firewalls by default will have a split of 2/2 with overlapping SND/IRQ and Firewall Worker functions executing on the two available cores. In some cases the overlap and additional coordination overhead involved between the 2 SND/IRQ instances and 2 Firewall Worker instances exceeds the gain provided from having CoreXL enabled at all.
So as mentioned in my book, on a 2-core firewall with performance problems take a careful baseline of the CPU load during the firewall's typically busiest period, then try disabling CoreXL from cpconfig and rebooting. The system will now run with just one SND/IRQ instance and one Firewall Worker instance on the 2 cores; disabling CoreXL in this specific case might improve performance, might hurt performance, or make very little difference. Just have to try it...
Only other possibility I can think of would be an issue with the Dynamic Dispatcher when CoreXL is enabled. I've never personally seen the Dynamic Dispatcher cause problems with applications or firewall traffic in general, but Check Point did add an officially-supported way to bypass the Dynamic Dispatcher for specific types of traffic in R80.20 (fw ctl multik add_bypass_port - in R77.30 and R80.10 this ability was undocumented). Obviously if CoreXL is disabled there is no need for the Dynamic Dispatcher since there is only one Firewall Worker core.
-- Second Edition of my "Max Power" Firewall Book Now Available at http://www.maxpowerfirewalls.com
Retrieving data ...