CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: SecureXL vs CoreXL

  1. #1
    Join Date
    2006-03-14
    Posts
    391
    Rep Power
    15

    SecureXL vs CoreXL

    When we execute cpconfig on R75.40 we have the following options.

    (7) Disable Check Point SecureXL
    (8) Configure Check Point CoreXL

    • SecureXL accelerates multiple intensive security operations
    • CoreXL multicore acceleration increases deep inspection throughput

    What exactly can we configure under CoreXL? When I select option 8, it can either enable or disable CoreXL.

    What are the recommendations?

  2. #2
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    12

    Re: SecureXL vs CoreXL

    Quote (originally posted by avilT):
    When we execute cpconfig on R75.40 we have the following options.

    (7) Disable Check Point SecureXL
    (8) Configure Check Point CoreXL

    • SecureXL accelerates multiple intensive security operations
    • CoreXL multicore acceleration increases deep inspection throughput

    What exactly can we configure under CoreXL? When I select option 8, it can either enable or disable CoreXL.

    What are the recommendations?

    Usually under the CoreXL option you can specify how many CPU cores you want to enable for firewall processing. I can't remember, but the appliances might not give you the option to configure; it may be just on/off. SecureXL I don't personally use, but there are a lot of people that need it if they have underpowered devices as their firewall.

  3. #3
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: SecureXL vs CoreXL

    Quote (originally posted by bmolnar):
    Usually under the CoreXL option you can specify how many CPU cores you want to enable for firewall processing. I can't remember, but the appliances might not give you the option to configure; it may be just on/off. SecureXL I don't personally use, but there are a lot of people that need it if they have underpowered devices as their firewall.

    Turning on CoreXL will break "passive" FTP traffic across your firewall for NGx R70, R71.10/.20/.30/.40/.45/.50 and R75, 75.10/.20.

  4. #4
    Join Date
    2010-02-09
    Location
    Tábor, Czech Republic
    Posts
    57
    Rep Power
    11

    Re: SecureXL vs CoreXL

    Quote (originally posted by avilT):
    What exactly can we configure under CoreXL? When I select option 8, it can either enable or disable CoreXL.

    Recently I was solving this with Check Point:
    - Our R&D strongly suggest NOT to use CoreXL when you have less than 4 cores, which means that with 2 cores you should not use CoreXL.

    I would guess that you have a two-core appliance - that's the reason why CoreXL can only be switched on or off.

    Best regards
    Ivan

  5. #5
    Join Date
    2006-03-14
    Posts
    391
    Rep Power
    15

    Re: SecureXL vs CoreXL

    I am currently using UTM appliances and replacing them with 2012 appliances, GAIA, R75.40.
    So to conclude, on the new appliances should I turn off both CoreXL and SecureXL?

  6. #6
    Join Date
    2010-02-09
    Location
    Tábor, Czech Republic
    Posts
    57
    Rep Power
    11

    Re: SecureXL vs CoreXL

    Quote (originally posted by avilT):
    I am currently using UTM appliances and replacing them with 2012 appliances, GAIA, R75.40.
    So to conclude, on the new appliances should I turn off both CoreXL and SecureXL?

    I can repeat what I got from Check Point:
    • Our R&D strongly suggest NOT to use CoreXL when you have less than 4 cores, which means that with 2 cores you should not use CoreXL - so in my opinion you should use CoreXL only from 4800 up
    • again according to Check Point - in order for SecureXL to work properly at least 80% of the traffic needs to be accelerated; if less than 80% of the traffic is accelerated, the SecureXL will cause more damage than good


    Best Regards
    Ivan

  7. #7
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    12

    Re: SecureXL vs CoreXL

    I'm surprised that R&D would say to disable CoreXL on a 2-core appliance. CoreXL would allow one CPU to handle IRQ processing from the NIC and the other CPU to do the 'firewalling'.

  8. #8
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    18

    Re: SecureXL vs CoreXL

    Quote (originally posted by bmolnar):
    I'm surprised that R&D would say to disable CoreXL on a 2-core appliance. CoreXL would allow one CPU to handle IRQ processing from the NIC and the other CPU to do the 'firewalling'.

    That is the advice that I have received in the past as well:

    2 Core Device = SecureXL
    4 or more Cores = CoreXL

    SecureXL will apparently do just as good a job of using the 2 cores as CoreXL and you don't have the configuration work.

  9. #9
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: SecureXL vs CoreXL

    Quote (originally posted by mcnallym):
    That is the advice that I have received in the past as well:

    2 Core Device = SecureXL
    4 or more Cores = CoreXL

    SecureXL will apparently do just as good a job of using the 2 cores as CoreXL and you don't have the configuration work.

    I wonder how many of those Check Point TAC engineers actually have been in a daily operational role to advise folks to turn ON SecureXL.

    More often than not, SecureXL will create more headaches than the benefits it provides. Really stupid advice.

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Re: SecureXL vs CoreXL

    As far as I know from the discussions I've had with R&D, enabling CoreXL has some overhead. On a two core box, this overhead basically nullifies any benefit of enabling CoreXL, thus why it is off by default on two-core boxes. There's probably an edge case or two where it will help on two core boxes, thus why we allow it to be enabled.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  11. #11
    Join Date
    2008-09-30
    Posts
    31
    Rep Power
    0

    Re: SecureXL vs CoreXL

    Our experience so far from Fishnet and CP support is to turn on SecureXL. We use open servers and have used CoreXL for some time. We ran this way for several months at one location without any issues so far. However, recently we had issues at another location with an FTP transfer. It was running twice as slow as normal. Lots of retransmits. Sniffer captures on both sides of the firewall showed that packets were not making it all the way through the firewall. Support had us turn on SecureXL queuing (sk75100). We still need to work with support to investigate further as to why. The cause for this sk is listed as "The interfaces are busy and cannot accept packets coming from the SecureXL module". The box having issues is 8-core (5/3 split), 8G RAM, HP quad Gig cards, with SecureXL running. CP version is Gaia 64-bit R75.45. What is interesting is that the issue would occur during our off-peak hours. The box by all means did not appear 'busy' at all. Interface utilization was very low. SoftIRQs were low, and the CPUs assigned to NICs were not utilized much either.

    Overall the consensus on all of our clusters from support has been turn on SecureXL. All open servers though.
