Introduced in R77.20, the SSL MultiCore feature improves the SSL performance of Security Gateway / VSX Gateway.
The SSL MultiCore feature is based on Check Point CoreXL technology, which enhances Security Gateway / VSX Gateway performance by enabling the CPU processing cores to perform multiple tasks concurrently.
Note: For more information about CoreXL, refer to:
Up to R77.20, termination of SSL tunnels in general, and of SNX tunnels in particular, was handled by a single CPU core: CoreXL Firewall Instance 0.
With the SSL MultiCore feature, SSL traffic is distributed among all available CoreXL FW instances. This fully utilizes MultiCore capabilities and significantly increases SSL throughput for Multi Portals, Mobile Access Portal, SNX tunnels, VPN Mobile, etc.
For reference, Mobile Access Portal throughput is increased with the SSL MultiCore feature:
- By a factor of 2.8 on a 4800 appliance (configured with 3 CoreXL FW instances)
- By a factor of 8.8 on a 12600 appliance (configured with 10 CoreXL FW instances)
HTTPS Inspection has utilized CoreXL since it was introduced.
No performance change is expected in HTTPS Inspection when the SSL MultiCore feature is enabled.
The SSL MultiCore feature is controlled on Security Gateway / VSX Gateway by the kernel parameter enable_ssl_multi_core:
| Version | Value of kernel parameter | Security Gateway behavior |
|---|---|---|
| R80.10 / R80.20 | | This is the default. SSL MultiCore feature is enabled. |
| | | SSL MultiCore feature is disabled. |
| R77.20 / R77.30 | | This is the default. SSL MultiCore feature is disabled. |
| | | SSL MultiCore feature is enabled. |
- The SSL MultiCore feature requires that a CoreXL license is installed on the Security Gateway / VSX Gateway, and that CoreXL is enabled and configured.
R80.10 and higher:
MultiCore support for SSL and IPSec is the default setting in R80.10 and higher.
Procedure for Security Gateway R77.20 / R77.30:
Note: In a cluster environment, this procedure must be performed on all members of the cluster.
To check the current value of a kernel parameter:
[Expert@HostName]# fw ctl get int enable_ssl_multi_core
To set the desired value for a kernel parameter on-the-fly:
[Expert@HostName]# fw ctl set int enable_ssl_multi_core VALUE
To set the desired value for a kernel parameter permanently:
Note: Follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).
For Gaia / SecurePlatform OS:
- Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):
[Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
- Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:
[Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
- Add the following line (spaces are not allowed):
- Save the changes and exit from Vi editor.
- Check the contents of the $FWDIR/boot/modules/fwkern.conf file:
[Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
- Reboot the Security Gateway / VSX Gateway.
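One way to script the permanent-setting steps above so that repeated runs leave exactly one entry for the parameter (an added example, not Check Point's own tooling). The helper names set_kernel_param and get_persisted_param, the other_param entry and the temporary file standing in for $FWDIR/boot/modules/fwkern.conf are assumptions; the name=value line form is the fwkern.conf format described in sk26202.

```shell
#!/bin/sh
# Added example: persist one kernel parameter in fwkern.conf, idempotently.
# set_kernel_param / get_persisted_param are hypothetical helper names.

# Usage: set_kernel_param FILE NAME VALUE
set_kernel_param() {
    conf=$1 name=$2 value=$3
    # The line must contain no spaces, so refuse anything but NAME=INTEGER.
    case $name in ''|*[!A-Za-z0-9_]*) echo "bad name: '$name'" >&2; return 1 ;; esac
    case $value in ''|*[!0-9]*) echo "bad value: '$value'" >&2; return 1 ;; esac
    [ -e "$conf" ] || touch "$conf" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Drop every existing entry for NAME, including ones written with stray
    # spaces around '=', keep all other lines, then append one clean entry.
    awk -v n="$name" '{
        line = $0
        sub(/^[ \t]+/, "", line)
        split(line, kv, /[ \t]*=/)
        if (kv[1] != n) print $0
    }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: get_persisted_param FILE NAME  (prints the value; fails if absent)
get_persisted_param() {
    awk -F= -v n="$2" '$1 == n { v = $2 } END { if (v == "") exit 1; print v }' "$1"
}

# Constructed sample standing in for $FWDIR/boot/modules/fwkern.conf.
demo=$(mktemp -d)
printf 'other_param=5\nenable_ssl_multi_core = 0\n' > "$demo/fwkern.conf"
set_kernel_param "$demo/fwkern.conf" enable_ssl_multi_core 1
cat "$demo/fwkern.conf"
rm -rf "$demo"
```

On a gateway, pass $FWDIR/boot/modules/fwkern.conf as FILE; the persisted value still takes effect only after the reboot in the last step, and in a cluster the same change is needed on every member.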
The following SSL MultiCore limitations exist in versions R77.20 and R77.30. These limitations are not relevant to versions R80.10 and higher.
- SNX client to SNX client connectivity is not supported.
- SNX application mode.
If VoIP traffic is transferred over SNX tunnel, then VoIP inspection has to be disabled:
- Set the value of kernel parameter voip_multik_enable_forwarding to 0 (zero).
Follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).
- If specific VoIP ports have to be used, open these specific ports (create the relevant services and the relevant security rules that allow such traffic).
Otherwise, open all UDP high ports.
Refer to sk95369 (ATRG: VoIP).
SNX Roaming allows users to change their IP addresses during an active session (e.g., when changing Wi-Fi network).
- Old connections limitation
After SNX roaming, new connections inside the SNX tunnel will work, while old connections will be inactive.
- Back connections are not supported after roaming.