MultiCore Support for SSL
Solution

Table of Contents:

  • Introduction
  • Configuration
  • Limitations
  • Related Solutions

 

Introduction

Introduced in R77.20, the SSL MultiCore feature improves the SSL performance of a Security Gateway / VSX Gateway.

SSL MultiCore feature is based on Check Point CoreXL technology, which enhances Security Gateway / VSX Gateway performance by enabling the CPU processing cores to concurrently perform multiple tasks.
Note: For more information about CoreXL, refer to:

Up to R77.20, termination of SSL tunnels in general, and SNX tunnels in particular, was handled by a single CPU core only: CoreXL Firewall Instance 0.
With the SSL MultiCore feature, SSL traffic is distributed among all available CoreXL FW instances. This fully utilizes MultiCore capabilities and makes it possible to significantly increase SSL throughput for Multi Portals, Mobile Access Portal, SNX tunnels, VPN Mobile, etc.

For reference, Mobile Access Portal throughput increases with the SSL MultiCore feature:

  • By a factor of 2.8 on a 4800 appliance (configured with 3 CoreXL FW instances)
  • By a factor of 8.8 on a 12600 appliance (configured with 10 CoreXL FW instances)

Important Note:

HTTPS Inspection has utilized CoreXL since it was introduced.
No performance change is expected in HTTPS Inspection when the SSL MultiCore feature is enabled.

 

Configuration

SSL MultiCore feature is controlled on Security Gateway / VSX Gateway by the kernel parameter enable_ssl_multi_core:

Version         | Value of kernel parameter | Security Gateway behavior
----------------|---------------------------|--------------------------------------------------------
R80.10 / R80.20 | enable_ssl_multi_core=1   | This is the default. SSL MultiCore feature is enabled.
R80.10 / R80.20 | enable_ssl_multi_core=0   | SSL MultiCore feature is disabled.
R77.20 / R77.30 | enable_ssl_multi_core=0   | This is the default. SSL MultiCore feature is disabled.
R77.20 / R77.30 | enable_ssl_multi_core=1   | SSL MultiCore feature is enabled.

 

Important Note:

  • SSL MultiCore feature requires that a CoreXL license is installed on the Security Gateway / VSX Gateway and that CoreXL is enabled and configured.

 

R80.10 and higher:
MultiCore support for SSL and IPSec is already the default setting from R80.10 and higher.

Procedure for Security Gateway R77.20 / R77.30:

Note: In cluster environment, this procedure must be performed on all members of the cluster.

  • To check the current value of a kernel parameter:

    [Expert@HostName]# fw ctl get int enable_ssl_multi_core

  • To set the desired value for a kernel parameter on-the-fly:

    [Expert@HostName]# fw ctl set int enable_ssl_multi_core VALUE

  • To set the desired value for a kernel parameter permanently:

    Note: Follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

    For Gaia / SecurePlatform OS:

    1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):

      [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf

    2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

      [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf

    3. Add the following line (spaces are not allowed):

      enable_ssl_multi_core=VALUE

    4. Save the changes and exit from Vi editor.

    5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

      [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf

    6. Reboot the Security Gateway / VSX Gateway.
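
Steps 1 to 5 of the permanent procedure above can be scripted so that every cluster member ends up with an identical, correctly formatted line. This is an added example, not Check Point code; the helper names set_fwkern_param and check_fwkern are hypothetical, and it assumes a decimal integer value such as the 0 / 1 used for enable_ssl_multi_core.

```shell
#!/bin/bash
# Added example (not Check Point code). Hypothetical helpers that perform
# steps 1-5 without an editor. Assumes a decimal integer VALUE.

# Write NAME=VALUE into CONF, replacing an existing entry rather than
# appending a duplicate. Returns 1 on input that would break the format.
set_fwkern_param() {
    conf=$1; name=$2; value=$3
    # Step 3: spaces are not allowed, so accept only identifier=digits.
    case $name in ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;; esac
    case $value in ''|*[!0-9]*) return 1 ;; esac
    touch "$conf" || return 1                          # step 1
    if grep -q "^[[:space:]]*${name}[[:space:]]*=" "$conf"; then
        # Rewrite in place (also repairs an entry typed with spaces);
        # cat keeps the file's original owner and mode.
        sed "s/^[[:space:]]*${name}[[:space:]]*=.*/${name}=${value}/" \
            "$conf" > "$conf.tmp" || return 1
        cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    else
        printf '%s=%s\n' "$name" "$value" >> "$conf"   # step 3
    fi
}

# Step 5 as a check: succeed only if the file has exactly one entry for
# NAME and that line is exactly NAME=VALUE (no spaces, no duplicates).
check_fwkern() {
    conf=$1; name=$2; value=$3
    [ "$(grep -c "^[[:space:]]*${name}[[:space:]]*=" "$conf")" -eq 1 ] &&
        grep -qx "${name}=${value}" "$conf"
}

# Demo on a constructed file (not a real gateway config): an entry typed
# with spaces around "=" is normalised to the required form.
demo_conf=$(mktemp)
printf 'enable_ssl_multi_core = 0\n' > "$demo_conf"
set_fwkern_param "$demo_conf" enable_ssl_multi_core 1
check_fwkern "$demo_conf" enable_ssl_multi_core 1 && echo "fwkern.conf entry OK"
rm -f "$demo_conf"
```

On a gateway, pass "$FWDIR/boot/modules/fwkern.conf" as the first argument in Expert mode; the reboot in step 6 is still required.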

 

Limitations

The following SSL MultiCore limitations exist in versions R77.20 and R77.30. These limitations are not relevant to versions R80.10 and higher.

  1. SNX client to SNX client connectivity.

    SNX client to SNX client connectivity is not supported.

  2. SNX application mode. 
  3. VoIP Inspection

    If VoIP traffic is transferred over SNX tunnel, then VoIP inspection has to be disabled:

    1. Set the value of kernel parameter voip_multik_enable_forwarding to 0 (zero).
      Follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

    2. In case specific VoIP ports have to be used, open these specific ports (create the relevant services and create the relevant security rules that allow such traffic).
      Otherwise, open all UDP high ports.
      Refer to sk95369 (ATRG: VoIP).


  4. SNX Roaming

    SNX Roaming allows users to change their IP addresses during an active session (e.g., when changing Wi-Fi network).

    • Old connections limitation
      After SNX roaming, new connections inside the SNX tunnel will work, while old connections will be inactive.

    • Back connections are not supported after roaming.

 
