The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
CoreXL Known Limitations
R76, R77, R77.10, R77.20, R77.30, R80.10, R80.20
Gaia, SecurePlatform, SecurePlatform 2.6, IPSO 6.2, Crossbeam COS, Crossbeam XOS
Platform / Model
Show more details
Show less details
There is no upgrade path for "NGX R65 CoreXL LA". Perform a clean installation of any version R70 and above.
It is not possible to upgrade Power-1 appliances that run with "R65 CoreXL" image. It is necessary to "Restore to Factory Defaults" and choose the non-CoreXL R65 image. Only then, the upgrade can be performed. After upgrade, CoreXL can be enabled via "cpconfig" menu.
3rd party clusters are not supported. Note: IPSO OS with Check Point R70 version and above fully supports CoreXL.
Connections will be dropped during any ClusterXL upgrade method (including "Full Connectivity Upgrade"; refer to sk107042) if the number of CoreXL FW instances is different on cluster members. Before starting any upgrade, configure the same number of CoreXL FW instances on all cluster members. In addition, refer to sk42096 - Cluster member is stuck in 'Ready' state.
CoreXL is supported on StandAlone machine only from R70 and above.
It is strongly recommended to disable Hyper-Threading in BIOS when CoreXL is enabled (on Check Point appliances this is disabled, by default). Applies to Intel processors prior to "Intel Nehalem (Core i7)", where this technology was improved (called Simultaneous Multi-Threading, or Intel® Hyper-Threading)
The following features/settings are not supported in CoreXL:
Check Point QoS (Quality of Service) (1)
'Traffic View' in SmartView Monitor (2) (all other views are available)
If any of the above features/settings is enabled/configured in SmartDashboard, then CoreXL acceleration will be automatically disabled on the Gateway (while CoreXL is still enabled). In order to preserve consistent configuration, before enabling one of the unsupported features, deactivate CoreXL via "cpconfig" menu and reboot the Gateway (in cluster setup, CoreXL should be deactivated on all members).
Supported in R77.20 with Take_169 of R77.20 Jumbo Hotfix and with MultiCore VPN Hotfix (contact Check Point Solution Center) Supported in R80.10 by default (due to integrated MultiCore VPN - sk118097) Important Note: MultiCore VPN Hotfix is not available for R77.30
6in4 traffic is always processed by the global CoreXL FW instance #0 (fw_worker_0)
Supported by default in R80.10 (due to integrated MultiCore VPN)
In Security Gateways R77.30 and lower, when CoreXL is enabled, VPN traffic inspection occurs only in global CoreXL FW instance #0 (fw_worker_0). By design, global CoreXL FW instance #0 (fw_worker_0) always runs on the CPU core with highest ID (as allowed by the current CoreXL license).
Note: Starting in R80.10, VPN Multi-Core feature allows CoreXL to inspect VPN traffic on all CoreXL FW instances. Refer to sk118097.
In Security Gateways R77.30 and lower, when CoreXL is enabled, VoIP control connections are processed only in global CoreXL FW instance #0 (fw_worker_0). By design, global CoreXL FW instance #0 (fw_worker_0) always runs on the CPU core with highest ID (as allowed by the current CoreXL license).