Important - This article applies only to Security Gateway versions R80.30 and lower.
ID
Symptoms
-
There is no upgrade path for "NGX R65 CoreXL LA". Perform a clean installation of any version R70 and higher.
00426948
It is not possible to upgrade Power-1 appliances that run with "R65 CoreXL" image. It is necessary to "Restore to Factory Defaults" and choose the non-CoreXL R65 image. Only then, the upgrade can be performed. After upgrade, CoreXL can be enabled via "cpconfig" menu.
-
3rd party clusters are not supported. Note: IPSO OS with Check Point R70 version and higher fully supports CoreXL.
00417896
Connections will be dropped during any ClusterXL upgrade method (including "Full Connectivity Upgrade"; refer to sk107042) if the number of CoreXL FW instances is different on cluster members. Before starting any upgrade, configure the same number of CoreXL FW instances on all cluster members. In addition, refer to sk42096 - Cluster member is stuck in 'Ready' state.
-
CoreXL is supported on StandAlone machine starting from R70.
00417888
These features/settings are not supported in CoreXL:
Limitation
Comments
Check Point QoS (Quality of Service)
Supported by default in R77.10 and higher (refer to sk98229)
'Traffic View' in SmartView Monitor
All other views are available.
Supported by default in R80.10 and higher (because the MultiCore VPN is integrated - sk118097)
Supported in R77.20 with Take_169 of R77.20 Jumbo Hotfix and with MultiCore VPN Hotfix (contact Check Point Solution Center). Important Note: MultiCore VPN Hotfix is not available for the R77.30 version.
Route-based VPN
Supported by default in R75.40 and higher (refer to sk76800 and to sk105886)
IP Pool NAT
Supported by default in R75.40 and higher - only on Gaia / SecurePlatform / XOS
6in4 traffic is always processed by the global CoreXL FW instance #0 (fw_worker_0)
VoIP SIP traffic
VoIP SIP traffic is always processed by the global CoreXL FW instance #0 (fw_worker_0)
If any of the above features/settings is enabled/configured in SmartDashboard, then CoreXL acceleration will be automatically disabled on the Security Gateway (while CoreXL is still enabled). To preserve consistent configuration, before enabling one of the unsupported features, deactivate CoreXL via "cpconfig" menu and reboot the Security Gateway (in cluster setup, CoreXL should be deactivated on all members).
-
In Security Gateways R77.30 and lower, when CoreXL is enabled, VPN traffic inspection occurs only in global CoreXL FW instance #0 (fw_worker_0). By design, global CoreXL FW instance #0 (fw_worker_0) always runs on the CPU core with highest ID (as allowed by the current CoreXL license).
Note: Starting in R80.10, VPN Multi-Core feature allows CoreXL to inspect VPN traffic on all CoreXL FW instances. Refer to sk118097.
-
In Security Gateways R77.30 and lower, when CoreXL is enabled, VoIP control connections are processed only in global CoreXL FW instance #0 (fw_worker_0). By design, global CoreXL FW instance #0 (fw_worker_0) always runs on the CPU core with highest ID (as allowed by the current CoreXL license).
-
Maxumal number of CoreXL FW instances is limited. Refer to sk98737 - ATRG: CoreXL - section "Architecture". Still relevant for R80.40.
