Support Center > Search Results > SecureKnowledge Details
CoreXL Known Limitations
Solution
ID Symptoms
- There is no upgrade path for "NGX R65 CoreXL LA". Perform a clean installation of any version R70 and above.
00426948 It is not possible to upgrade Power-1 appliances that run with "R65 CoreXL" image. It is necessary to "Restore to Factory Defaults" and choose the non-CoreXL R65 image. Only then, the upgrade can be performed. After upgrade, CoreXL can be enabled via "cpconfig" menu.
- 3rd party clusters are not supported.
Note: IPSO OS with Check Point R70 version and above fully supports CoreXL.
00417896

Connections will be dropped during any ClusterXL upgrade method (including "Full Connectivity Upgrade"; refer to sk107042) if the number of CoreXL FW instances is different on cluster members. Before starting any upgrade, configure the same number of CoreXL FW instances on all cluster members. In addition, refer to sk42096 - Cluster member is stuck in 'Ready' state.

-

CoreXL is supported on StandAlone machine only from R70 and above.

00421176 It is strongly recommended to disable Hyper-Threading in BIOS when CoreXL is enabled (on Check Point appliances this is disabled, by default). Applies to Intel processors prior to "Intel Nehalem (Core i7)", where this technology was improved (called Simultaneous Multi-Threading, or IntelĀ® Hyper-Threading)
00417888 The following features/settings are not supported in CoreXL:
  1. Check Point QoS (Quality of Service) (1)
  2. 'Traffic View' in SmartView Monitor (2) (all other views are available)
  3. Route-based VPN (3)
  4. IP Pool NAT (4)
  5. IPv6 (5)
  6. Firewall-1 GX (6)
  7. Overlapping NAT
  8. SMTP Resource (3)
  9. VPN Traditional Mode
  10. Virtual Tunnel Interface (VTI) (8)
  11. 6in4 traffic (7)

If any of the above features/settings is enabled/configured in SmartDashboard, then CoreXL acceleration will be automatically disabled on the Gateway (while CoreXL is still enabled). In order to preserve consistent configuration, before enabling one of the unsupported features, deactivate CoreXL via "cpconfig" menu and reboot the Gateway (in cluster setup, CoreXL should be deactivated on all members).

Notes:
  1. Supported in R77.10 and above (refer to sk98229)
  2. Supported in R75.30 and above
  3. Supported in R77.20 with Take_169 of R77.20 Jumbo Hotfix and with MultiCore VPN Hotfix (contact Check Point Solution Center)
    Supported in R80.10 by default (due to integrated MultiCore VPN - sk118097)
    Important Note: MultiCore VPN Hotfix is not available for R77.30
  4. Supported in R75.40 and above (refer to sk76800 and to sk105886)
  5. Supported in R75.40 and above on Gaia/SecurePlatform/XOS only
  6. Requires LTE Hotfix (R75.40VS - sk91621, sk92808; R76 - sk95768, R77.10 - sk100446)
  7. 6in4 traffic is always processed by the global CoreXL FW instance #0 (fw_worker_0)
  8. Supported by default in R80.10 (due to integrated MultiCore VPN)
-

In Security Gateways R77.30 and lower, when CoreXL is enabled, VPN traffic inspection occurs only in global CoreXL FW instance #0 (fw_worker_0). By design, global CoreXL FW instance #0 (fw_worker_0) always runs on the CPU core with highest ID (as allowed by the current CoreXL license).

Note: Starting in R80.10, VPN Multi-Core feature allows CoreXL to inspect VPN traffic on all CoreXL FW instances. Refer to sk118097.

- In Security Gateways R77.30 and lower, when CoreXL is enabled, VoIP control connections are processed only in global CoreXL FW instance #0 (fw_worker_0). By design, global CoreXL FW instance #0 (fw_worker_0) always runs on the CPU core with highest ID (as allowed by the current CoreXL license).
- Maxumal number of CoreXL FW instances is limited.
Refer to sk98737 - ATRG: CoreXL - section "Architecture".

 

Related documentation:

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment