Checkpoint CoreXL: Part-1

  • CoreXL is a performance-enhancing technology for Security Gateways on platforms with multiple CPU cores.
  • CoreXL improves Security Gateway performance by letting several CPU cores perform firewall processing tasks concurrently.
  • CoreXL was first introduced in R65, on the Linux 2.6 kernel.
  • Packet processing steps before CoreXL:
  • [diagram: checkpoint-cpu]
  • When a packet arrives at CPU1, that CPU runs the firewall (FW) code.
  • The first step is to take the lock on the firewall code.
  • Once the lock is held, the packet is processed through fwchain_do.
  • Once the firewall has processed the packet, the lock is released and the packet is forwarded.
  • The whole cycle is repeated for every packet that comes in.
  • The concern here is that there is only one copy of the firewall code, protected by a single lock, so only one packet can be inside the firewall at a time; the next packet cannot be processed until the current one has finished.
  • To better understand this, consider a gateway with two CPUs, as shown below.
  • [diagram: core-xl]
  • When the first packet reaches CPU1, the FW code gets locked and CPU1 processes the packet. If a second packet now arrives at CPU0, CPU0 cannot process it until CPU1 has finished with the FW code and released the lock.
  • To overcome this issue, Checkpoint introduced two components:
  • 1. Firewall kernel instances
  • 2. Dispatcher
  • [diagram: corexl-3]
  • As you can see in the above diagram, both firewall kernel instances run the same policy (the same FW code); each instance is an independent copy, so the two no longer wait on a single shared lock.
  • Now two packets can be processed at the same time, one by each firewall instance.
  • Checkpoint also introduced the dispatcher, which decides where each packet is sent: to the instance on CPU-1 or the one on CPU-0. The dispatcher runs on its own CPU core, separate from the firewall instances.
  • The advantage of CoreXL is that multiple cores execute the firewall code in parallel. An example is shown below.
  • [diagram: corexl-4]
  • The dispatcher acts as a load balancer, distributing traffic across the firewall instances.
  • A global dispatch table records which instance owns each connection, so the dispatcher can send every packet of a connection, in both directions, to the instance that holds its state. If a packet is delivered to the wrong FW instance, that instance has no state for the connection and you will see out-of-state drops (errors).
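The dispatch-table and out-of-state behaviour described above, as an added example that is not Check Point's code and is not from the original post: a small Python model with two firewall kernel instances behind one dispatcher. Each instance carries the same policy but its own connection table; the dispatcher keeps a global dispatch table keyed on the connection so that a request and its reply reach the same instance, and the example then hands the reply to the other instance to show the out-of-state drop. The instance names, the crc32-based balancing, the policy as a set of (dst, dport) pairs and the sample packets are all assumptions for illustration, not CoreXL internals.

```python
# Added example, not Check Point code: a toy model of the CoreXL dispatcher and
# global dispatch table. Instance names, the crc32-based balancing, the policy
# representation and the sample packets are all assumptions for illustration.
from dataclasses import dataclass
import zlib


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a TCP connection


def conn_key(pkt):
    """Direction-independent connection key, so that the client->server packet
    and the server->client reply map to the same entry."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class FirewallInstance:
    """One firewall kernel instance: same policy as every other instance,
    but its own connection (state) table."""

    def __init__(self, name, policy):
        self.name = name
        self.policy = policy          # allowed (dst, dport) pairs, shared by all instances
        self.connections = set()      # connection table private to this instance

    def process(self, pkt):
        key = conn_key(pkt)
        if key in self.connections:
            return "accept"                      # known connection, stateful match
        if pkt.syn and (pkt.dst, pkt.dport) in self.policy:
            self.connections.add(key)            # policy allows a new connection
            return "accept (new connection)"
        # Neither a known connection nor a permitted first packet: the packet
        # belongs to a connection whose state this instance does not hold.
        return "drop: out of state"


class Dispatcher:
    """Runs on its own core; owns the global dispatch table and hands each
    packet to exactly one firewall instance."""

    def __init__(self, instances):
        self.instances = instances
        self.table = {}   # global dispatch table: conn_key -> instance index

    def pick(self, pkt):
        key = conn_key(pkt)
        if key not in self.table:
            # New connection: pick an instance by hashing the key (load balancing).
            # crc32 is deterministic, unlike Python's salted hash().
            self.table[key] = zlib.crc32(repr(key).encode()) % len(self.instances)
        return self.instances[self.table[key]]

    def dispatch(self, pkt):
        inst = self.pick(pkt)
        return inst.name, inst.process(pkt)


def build_gateway(num_instances=2):
    """Firewall instances behind one dispatcher; constructed policy allows HTTPS to 10.0.0.5."""
    policy = {("10.0.0.5", 443)}
    instances = [FirewallInstance(f"fw_{i}", policy) for i in range(num_instances)]
    return Dispatcher(instances)


def demo():
    """Walk one connection through the dispatcher and show the failure mode."""
    gw = build_gateway()
    # Constructed sample packets: client 192.168.1.10 opens HTTPS to 10.0.0.5.
    syn = Packet("192.168.1.10", 40000, "10.0.0.5", 443, syn=True)
    reply = Packet("10.0.0.5", 443, "192.168.1.10", 40000)
    stray = Packet("198.51.100.7", 5555, "10.0.0.5", 443)   # mid-stream packet, never seen

    owner, first = gw.dispatch(syn)          # new connection, table entry created
    owner2, second = gw.dispatch(reply)      # reply lands on the same instance
    other = next(i for i in gw.instances if i.name != owner)
    wrong = other.process(reply)             # same packet delivered to the wrong instance
    _, stray_result = gw.dispatch(stray)     # no instance holds state for this connection

    return {
        "same_instance": owner == owner2,
        "first": first,
        "second": second,
        "wrong_instance": wrong,
        "stray": stray_result,
    }


def spread(num_connections=100):
    """Count how many new connections each instance receives."""
    gw = build_gateway()
    counts = {inst.name: 0 for inst in gw.instances}
    for port in range(40000, 40000 + num_connections):
        name, _ = gw.dispatch(Packet("192.168.1.10", port, "10.0.0.5", 443, syn=True))
        counts[name] += 1
    return counts


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("connections per instance:", spread())
```

Run it directly to print the results. The point to notice is that the policy is identical on both instances, so the drop on the wrong instance is purely a state problem; that is why a misdispatched packet shows up as out-of-state rather than as a rule mismatch.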