Check Point CoreXL & SecureXL
CoreXL enables the distribution of traffic inspection across multiple CPU cores, improving scalability and efficiency. SecureXL, on the other hand, accelerates packet handling by offloading connections from the firewall kernel to a fast path, significantly boosting throughput. Together, they ensure the firewall can handle high volumes of traffic without compromising security or performance.
CoreXL
CoreXL works by assigning multiple firewall instances (fw instances) across different CPU cores, allowing traffic inspection tasks to be processed in parallel. Instead of all traffic going through a single core, each instance handles its share of connections.
Here we have a VSX Gateway with 1 VS, with CoreXL disabled.
To stress-test the firewall, we run the iperf3 tool to initiate 120 parallel UDP connections with 5G bandwidth for 60 seconds:
iperf3 -c 10.31.100.10 -u -b 5G -t 60 -P 120
While the tool is running, ‘top -H’ shows that CPU utilization is heavy only on Core 0 while the other 3 cores are idle, and only 1 Firewall Worker (fwk 0) is running on that single core.
Running ‘cpview’ also shows that only one core is currently working and that it is overloaded.
To relieve the stress on the single CPU core, let's enable CoreXL in ‘cpconfig’ on VS0.
Then increase the core number for the VS in SmartConsole.
Now we can see that CoreXL is enabled with 3 CPU cores
If we run another performance test using iperf3, ‘top -H’ shows that the CPU load is evenly distributed across all 3 cores and that we have a total of 3 Firewall Workers (fwk 0, 1 & 2).
Running ‘cpview’ also shows that the load is now shared across multiple CPUs, confirming that CoreXL is doing its job of parallelizing the traffic load across multiple cores.
SecureXL
SecureXL is a performance optimization technology that accelerates traffic handling by offloading connections from the firewall kernel to the acceleration layer. Once a connection is fully inspected and deemed safe, SecureXL creates a fast path for subsequent packets, bypassing deep inspection while still enforcing security rules. This reduces latency, lowers CPU usage, and significantly improves throughput, especially for high-volume or repetitive traffic.
First, let's run a lot of traffic while SecureXL is disabled. We can see that 100% of the traffic goes via the slow path, F2F (Forwarding to Firewall), and the fwaccel connection table is empty, meaning no fast-path acceleration is taking place.
Now let's reset the stats and enable SecureXL.
If we run the traffic again, we can see that the fwaccel connection table is now filled with accelerated traffic.
Running ‘fwaccel stats -s’ shows that 100% of conns are offloaded to SecureXL and 93% of the packets are accelerated via the fast path, leaving only around 6% of packets going via the slow path, which significantly lowers CPU load and increases performance.
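The slow-path check above can be scripted. The following is an added example, not part of the original article: a shell function that grades ‘fwaccel stats -s’ output by its F2F share and handles the freshly reset, all-zero case. The line layout, the constructed sample counts and the 20% default threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): grade `fwaccel stats -s` output.
# Assumed line layout: "<label> : <count>/<total> (<pct>%)".

# Constructed samples; counts are invented to mirror the article's percentages.
sample_enabled() { cat <<'EOF'
Accelerated conns/Total conns : 120/120 (100%)
Accelerated pkts/Total pkts   : 9300000/10000000 (93%)
F2Fed pkts/Total pkts         : 600000/10000000 (6%)
EOF
}
sample_disabled() { cat <<'EOF'
Accelerated conns/Total conns : 0/120 (0%)
Accelerated pkts/Total pkts   : 0/10000000 (0%)
F2Fed pkts/Total pkts         : 10000000/10000000 (100%)
EOF
}
sample_reset() { cat <<'EOF'
Accelerated conns/Total conns : 0/0 (0%)
Accelerated pkts/Total pkts   : 0/0 (0%)
F2Fed pkts/Total pkts         : 0/0 (0%)
EOF
}

# sxl_verdict [max_f2f_pct]: reads the stats on stdin, prints one verdict word.
# Exit status: 0 OK/NO_TRAFFIC, 1 HIGH_F2F, 2 NOT_ACCELERATING, 3 UNPARSED.
# On a gateway: fwaccel stats -s | sxl_verdict 20
sxl_verdict() {
  awk -v max="${1:-20}" '
    {
      i = index($0, ":"); if (i == 0) next
      label = substr($0, 1, i - 1); sub(/[ \t]+$/, "", label)
      val = substr($0, i + 1);      sub(/^[ \t]+/, "", val)
      split(val, p, "[/ ]")          # "120/120 (100%)" -> p[1]=120, p[2]=120
      num[label] = p[1] + 0; den[label] = p[2] + 0
    }
    END {
      c = "Accelerated conns/Total conns"; f = "F2Fed pkts/Total pkts"
      if (!(c in den) || !(f in den)) { print "UNPARSED"; exit 3 }
      if (den[f] == 0) { print "NO_TRAFFIC"; exit 0 }        # counters just reset
      if (num[c] == 0) { print "NOT_ACCELERATING"; exit 2 }  # nothing offloaded
      if (100 * num[f] / den[f] > max) { print "HIGH_F2F"; exit 1 }
      print "OK"
    }'
}
```

The ratio is computed from the raw counts rather than the rounded percentage, so a threshold close to the real value is not skewed by rounding.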













