topic Re: Checkpoint Gateway Physical cores and fw workers in Firewall and Security Management

Check Point Gateway Cores and FW Workers

Neil_ARZ — Sat, 27 Jul 2019 00:38:02 GMT

Hi Checkpoint experts,

I got a question regarding Checkpoint license cores,, we have this license to allow to use 8 cores in a gateway , I understand that is for CoreXL allocation.

1.) Would this also means that we are allowed to use 8 physical cores in Checkpoint VM? Does the license had an effect on physical or hardware cpu core limitations?

2.) And if we only have 3 firewall workers activated , does that mean we are not utilizing the other 5 cores? or those cores were used in some processes?

[Expert]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 192 | 1473
1 | Yes | 3 | 211 | 1369
2 | Yes | 6 | 215 | 1387

[Expert]# fw ctl affinity -l
Kernel fw_0: CPU 7
Kernel fw_1: CPU 3
Kernel fw_2: CPU 6

[Expert]# fw ctl get int fwlic_num_of_allowed_cores
fwlic_num_of_allowed_cores = 8

> Total VM hardware Cores = 8

Re: Checkpoint Gateway Physical cores and fw workers

PhoneBoy — Tue, 23 Jul 2019 23:15:09 GMT

In a VM, the license applies to the number of virtual cores allocated to the VM.
The cores on the physical hardware is not relevant.

The cores are split between SND and Worker.
If you allocate 3 workers, then that means 5 cores are being used for SND.
In R80.30+, you can also allocate a core for management traffic if you have 8 or more cores licensed, but this is not the default.

Re: Checkpoint Gateway Physical cores and fw workers

Neil_ARZ — Wed, 24 Jul 2019 13:37:27 GMT

Hi Phoneboy ,

yeah , sorry I was really referring to Virtual cores of the VM...

The cores are split between SND and Worker.

> Thanks . I will research more on SND.

If you allocate 3 workers, then that means 5 cores are being used for SND.

> Is there a command to view how many cores were assigned to SND?

In R80.30+, you can also allocate a core for management traffic if you have 8 or more cores licensed, but this is not the default.

> Is there a default core assignment between the Firewall worker and SND? For example like in our environment with 8 core gateway .

Re: Checkpoint Gateway Physical cores and fw workers

PhoneBoy — Wed, 24 Jul 2019 17:42:07 GMT

You can only directly control the number of workers, SNDs are allocated from the remaining (licensed) cores.
The default allocation for 8 cores is 6/2 (6 workers, 2 SND).
You can see the list of defaults here:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98737

Re: Checkpoint Gateway Physical cores and fw workers

Neil_ARZ — Wed, 24 Jul 2019 19:45:41 GMT

Hi Phoneboy ,

Thanks for the info . i am learning from it ...

so I would say that we have no SND active for interfaces... only firewall workers running on CPU 3 and CPU 7 that are helping to process traffics..

I far as i can see with those details , we are not utilizing all CPU cores right ?

Or these unallocated CPU's could be running other processes?

[Expert]# cpmq get -a

Active virtio_net interfaces:
eth0 [Off]
eth1 [Off]

[Expert]# fw ctl affinity -l -r
CPU 0:
CPU 1:
CPU 2:
CPU 3: fw_1
cp_file_convertd fwd usrchkd rad pepd in.geod in.msd mpdaemon lpd vpnd pdpd in.acapd in.asessiond gcpd wsdnsd cpd cprid
CPU 4:
CPU 5:
CPU 6:
CPU 7: fw_0
cp_file_convertd fwd usrchkd rad pepd in.geod in.msd mpdaemon lpd vpnd pdpd in.acapd in.asessiond gcpd wsdnsd cpd cprid
All:

[Expert]# fw ctl affinity -l
Kernel fw_0: CPU 7
Kernel fw_1: CPU 3

Tasks: 163 total, 2 running, 161 sleeping, 0 stopped, 0 zombie
Cpu0 : 0.0%us, 0.0%sy, 0.0%ni, 97.0%id, 0.0%wa, 0.0%hi, 3.0%si, 0.0%st
Cpu1 : 0.0%us, 0.0%sy, 0.0%ni, 98.3%id, 0.0%wa, 0.3%hi, 1.3%si, 0.0%st
Cpu2 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu3 : 9.3%us, 3.3%sy, 0.0%ni, 84.7%id, 0.0%wa, 0.0%hi, 2.7%si, 0.0%st
Cpu4 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu5 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu6 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Cpu7 : 9.3%us, 3.7%sy, 0.0%ni, 83.7%id, 0.0%wa, 0.0%hi, 3.3%si, 0.0%st

Re: Checkpoint Gateway Physical cores and fw workers

PhoneBoy — Wed, 24 Jul 2019 22:06:24 GMT

That looks like you only have two workers (also referred to as firewall instances) and no SNDs, which does not seem right.
If you check via cpconfig and choose the CoreXL option, what does it say you have allocated?
On my VM with 4 cores, it says: CoreXL is currently enabled with 3 IPv4 firewall instances and 2 IPv6 firewall instances.

[Expert@gateway:0]# fw ctl affinity -l -r
CPU 0: eth0 eth2
CPU 1: fw_2
mpdaemon lpd rad in.acapd fwd cp_file_convertd pepd vpnd in.asessiond pdpd usrchkd cpd cprid
CPU 2: fw_1
mpdaemon lpd rad in.acapd fwd cp_file_convertd pepd vpnd in.asessiond pdpd usrchkd cpd cprid
CPU 3: fw_0
mpdaemon lpd rad in.acapd fwd cp_file_convertd pepd vpnd in.asessiond pdpd usrchkd cpd cprid
All:

Unless you know for absolute certain you need a different setting for optimal performance, I recommend starting with the default setting (6 firewall instances).

Re: Checkpoint Gateway Physical cores and fw workers

Neil_ARZ — Thu, 25 Jul 2019 13:33:09 GMT

Thanks , Thats what i thought we are not utilizing all cores and I am looking to go down to 4 cores thats why I am studying this process. ... So the default or recommended will be 3 firewall workers?

I noticed that all of our VM does have a configured SND , its running for more than a year .. is it recommended to assign SNDs in a core?

What if we dont assign a processing core in a worker or SND? Does it means that will be use in other process?

Re: Checkpoint Gateway Physical cores and fw workers

PhoneBoy — Sat, 27 Jul 2019 00:36:44 GMT

The default is 3 Workers / 1 SND for a 4 core system.

As for assignment, the only thing you can directly control is the number of workers assigned.
If you have more than 8 cores in R80.30, you can optionally assign one core for management-related functions.
All other cores should be assigned to SND automatically.