topic Affinity and Bridge Mode in General Topics https://community.checkpoint.com/t5/General-Topics/Affinity-and-Bridge-Mode/m-p/17712#M3021 <HTML><HEAD></HEAD><BODY><P>I have a situation were we implemented a checkpoint with IPS in a bridged interface scenario, on 10Gbps interfaces. The the default Checkpoint affinity for the cpu's were to assign the mgmt and 1 of the bridged interfaces to 1 CPU and the Sync and the other bridged interface to a second CPU. We then hit a problem of traffic throughput that caused both CPU's to run between 90 and 100%. This effectively locked us out of the device and caused major latency problems. The device is currently bypassed.</P><P></P><P>I have changed the affinity to combine the mgmt and sync on 1 cpu and am looking to assign 2 cpu's to each of the bridged interfaces. Leaving 11 cpu's for firewall workers.&nbsp;</P><P></P><P>So noting the above is there any experience out there that can comment on whether the 2 x cpu per bridged interface "should be" sufficient or whether it would be advisable to increase them.</P><P></P><P>I am running r77.30 with dynamic dispatching enable and only 6 firewall rules. Because we were locked out of the device I could not gather any meaningful stats.</P></BODY></HTML> Mon, 19 Nov 2018 11:20:52 GMT Petrus_Rossouw 2018-11-19T11:20:52Z Affinity and Bridge Mode https://community.checkpoint.com/t5/General-Topics/Affinity-and-Bridge-Mode/m-p/17712#M3021 <HTML><HEAD></HEAD><BODY><P>I have a situation were we implemented a checkpoint with IPS in a bridged interface scenario, on 10Gbps interfaces. The the default Checkpoint affinity for the cpu's were to assign the mgmt and 1 of the bridged interfaces to 1 CPU and the Sync and the other bridged interface to a second CPU. We then hit a problem of traffic throughput that caused both CPU's to run between 90 and 100%. This effectively locked us out of the device and caused major latency problems. The device is currently bypassed.</P><P></P><P>I have changed the affinity to combine the mgmt and sync on 1 cpu and am looking to assign 2 cpu's to each of the bridged interfaces. Leaving 11 cpu's for firewall workers.&nbsp;</P><P></P><P>So noting the above is there any experience out there that can comment on whether the 2 x cpu per bridged interface "should be" sufficient or whether it would be advisable to increase them.</P><P></P><P>I am running r77.30 with dynamic dispatching enable and only 6 firewall rules. Because we were locked out of the device I could not gather any meaningful stats.</P></BODY></HTML> Mon, 19 Nov 2018 11:20:52 GMT https://community.checkpoint.com/t5/General-Topics/Affinity-and-Bridge-Mode/m-p/17712#M3021 Petrus_Rossouw 2018-11-19T11:20:52Z Re: Affinity and Bridge Mode https://community.checkpoint.com/t5/General-Topics/Affinity-and-Bridge-Mode/m-p/17713#M3022 <HTML><HEAD></HEAD><BODY><P>With the right traffic flows and utilization, a single CPU would have been enough <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>Two CPUs will certainly be better, but you will need to monitor to see if it will be enough and adjust accordingly.</P></BODY></HTML> Thu, 22 Nov 2018 06:34:58 GMT https://community.checkpoint.com/t5/General-Topics/Affinity-and-Bridge-Mode/m-p/17713#M3022 PhoneBoy 2018-11-22T06:34:58Z