This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PS2023
Explorer
Friday

Confused in VSX CoreXL instance configuration

Hi all,

 

I am quite confused on CoreXL configuration on VSX virtual system, and hope someone would share their experience on this.

Everything start from a warning in HCP report, it said the FWK instance on VS0&VS1 were too low with only 1 instance configured. 

I read SKs and raised a SR to TAC, but still have some questions on the mechanism of FWK instance, CoreXL instance and Dynamic Balancing.

In my understanding, Dynamic balancing  controls the resource pool for running SND and CoreXL isntance, which split the cpu cores to each pool by monitoring the cpu loading. So it will not increase the CoreXL instance in any VS context.

Does it mean that I need manually assign more CoreXL instance per VS to avoid poor performance and resource utilization?

My environment:

2x 9000 appliance, running R82+JHF Take91

Configured as VSX VSLS cluster, with Two VS (VS0 &1)

0 Kudos
4 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
Friday

With VSX, you must specify how many cores each VS is allowed to use. This is done in the VS object's CoreXL section. There's one number for IPv4 instances and a separate number for IPv6 instances. Changing them takes a hard outage, and you can't change them for VS0.

I personally wouldn't assign more CoreXL instances across all VSs than you have physical cores. For example, a 9700 has 16 physical cores, 32 virtual cores. If you had four VSs, I would give each no more than four cores. More can work, but can allow the firewall to be oversubscribed (if you give all four VSs eight cores, and they all try to do eight cores' worth of work, you could be in trouble).

PS2023
Explorer
yesterday
In response to Bob_Zimmerman

Hi Bob

May I know if Dynamic Balancing applies on the Virtual system itself?

When I execute "fw ctl multik stat" on the VS, the one CoreXL instance have affinity with nearly all CPU cores.

Does it mean this instance will pick the first available a  CPU core from the list?

After adding additional CoreXL instance per VS, do I need to configure the affinity between each CPU core and CoreXL instance?

Preview file
13 KB
0 Kudos
Lesley
MVP Gold
MVP Gold
Friday

Important - Enabling CoreXL on VS0 is not recommended because of increased memory overhead and potential performance degradation. Most VSX deployments do not require more than a single Firewall instance for VS0 as its main purpose is managing the VSX Gateway.

 

Best practices:

  1. We recommend that you use the number of CoreXLFirewall instances for each Virtual System according to the expected network traffic on the Virtual System. Configuring unnecessary CoreXLFirewall instances can have a negative impact on performance.

  2. We recommend that you do not configure more CoreXLFirewall instances than the total number of physical CPU cores on the VSX Gateway.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
PhoneBoy
Admin
Admin
Friday

You need to assign the appropriate number of cores to a VS, yes.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events