Petrus_Rossouw
Participant

Affinity and Bridge Mode

I have a situation where we implemented a Check Point with IPS in a bridged interface scenario, on 10Gbps interfaces. The default Check Point affinity for the CPUs was to assign the mgmt and 1 of the bridged interfaces to 1 CPU and the Sync and the other bridged interface to a second CPU. We then hit a problem of traffic throughput that caused both CPUs to run between 90 and 100%. This effectively locked us out of the device and caused major latency problems. The device is currently bypassed.

I have changed the affinity to combine the mgmt and sync on 1 CPU and am looking to assign 2 CPUs to each of the bridged interfaces, leaving 11 CPUs for firewall workers.

So, noting the above, is there any experience out there that can comment on whether the 2 x CPU per bridged interface "should be" sufficient, or whether it would be advisable to increase them?

I am running R77.30 with dynamic dispatching enabled and only 6 firewall rules. Because we were locked out of the device, I could not gather any meaningful stats.

1 Reply
PhoneBoy
Admin

With the right traffic flows and utilization, a single CPU would have been enough :)

Two CPUs will certainly be better, but you will need to monitor to see if it will be enough and adjust accordingly.
