[Expert@sg1:0]# clish -c "show version all"
Product version Check Point Gaia R80.40
OS build 294
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

[Expert@sg1:0]# U=`cpprod_util FwIsUsermode`; [ $U == 0 ] && { U="Kernel Mode"; } || { U="User Mode"; }; echo; echo "Firewall: $U";echo;

Firewall: Kernel Mode

Correct, R80.40 is 3.10 kernel based. The platform is using new affinity mechanism provided by the 3.10 OS kernel, which makes automatic sim affinity obsolete.

Since you are using open server and just 4 cores, with only 2 cores as FWKs, I would suggest manual affinity settings, as support advises you to do.

Ok. Is there any documentation describing such change?
I found only sk170012 saying only: "sim affinity" has been deprecated in R80.40.

ATRG: CoreXL is not updated currently and stated:
===
Default affinity settings for interfaces:

- If SecureXL is enabled - the default affinities of all interfaces are 'Automatic' - the affinity for each interface is automatically reset every 60 seconds, and balanced between available CPU cores based on the current load.
===

By new affinity mechanism do you mean Dynamic Split?

1. "sim affinity" is a command, and it is changed to "fw affinity" because of the kernel change.
2. As your TAC engineer already communicated, ATRG is being changed, please give a chance SecureKnowledge team to do that. There is a process which takes some days. Frankly, this is an oversight on our end, apologies for that.
3. "Dynamic Split" is now called "Dynamic Workflows" (DW). DW leverages new affinity capability of RH 3.10 kernel, but it is not the point. You cannot use DW for two reasons: open server, not enough cores. You need at least 8 licensed cores for that. Open server support is still on the road map. 
   
   By "new capabilities" I mean what DW is actually leveraging: OS level support for queuing all CPUs to all HW and SW interrupts, with ability to enable and disable some of those queues on the fly. 

1. Ok. I was aware changing sim affinity to fw affinity but not aware that maunual affinity is needed starting with R80.40 3.10 as automatic affinity stopped working / is deprecated.
2. Understood
3. Correct, based on sk164155 - Dynamic Balancing is supported only on Check Point Appliances

Anyway, thanks Val.

Performance Tuning R80.40 Administration Guide is also not updated and saying:

Note - When the SecureXL is enabled (this is the default), only the SecureXL SIM Affinity configuration defines the interfaces affinities (see sim affinity). Security Gateway ignores the interface affinity settings in the $FWDIR/conf/fwaffinity.conf file.

Automatic interface affinity actually went away in version R80.20 when SecureXL was substantially reworked, as mentioned in the third edition of my book.  Allocating enough SND/IRQ cores in your CoreXL split and manually enabling Multi-Queue on the interfaces that need it (kernel 2.6.18) is what replaced this functionality.  On firewalls utilizing the 3.10 kernel, Multi-Queue is enabled on all interfaces that support it by default (except for the management interface in some early Jumbo HFAs).  Multi-Queue attempts to keep the SND/IRQ cores balanced as automatic interface affinity once did and frankly does a much better job of it, but MQ's balancing mechanism is not perfect under all traffic conditions.

If your NICs do not support Multi-Queue (please post output of  expert mode command mq_mng  -vv  --show to confirm) then TAC is correct and you are stuck doing manual interface affinity to spread out the interface processing duties across your SND/IRQ cores.  Having your cores limited to 4 by license will certainly not help this situation, and you'll need to do some traffic analysis with cpview to try to keep your busiest interfaces off of the same SND/IRQ core.

Timothy_Hall, it's clear and suitable in case where device is supporting MQ.

These open servers using tg3 drivers for on-board network interface card so it's not supported with MQ:

[Expert@sg1:0]# ethtool -i eth0
driver: tg3
version: 3.137
firmware-version: 5719-v1.46 NCSI v1.4.16.0
expansion-rom-version:
bus-info: 0000:02:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

and any MQ commands produce empty results.

In this case we will follow manual re-configuration of interface affinity.

I hope CheckPoint is going to update ATRG: CoreXL and Performance Tunning Guide.

SecureXL changed very little between versions R70 and R80.10 which was a relatively long period of time, so there is still quite a bit of documentation/SKs/courseware that reflects how SecureXL operated pre-R80.20.  I flag it whenever I run into one of these, but clearly some still need to be updated.

Thx. It's really easy to miss such information in case main documents (sk98737 - ATRG: CoreXL or Performance Tuning Administration Guides for R80.30, R80.40 and even R81) are still describing pre-R80.20 behavior in this particular case.

Just to close this thread:

To perform manual interface affnity we should use:
fw ctl affinity -s -i <Interface Name> <CPU ID>
- it will survive reboot
- it makes automatically changes in $FWDIR/conf/fwaffinity.conf like:

So forget about official Performance Tuning R80.40 Administration Guide saying: