Re: CPU Cores on Clustered Firewall

Olusegun_Adekun · ‎2024-05-02

Hi All,

I have a clustered Firewall running at the moment. It is uCPE (VMWare I presume) from Colt our SDWAN Provider.

From Checkpoint perspective,

The number of assigned cores must be the same between clustered VMs.

We ask the provider to rebuild the VM with R81.20 as am upgrading. They have presented me with the exact similar below.

[Expert@MyGW:0]# fw ctl multik stat
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 7      |           5 |       21
 1 | Yes     | 6      |           3 |       23
 2 | Yes     | 5      |           5 |       25
 3 | Yes     | 4      |           4 |       21
 4 | Yes     | 3      |           5 |       21
 5 | Yes     | 2      |           5 |       20
[Expert@MyGW:0]#

Then the current Active member is like below.

[Expert@MyGW:0]# fw6 ctl multik stat
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 7      |           0 |        4
 1 | Yes     | 6      |           0 |        4
[Expert@MyGW:0]#

The Cores on both firewalls are different.

I ask the provider to rebuilt with only Cores similar to what the Active Firewall member has, they said I should contact Checkpoint TAC because the R81.20 software assigned the Cores.

From my point of view, i don't think this is what checkpoint TAC can do reallocating or reassigning of the Cores.

Any suggestion? And can TAC help with this kind of issue or has to be done at the VMWare Level.

Thanks Always,

Olu

Chris_Atkinson · ‎2024-05-02

Note the command outputs you are comparing are not the same IPv4 vs IPv6.

The VMware admin assigns the resources to the machines otherwise, for uCPE it may differ however.

Check Point TAC can assist with resolving CPU affinity issues there after should they exist

CCSM R77/R80/ELITE

Olusegun_Adekun · ‎2024-05-02

Hi Chris,

Thanks for the prompt reply. Much Appreciated.

Yes, the command output is same anyway, have checked.

I will go back to the provider then. Will update you what they will comeback with.

Regards,

Olu

Chris_Atkinson · ‎2024-05-02

To confirm you see the same in cpconfig > corexl on both machines?

CCSM R77/R80/ELITE

Olusegun_Adekun · ‎2024-05-02

Hi Chris,

The firewall instances are also different as below but can be resolve with CPCONFIG --> CoreXL

CoreXL is currently enabled with 2 IPv4 firewall instances.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Standby FW - Though Down at the moment because of the CoreXL differences.

Configuring Check Point CoreXL...
=================================
CoreXL is currently enabled with 3 IPv4 firewall instances.

Regards,

Olu

emmap · ‎2024-05-02

The CoreXL config must be identical on gateways in a cluster.

Olusegun_Adekun · ‎2024-05-03

Hi

Yes, that is correct. I will correct that with CPCONFIG once am able to resolve the Core Issue.

Thanks

Chris_Atkinson · ‎2024-05-03

To confirm if you run 'top' and press 1 do you see a different number of cpu cores here?

I e. Does the machine actually not have the correct resources allocated or just not the correct corexl config / license.

CCSM R77/R80/ELITE

the_rock · ‎2024-05-03

As @emmap had indicated, corexl config must match on both cluster members, otherwise, its an issue.

Andy

Are you a member of CheckMates?

CPU Cores on Clustered Firewall