Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
EVSolovyev
Contributor

Can CoreXL mechanizm works on 1 core?

Hi community! Smiley Happy

Please help me with simple question.

In CoreXL admin guide we can see, that CoreXL is enabled from 1 CPU (as I can understand this doc):

Performance Tuning R80.10 (Part of Check Point Infinity) 

But.

If I create a VM with 1 CPU, in cpconfig there is no CoreXL options:

If I create a VM with 2 CPUs, cpconfig has CoreXL options:

Tell me, please, what is the least amount of CPUs required to enable CoreXL and if CoreXLrequired at least 2 CPUs, why we see one CPU in admin guide? And if CoreXL is enabled with 1 CPU, why there is no options in cpconfig?

9 Replies
Wolfgang
Leader
Leader

If you have only one CPU CoreXL makes no sense. There is no CPU available to distribute anything to another CPU.

With CoreXL you can distribute the overall load to all or maybe only some CPUs. You need at least two, but better more CPUs to really benefit from CoreXL.

And yes, the documentation is a little bit confusing.

Wolfgang

Kaspars_Zibarts
Authority
Authority

On the same page where you found the table Smiley Happy

CoreXL does not make sense on one core - you cannot multiply one Smiley Happy

EVSolovyev
Contributor

Thank you. I missed this moment.

EVSolovyev
Contributor

Then I do not understand the table line with 1 CPU.

0 Kudos
Kaspars_Zibarts
Authority
Authority

That is a good point! Me neither

0 Kudos
HeikoAnkenbrand
Champion
Champion

At R80.20 there's a new hack to turn the CoreXL instances on the fly on and off. Here is an example with 3 FW wokers!

Now start the command:

# fw ctl multik stop     -> stop CoreXL instance 1

# fw ctl multik stop    -> stop CoreXL instance 2

# fw ctl multik stop   -> The last instance cannot be disabled:-)

You can activate it again per:

# fw ctl multik start

Conclusion:
CoreXL 0 cannot really be deactivated under R80.10+:-)

More see here:

ATRG: CoreXL 

(1)
genisis__
Advisor

Silly question - if I have a openserver license for 2 cores is there anypoint in turning on COREXL?  If I disable this will it still use the two cores, or simple use one of them?

0 Kudos
Timothy_Hall
Champion
Champion

This was mentioned in my book, whether disabling CoreXL on a 2-core system is desirable will depend on a lot of factors.

With CoreXL enabled, the split is 2/2 with the two cores each acting as both an SND and Firewall Worker (kernel instance).  While both cores are having to pull double duty and constantly switch context/roles, it does allow more than just one core to process traffic should a large majority of it get concentrated in either the Accelerated Path (handled by SND) or the Medium/Firewall Paths (handed by Firewall Workers).  It also allows both cores to empty NIC ring buffers in a timely fashion and help avoid RX-DRP frame loss.

However if CoreXL is disabled, core 0 becomes just a SND and core 1 is just a Firewall Worker.  The coordination overhead of CoreXL between multiple Firewall Workers, and the coordination overhead of SecureXL between multiple SNDs is no longer present, thus freeing up a fair amount of CPU time to potentially move more traffic.  The downside is that if one core or the other gets fully saturated doing whatever it is doing, the other core cannot help at all thus creating a bottleneck while all possible CPU resources are not being fully utilized.

As mentioned in my book, the only way to determine if disabling CoreXL will help (which is essentially going to a 1/1 split) is to carefully baseline CPU utilization and network error counters with CoreXL enabled, then disable it and see what happens to CPU utilization and network error counters.  Disabling CoreXL on a 2-core system may help overall performance or it may not.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
genisis__
Advisor

As ever Tim, thanks. 

0 Kudos