This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JeromeB
Explorer
‎2025-04-02 07:59 AM
Jump to solution

CoreXL is turned off by default on a brand new 9800

Hello,

I'm surprized to see that on a couple of brand new 9800 appliances, CoreXL is disable by default (see attached a snapshot of the SysInfo from cpview) ... I wonder whether this could be a consequence / side effect of the new UPPAK mode that is enable by default (maybe some incompatibility?).

We have R81.20 with JHF89 and VSX mode enable.

Any clue?
I suspect i should just enable CoreXL to take advantage of the 40 CPUs of the device ... or would this bring new limitations ?

Thanks in advance for your hint(s)

JB

 

Preview file
18 KB
0 Kudos
2 Solutions

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2025-04-04 04:49 PM
Jump to solution

For VS0 this is OK / recommend per: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VSX_AdminGuide/Topics-VSXG/CoreXL-...

How many virtual systems are configured and in SmartConsole how many CoreXL instances were provisioned for each?

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
emmap
Employee
Employee
‎2025-04-09 08:41 PM
In response to JeromeB
Jump to solution

Dynamic Balancing on VSX does not change CoreXL per VS configuration or otherwise affect VS FWK counts, it only changes the CPU allocation between SND and fwk worker pool. 

View solution in original post

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2025-04-04 03:10 PM
Jump to solution

I believe CoreXL being off with VSX is normal and expected.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-04-04 04:49 PM
Jump to solution

For VS0 this is OK / recommend per: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VSX_AdminGuide/Topics-VSXG/CoreXL-...

How many virtual systems are configured and in SmartConsole how many CoreXL instances were provisioned for each?

CCSM R77/R80/ELITE
0 Kudos
JeromeB
Explorer
‎2025-04-07 01:37 AM
In response to Chris_Atkinson
Jump to solution

Hello Chris,
thanks for your feedback.

I have 2 Vsys configured + 1 Virtual switch.
The 2 Vsys are configured with the default settings for CoreXL, so 1 instance only.
I suppose this is why cpinfo report CoreXL being off for the Vsys others than VS0 (see attached snapshot of SysInfo from VSID 3)

Is there any documentation that could help in sizing the amount of CoreXL instances to configure for a given Vsys?
I guess on the basis on my estimated traffic going to the slow path, I could deduct the number of CoreXL to configure ... but maybe there are more parameters to consider.

Also how could I detect that I am running low on the amount of CoreXL instances ?

Before the users start to shout, I suppose there are some warning signals that my CoreXL instances are high on utilisation.

With VSX off, there are no worries to have with CoreXL instances, from my experience, the number is set / adjusted automatically.

Regards,

JB

Preview file
54 KB
0 Kudos
Wolfgang
Authority
Authority
‎2025-04-07 12:26 PM
In response to JeromeB
Jump to solution

@JeromeB it depends of the traffic. I would start with 8 cores for every VS.

But I prefer to use the dynamic balancing feature with R81.20. The system automatically creates SND and fw-worker cores depending on the utilizatíon. See CoreXL Dynamic Balancing part How does it work with VSX?

0 Kudos
JeromeB
Explorer
‎2025-04-09 07:29 AM
In response to Wolfgang
Jump to solution

@Wolfgang , is dynamic balancing really creating and removing FW instances on the fly? I thought his role was "limited" to re-assigning instances between SND and FWK...

In my case, VS1 is now set with 2 CoreXL and I can see the relavant processes (fwk1_0 & fwk1_1) running from the start even no traffic is going through the VS.

[Expert@XXXXX:1]# fw ctl affinity -l -x -flags tn | grep fwk1

---------------------------------------------------------------------
|PID   |VSID | CPU  |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 29889 | 1 | 0x000000FFFFCFFFFC | V | | | | fwk1_dev_0
| 29896 | 1 | 0x000000FFFFCFFFFC | V | | | | |---fwk1_kissd
| 29911 | 1 | 0x000000FFFFCFFFFC | V | | | | |---fwk1_0
| 29912 | 1 | 0x000000FFFFCFFFFC | V | | | | |---fwk1_1
| 29913 | 1 | 0x000000FFFFCFFFFC | V | | | | |---fwk1_hp
| 29920 | 1 | 0x000000FFFFCFFFFC | V | | | | |---fwk1_service
| 29921 | 1 | 0x000000FFFFCFFFFC | V | | | | |---fwk1_dev_1

 

Also, the SND are assigned to VS0 apparently and they seem to be pretty static (in numbers). No incrementing / decrementing with the amount of VS and CoreXL configured.

[Expert@XXXXX:1]# fw ctl affinity -l -x -flags tn | grep snd

---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------

| 1724  | 0 | 39 | V | | | E | |---fwk_snd_main
| 1729  | 0 | 39 | V | | | E | |---fwk_snd_dev
| 7978  | 0 | 39 | V | | | E | |---fwk_snd_dev
| 23194 | 0 | 39 | V | | | E | |---fwk_snd_dev
| 23250 | 0 | 39 | V | | | E | |---fwk_snd_dev
| 29891 | 0 | 39 | V | | | E | |---fwk_snd_dev
0 Kudos
emmap
Employee
Employee
‎2025-04-09 08:41 PM
In response to JeromeB
Jump to solution

Dynamic Balancing on VSX does not change CoreXL per VS configuration or otherwise affect VS FWK counts, it only changes the CPU allocation between SND and fwk worker pool. 

0 Kudos
Wolfgang
Authority
Authority
‎2025-04-09 11:44 PM
In response to JeromeB
Jump to solution

Like @emmap mentioned, dynamic balancing does not assign worker cores to VS. There's no special assignment of SND cores to a specific VS. You can set your worker cores for every VS, maybay 6 or 8 for both. Without any traffic a default setting is done for the count of SNDs. But if you get more traffic and CPU utilization on the system dynamic balancing will create mor SNDs on the fly if needed and will go back if possible.

JeromeB
Explorer
‎2025-04-10 02:05 AM
In response to Wolfgang
Jump to solution

Many thanks to you both for the clear explanations

0 Kudos
the_rock
Legend
Legend
‎2025-04-04 05:01 PM
Jump to solution

Good to know.

0 Kudos
Wolfgang
Authority
Authority
‎2025-04-05 03:45 AM
Jump to solution

This is normal behavior with VSX, not specific of the 9800. Without VSX CoreXL is enabled by default on a 9800 appliance. If you start cpview in one of your VS you can see CoreXL is enabled. For VS0 there is no need for more then one CPU only management traffic is going through this.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events