This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Di_Junior
Advisor
Advisor
‎2019-04-11 07:07 AM

CoreXL: only one SND core is busy

Dear Mates 

 

I have one of my clients that uses Check Point firewalls with 20 Cores. The cores configuration are as follow:

18 SND, and 2 CoreXL. This is a follow up thread for the discussion we are having at the end of this thread: https://community.checkpoint.com/t5/General-Topics/Eliminating-Routing-Asymmetry-between-Two-Differe...

 

 @Timothy_Hall see the output of the requested commands in the attached picture.

Thanks in advance

Preview file
165 KB
0 Kudos
8 Replies
Di_Junior
Advisor
Advisor
‎2019-04-11 07:07 AM

Hi @Timothy_Hall 

I attach some more interesting command output.

Thanks

Preview file
113 KB
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-04-11 07:29 AM

Maybe you can again state again the issue you have ? This is a very cryptic follow-up discussion that sems to be between two people only...
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Di_Junior
Advisor
Advisor
‎2019-04-11 07:34 AM
In response to G_W_Albrecht

Hi there

 

Bellow is the issue:

 

"

Another question is about CoreXL. I have a client who has a 20 cores Check Point firewall (all licensed), but the system has only 2 CoreXL cores, the other ones are SND. Is this a good scenario? if yes, why, if not why?

"

 

Sorry about that

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-04-11 07:53 AM
In response to Di_Junior

Gah, that is one messed up configuration.  I think someone meant to assign 2 SND/IRQ cores but assigned 2 Firewall Worker instances instead.  SecureXL is off, so everything is going F2F on just the two worker cores.  Looks like there may have been some manual interface affinity adjustments as well.  Not sure why SecureXL is off, perhaps using Traditional Mode VPNs?  The performance has got to be terrible on this firewall.  What does netstat -ni show?

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Di_Junior
Advisor
Advisor
‎2019-04-11 09:51 AM
In response to Timothy_Hall

Hi Tim

 

As far as I can tell one of the reason why SecureXL is off is because they are using Load-sharing.

In this situation what would you recommend?

How can automatic affinity be configured?

 

see the attached picture for the output of netstat -ni.

 

Thanks

Preview file
196 KB
0 Kudos
Daniel_Taney
Advisor
‎2019-04-11 11:35 AM
In response to Di_Junior

Do you know which method of Load-sharing they are using? As Mr. @Timothy_Hall  kindly pointed out to me in prior conversations, you can use SecureXL in Load-Sharing Unicast mode. I had definitely misunderstood that and thought any use of Load-sharing precluded you from enabling SecureXL.

I would suggest starting by going into cpconfig and changing the allocation of SND's / FWK's. If it is a 20 core box, the default configuration would have been 18 FWK Instances and 2 SND's. (So enter 18 at the prompt in cpconfig). 

If you find you are able to enable SecureXL, you may want to consider monitoring usage with SecureXL on and considering changing it to 16 FWK instances and 4 SND's. If SecureXL isn't an option for sure, you probably want as many FWK instances as possible since that's where all your traffic is being processed.

R80 CCSA / CCSE
Timothy_Hall
MVP Gold
MVP Gold
‎2019-04-11 05:50 PM
In response to Di_Junior

Given the large number of things wrong, I'd strongly recommend downloading and running the healthcheck script located here and engaging with TAC:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Trying to solve all the problems with that system in this thread will cause it to become epic in length for all the wrong reasons.  🙂

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
_Val_
Admin
Admin
‎2019-04-12 12:49 AM
In response to Di_Junior

Why on earth are you using load sharing? Go for HA mode and tune your 20 cores properly, that will give you more performance than LS.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events