cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

CoreXL terminology

Hello, guys

I'm newbie in Check Point stuff and trying to figure out how CoreXL is working and how to fine tune it.

I have some mess in my mind regaring CoreXL terminology, can someone clear it out?

There is VSX cluster consisting of two Check Point 15600 firewalls. Each virtual system has 32 Cores (from 0 to 31).

How many cores can I assign to SND?

How many fw_workers can exist in this setup?

Is it possible to define the amount of fw_workers?

How can you explain the output:

[Expert@APNWFWVSX1:0]# fw ctl affinity -l -a -v
Interface Mgmt (irq 99): CPU 1
Interface eth3-01 (irq 179): CPU 17
Interface eth3-02 (irq 60): CPU 16
Interface eth1-01 (irq 108): CPU 17
Interface eth1-02 (irq 124): CPU 1
Interface eth1-03 (irq 140): CPU 16
Interface eth1-04 (irq 156): CPU 0
VS_0 fwk: CPU 2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27 28 29 30 31
VS_1 fwk: CPU 2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27 28 29 30 31
VS_2 fwk: CPU 2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27 28 29 30 31
VS_3 fwk: CPU 2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27 28 29 30 31
VS_4 fwk: CPU 2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27 28 29 30 31
VS_5 fwk: CPU 2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27 28 29 30 31
VS_6 fwk: CPU 2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27 28 29 30 31
[Expert@APNWFWVSX1:0]#

[Expert@APNWFWVSX1:1]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2-15+ | 7932 | 35290
1 | Yes | 2-15+ | 5789 | 10768
2 | Yes | 2-15+ | 6583 | 16121
3 | Yes | 2-15+ | 5475 | 17478
4 | Yes | 2-15+ | 6235 | 17508
5 | Yes | 2-15+ | 7802 | 22999
6 | Yes | 2-15+ | 5382 | 12134
7 | Yes | 2-15+ | 5583 | 14237
[Expert@APNWFWVSX1:1]#

I have assigned 8 virtual instances to each virtual system.

The term of "virtual instance" means Core or fw_worker?

Why the vritual instances using CPU from 2nd to 15+, which means all CPUs?

Thanks.

 

 

 

0 Kudos
5 Replies
Highlighted

Re: CoreXL terminology

Hello,

I think the following link will answer most if not all of your questions:

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Highlighted

Re: CoreXL terminology

I cannot understand few things:
How many fw instances can coexist on the firewall? Is it limited somehow?
Can I assign specific fw instance to specific CPU core?
How can I see what CPU cores handle traffic from specific VS in real time?
0 Kudos
Highlighted

Re: CoreXL terminology

The ATRG: CoreXl is surely the best documentation about CoreXL, but VSX / VSLS is - besides MDM / MDS - the cream on top of complicated systems ! So after your CPSA and CPSE certification, you need a Multi-Domain Security Management with VSX certification, too, to have learned at least the more basic things. Without enaough experience, CP Professional Services will be the best possible solution for putting the system into production. An example of a possible error: A customer did his best, but his topology did led to a "no more RAM available" situation, so CP had him change the topology for a not-so-memory-hungry variant - this problem is not documented clearly and surely a possible pitfall...

0 Kudos
Highlighted

Re: CoreXL terminology

Actually the system is already in production and working fine.

I'm just asking...

0 Kudos
Highlighted
Admin
Admin

Re: CoreXL terminology

In general, cores can be assigned to one of two tasks: SND or Worker (fwk processes).
It looks like you have 2 SND cores and 30 worker cores.
Changing the core distribution requires a reboot.
Of the available worker cores, a given VS can be assigned a number of cores via the VS definition in SmartConsole.
I believe they can be assigned to specific cores using the commands noted in the ATRG guide already linked on this thread.
0 Kudos