Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Nickel

Performance Optimization section is not available within Gaia gui

We are not seeing the Performance Optimization option under Network Management within the Gaia gui. This is needed for an upcoming CoreXL change for core re-balancing/optimization. We see this option on several other FWs with the same and higher core counts and we have the proper licensing.

 

licensed for 8 CPUs

firewall-1 ~ # cpconfig

This program will let you re-configure

your Check Point products configuration.

 

Configuration Options:

----------------------

(1)  Licenses and contracts

(2)  SNMP Extension

(3)  PKCS#11 Token

(4)  Random Pool

(5)  Secure Internal Communication

(6)  Disable cluster membership for this gateway

(7)  Enable Check Point Per Virtual System State

(8)  Enable Check Point ClusterXL for Bridge Active/Standby

(9)  Check Point CoreXL

(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :9

 

Configuring Check Point CoreXL...

=================================

CoreXL is currently enabled with 6 IPv4 firewall instances.

0 Kudos
8 Replies
Highlighted

This was mentioned in my book, you must have at least six cores AND have at least one interface that is capable of Multi-Queue for the Performance Optimization web screen to be present.  Also not mentioned is that if SMT/Hyperthreading is enabled and the total number of cores exceeds the kernel limit for that version (32 for R77.30 and 40 for R80.10+ in kernel mode), the screen will disappear as well.  I don't think whether User-Space Firewall (USFW) is enabled will impact the availability of this screen but it is possible, use command cpprod_util FwIsUsermode to check the status of USFW.

Is cpconfig not letting you change the split?  That is not clear from your screenshot.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
Highlighted
Nickel

8 cores - SMT/Hyperthreading is disabled in the BIOS (in dell idrac9 it's labeled as logical processing)

all interfaces should be supported for MQ per CP

firewall-1 ~ # ethtool -i eth0
driver: i40e
version: 2.7.12
firmware-version: 6.01 0x800035cf 1.1747.0
expansion-rom-version:
bus-info: 0000:3b:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

 

firewall-1 ~ # cpprod_util FwIsUsermode
1

0 Kudos
Highlighted

Hmm, the missing screen might be due to the presence of USFW.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Highlighted
Nickel

maintenance window Sunday, will find out!!

0 Kudos
Highlighted
Nickel

how to disable SMT/hyperthreading in iDrac9

Untitled.png

0 Kudos
Highlighted
Nickel

1. updated to take 196

2. Followed tip 3 from sk149973

Tip 3 - Switch to Kernel Mode Firewall, do the following

 
Note:
UMFW is not supposed to run with less than 40 cores in R80.10, R80.20 and R80.30

1) Run the following clish commands:
    # cpprod_util FwSetUsFwmachine 0
    # cpprod_util FwSetUsermode 0
2) Edit the boot.conf file (vi $FWDIR/boot/boot.conf) with the following:
    KERN_INSTANCE_NUM 4
3) Reboot.

 

Performance Optimization still isn't showing up in the GAIA interface.

 

CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH /etc/fw.boot/default.bin
KERN_INSTANCE_NUM 4
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 16

0 Kudos
Highlighted

Are you using the Gaia 3.10 kernel?  Because Multi-Queue is enabled by default on all interfaces but the management interface in the kernel version, and with the introduction of Dynamic Split Adjustment in R80.40, this web screen may have been removed as it is not really applicable any more.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Highlighted
Nickel

k3.10 - yes
MQ - ok

Seems we got caught in the middle of this issue; where UMFW would be enabled by default on systems with less than 40 cores, but isn't supported per that sk.
0 Kudos