A new interesting function for performance tuning has been included in R80.40. Dynamic split of CoreXL changes the assignment of  CoreXL SND's and CoreXL firewall workers automatically without reboot.

• Adding and removing a CoreXL firewall worker
• Adding and removing a CoreXL SND
• Balance between CoreXL SND and CoreXL firewall worker
• Work in ClusterXL environments
• A reboot is not necessary
  

• GAIA 3.10 kernel (USFW/Kernel)
• only Check Point appliances with 8 cores or more
• currently supported on ClusterXL HA
• currently VSLS is a limitation
• In the following series all models are supported: 7000, 15000, 16000, 23000, 26000, 28000
• In the following series only the listed models are supported:
  
  • 5000: 5800 and 5900
  • 6000: 6500, 6700, 6800 and 6900
• Supported versions: Check Point R80.40 with Jumbo Hotfix Take 25 and above

• CoreXL Dynamic Split does not support:

  • Check Point Appliances that run in VSX mode (regardless of the number of CPU cores).

  • Open Servers or Virtual Machines.

  • Security Gateway (or Cluster Members) with Bridge interfaces.

Suppose we have two SND's and 6 CoreXL firewall workers. If no CoreXL SND's and CoreXL firewall workers are overloaded, nothing happens (picture 1).

Now, let's assume the CoreXL SNDs are overloaded (picture 2), a mathematical formula is used to calculate that a further CoreXL SND is added. In this case a CoreXL firewall worker 5 will not get any new connections (picture 3) and the connections are distributed to another CoreXL firewall worker for example to the CoreXL firewall worker 4. If there are no more connections running through this CoreXL firewall worker on core two, the core will be used for a new CoreXL SND instance (picture 4) . Now our appliance has three SND's and 5 CoreXL firewall workers.

It also works the other way round.

Picture 1 - nothing overloaded


Picture 2 - SND's overloaded

Picture 3 - CoreXL firewall worker stops the processing and distributes the connections.

Picture 4 - new SND is added

The Dynamic Split Daemon (dsd) has three stages in each iteration

1) Examine the current CPU utilization.
2) Decide if and what changes to make based on the current CPU utilization.
3) If needed, change the current CoreXL configuration

In ClusterXL, you must configure all the Cluster Members in the same way. The dynamic_split command controls the Dynamic Split of CoreXL Firewall and SND instances on the local Security Gateway, or ClusterXL Member.

For more information, see R80.40 Performance Tuning Administration Guide - Chapter CoreXL.

Run these commands in the Expert mode

# dynamic_split

                            -o disable                 -> Disables the CoreXL Dynamic Split. Requires a reboot.
                            -o enable                  -> Enables the CoreXL Dynamic Split. Requires a reboot
                            -o start                      -> Starts the CoreXL Dynamic Split after it was stopped.
                            -o stop                       -> Stops the CoreXL Dynamic Split. This change survive the reboot.
                            -p                                -> Show status