This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion
Champion
‎2019-09-03 08:02 AM

R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

Jump to solution

 

An extract from the readme with information about R80.40:

CUT>>

CoreXL and Multi-Queue

  • Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
  • Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load

<<<CUT


Do you have any information on how the algorithms will work?
According to which criteria will the distribution take place?

How will this work with a ClusterXL?

 

1 Solution

Accepted Solutions
Chen_Muchtar
Employee
Employee
‎2019-09-09 01:15 PM
In response to HeikoAnkenbrand

Jump to solution

Hi Heiko,

Addressing your question per algorithm concept:

Essence:

  • Changing CoreXL split between FW workers and SND on the fly based on CPU utilization

Deciding keys:

  1. The average utilization of CoreXL SNDs and FWs are regularly sampled
  2. If either CoreXL SNDs or FWs utilization is higher than the other, perform an estimate of utilization post “migrating” a CPU to the other group
    Note: when SMT is on, change is doubled

Flows:

  1. If more SNDs are needed
    1. Find least utilized CoreXL FW instance
    2. Stop dispatching new connections to the least utilized CoreXL FW instance
    3. Move the CoreXL FW instance to the CPU of next least utilized CoreXL FW instance
    4. Turn on a new MQ queue on the “evicted” CPU
      Note: Eligible CoreXL SNDs must have a MQ queue ready
  1. If more FWs are needed
    1. Choose the last “stopped” CoreXL FW instance
    2. Turn off MQ queue from the CPU it originally occupied
    3. Move the chosen CoreXL FW instance to the original CPU it occupied
    4. Start dispatching new connections to that CoreXL FW instance
      Note: No more than the maximum number of FWs can be added

General

  • Supported on OS 3.10 (USFW/Kernel); Check Point appliances with 8 cores or more; VSX is currently a limitation
  • Supported on Cluster HA; VSLS is currently a limitation

For  further questions / feedback / suggestions for enhancements etc. – pls don’t hesitate to contact me directly - chenmu@checkpoint.com

View solution in original post

4 Replies
Timothy_Hall
Champion
Champion
‎2019-09-03 08:29 AM

Jump to solution

Great questions Heiko, I'm assuming this is all predicated on the new Gaia 3.10 kernel and USFW being enabled in R80.40...

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
HeikoAnkenbrand
Champion
Champion
‎2019-09-05 12:12 PM

Jump to solution

Any news here from Check Point?

0 Kudos
Tsvika_Gilman
Contributor
‎2019-09-05 10:53 PM
In response to HeikoAnkenbrand

Jump to solution

That's an interesting question. I would prefer a manual configuration if I didn't know how it works.

 

Chen_Muchtar
Employee
Employee
‎2019-09-09 01:15 PM
In response to HeikoAnkenbrand

Jump to solution

Hi Heiko,

Addressing your question per algorithm concept:

Essence:

  • Changing CoreXL split between FW workers and SND on the fly based on CPU utilization

Deciding keys:

  1. The average utilization of CoreXL SNDs and FWs are regularly sampled
  2. If either CoreXL SNDs or FWs utilization is higher than the other, perform an estimate of utilization post “migrating” a CPU to the other group
    Note: when SMT is on, change is doubled

Flows:

  1. If more SNDs are needed
    1. Find least utilized CoreXL FW instance
    2. Stop dispatching new connections to the least utilized CoreXL FW instance
    3. Move the CoreXL FW instance to the CPU of next least utilized CoreXL FW instance
    4. Turn on a new MQ queue on the “evicted” CPU
      Note: Eligible CoreXL SNDs must have a MQ queue ready
  1. If more FWs are needed
    1. Choose the last “stopped” CoreXL FW instance
    2. Turn off MQ queue from the CPU it originally occupied
    3. Move the chosen CoreXL FW instance to the original CPU it occupied
    4. Start dispatching new connections to that CoreXL FW instance
      Note: No more than the maximum number of FWs can be added

General

  • Supported on OS 3.10 (USFW/Kernel); Check Point appliances with 8 cores or more; VSX is currently a limitation
  • Supported on Cluster HA; VSLS is currently a limitation

For  further questions / feedback / suggestions for enhancements etc. – pls don’t hesitate to contact me directly - chenmu@checkpoint.com