This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-03 08:02 AM
Jump to solution

R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

 

An extract from the readme with information about R80.40:

CUT>>

CoreXL and Multi-Queue

  • Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
  • Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load

<<<CUT


Do you have any information on how the algorithms will work?
According to which criteria will the distribution take place?

How will this work with a ClusterXL?

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
1 Solution

Accepted Solutions
Chen_Muchtar
Employee
Employee
‎2019-09-09 01:15 PM
In response to HeikoAnkenbrand
Jump to solution

Hi Heiko,

Addressing your question per algorithm concept:

Essence:

  • Changing CoreXL split between FW workers and SND on the fly based on CPU utilization

Deciding keys:

  1. The average utilization of CoreXL SNDs and FWs are regularly sampled
  2. If either CoreXL SNDs or FWs utilization is higher than the other, perform an estimate of utilization post “migrating” a CPU to the other group
    Note: when SMT is on, change is doubled

Flows:

  1. If more SNDs are needed
    1. Find least utilized CoreXL FW instance
    2. Stop dispatching new connections to the least utilized CoreXL FW instance
    3. Move the CoreXL FW instance to the CPU of next least utilized CoreXL FW instance
    4. Turn on a new MQ queue on the “evicted” CPU
      Note: Eligible CoreXL SNDs must have a MQ queue ready
  1. If more FWs are needed
    1. Choose the last “stopped” CoreXL FW instance
    2. Turn off MQ queue from the CPU it originally occupied
    3. Move the chosen CoreXL FW instance to the original CPU it occupied
    4. Start dispatching new connections to that CoreXL FW instance
      Note: No more than the maximum number of FWs can be added

General

  • Supported on OS 3.10 (USFW/Kernel); Check Point appliances with 8 cores or more; VSX is currently a limitation
  • Supported on Cluster HA; VSLS is currently a limitation

For  further questions / feedback / suggestions for enhancements etc. – pls don’t hesitate to contact me directly - chenmu@checkpoint.com

View solution in original post

4 Replies
Timothy_Hall
Legend Legend
Legend
‎2019-09-03 08:29 AM
Jump to solution

Great questions Heiko, I'm assuming this is all predicated on the new Gaia 3.10 kernel and USFW being enabled in R80.40...

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-05 12:12 PM
Jump to solution

Any news here from Check Point?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Tsvika_Gilman
Contributor
‎2019-09-05 10:53 PM
In response to HeikoAnkenbrand
Jump to solution

That's an interesting question. I would prefer a manual configuration if I didn't know how it works.

 

Chen_Muchtar
Employee
Employee
‎2019-09-09 01:15 PM
In response to HeikoAnkenbrand
Jump to solution

Hi Heiko,

Addressing your question per algorithm concept:

Essence:

  • Changing CoreXL split between FW workers and SND on the fly based on CPU utilization

Deciding keys:

  1. The average utilization of CoreXL SNDs and FWs are regularly sampled
  2. If either CoreXL SNDs or FWs utilization is higher than the other, perform an estimate of utilization post “migrating” a CPU to the other group
    Note: when SMT is on, change is doubled

Flows:

  1. If more SNDs are needed
    1. Find least utilized CoreXL FW instance
    2. Stop dispatching new connections to the least utilized CoreXL FW instance
    3. Move the CoreXL FW instance to the CPU of next least utilized CoreXL FW instance
    4. Turn on a new MQ queue on the “evicted” CPU
      Note: Eligible CoreXL SNDs must have a MQ queue ready
  1. If more FWs are needed
    1. Choose the last “stopped” CoreXL FW instance
    2. Turn off MQ queue from the CPU it originally occupied
    3. Move the chosen CoreXL FW instance to the original CPU it occupied
    4. Start dispatching new connections to that CoreXL FW instance
      Note: No more than the maximum number of FWs can be added

General

  • Supported on OS 3.10 (USFW/Kernel); Check Point appliances with 8 cores or more; VSX is currently a limitation
  • Supported on Cluster HA; VSLS is currently a limitation

For  further questions / feedback / suggestions for enhancements etc. – pls don’t hesitate to contact me directly - chenmu@checkpoint.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events