This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Help
Highlighted
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-09-03 08:02 AM

R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

Jump to solution

 

An extract from the readme with information about R80.40:

CUT>>

CoreXL and Multi-Queue

  • Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
  • Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load

<<<CUT


Do you have any information on how the algorithms will work?
According to which criteria will the distribution take place?

How will this work with a ClusterXL?

 

Tags (2)
Reply
1 Solution

Accepted Solutions
Chen_Muchtar
Employee
Employee
‎2019-09-09 01:15 PM

Re: R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

Jump to solution

Hi Heiko,

Addressing your question per algorithm concept:

Essence:

  • Changing CoreXL split between FW workers and SND on the fly based on CPU utilization

Deciding keys:

  1. The average utilization of CoreXL SNDs and FWs are regularly sampled
  2. If either CoreXL SNDs or FWs utilization is higher than the other, perform an estimate of utilization post “migrating” a CPU to the other group
    Note: when SMT is on, change is doubled

Flows:

  1. If more SNDs are needed
    1. Find least utilized CoreXL FW instance
    2. Stop dispatching new connections to the least utilized CoreXL FW instance
    3. Move the CoreXL FW instance to the CPU of next least utilized CoreXL FW instance
    4. Turn on a new MQ queue on the “evicted” CPU
      Note: Eligible CoreXL SNDs must have a MQ queue ready
  1. If more FWs are needed
    1. Choose the last “stopped” CoreXL FW instance
    2. Turn off MQ queue from the CPU it originally occupied
    3. Move the chosen CoreXL FW instance to the original CPU it occupied
    4. Start dispatching new connections to that CoreXL FW instance
      Note: No more than the maximum number of FWs can be added

General

  • Supported on OS 3.10 (USFW/Kernel); Check Point appliances with 8 cores or more; VSX is currently a limitation
  • Supported on Cluster HA; VSLS is currently a limitation

For  further questions / feedback / suggestions for enhancements etc. – pls don’t hesitate to contact me directly - chenmu@checkpoint.com

View solution in original post

Reply
4 Replies
Timothy_Hall
Timothy_Hall
Pearl
‎2019-09-03 08:29 AM

Re: R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

Jump to solution

Great questions Heiko, I'm assuming this is all predicated on the new Gaia 3.10 kernel and USFW being enabled in R80.40...

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-09-05 12:12 PM

Re: R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

Jump to solution

Any news here from Check Point?

Tags (1)
0 Kudos
Reply
Tsvika_Gilman
Tsvika_Gilman
Nickel
‎2019-09-05 10:53 PM

Re: R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

Jump to solution

That's an interesting question. I would prefer a manual configuration if I didn't know how it works.

 

Reply
Chen_Muchtar
Employee
Employee
‎2019-09-09 01:15 PM

Re: R80.40 automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue

Jump to solution

Hi Heiko,

Addressing your question per algorithm concept:

Essence:

  • Changing CoreXL split between FW workers and SND on the fly based on CPU utilization

Deciding keys:

  1. The average utilization of CoreXL SNDs and FWs are regularly sampled
  2. If either CoreXL SNDs or FWs utilization is higher than the other, perform an estimate of utilization post “migrating” a CPU to the other group
    Note: when SMT is on, change is doubled

Flows:

  1. If more SNDs are needed
    1. Find least utilized CoreXL FW instance
    2. Stop dispatching new connections to the least utilized CoreXL FW instance
    3. Move the CoreXL FW instance to the CPU of next least utilized CoreXL FW instance
    4. Turn on a new MQ queue on the “evicted” CPU
      Note: Eligible CoreXL SNDs must have a MQ queue ready
  1. If more FWs are needed
    1. Choose the last “stopped” CoreXL FW instance
    2. Turn off MQ queue from the CPU it originally occupied
    3. Move the chosen CoreXL FW instance to the original CPU it occupied
    4. Start dispatching new connections to that CoreXL FW instance
      Note: No more than the maximum number of FWs can be added

General

  • Supported on OS 3.10 (USFW/Kernel); Check Point appliances with 8 cores or more; VSX is currently a limitation
  • Supported on Cluster HA; VSLS is currently a limitation

For  further questions / feedback / suggestions for enhancements etc. – pls don’t hesitate to contact me directly - chenmu@checkpoint.com

View solution in original post

Reply