Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion
Jump to solution

R80.x Performance Tuning Tip - BIOS

An interesting point, in performance tuning are BIOS settings. Here we have to distinguish whether we are talking about open servers or applications.

With Check Point appliances the BIOS settings are set correctly and we don't have to do anything. This article (sk120915)  provides the list of Check Point appliances and the available BIOS versions. If there are problems, the TAC can make settings on the appliance.

The situation is different with Open Server. Here the BIOS settings are described in the HCL's if necessary.

In principle, various BIOS settings can be performed on Open Server for the following points. The names of the settings may be different depending on the hardware and processor generation.

Here is an overview of the most important BIOS points:

  • Intel Turbo Boost Technology (old name Turbo Mode) 
  • Intel SpeedStep settings
  • Energy/Performance Bias:
    • Memory Speed
    • CPU Speed
  • Energiy saving settings
    • Minimum Processor Idle Power C-States
    • Minimum Processor Idle Power Package C-States
  • Hyperthreading (SMT) settings (It is only supported from R80.40 on open servers)
  • X2APIC Support
  • AES-NI Support

Tip 1 - Intel Turbo Boost Technology

Turbo boost is not a stable technology, and offers clock rate increment according to how close the CPU is to its maximum TDP. At the moment, Check Point does not support this option and it is not working well in multiple core environments. More read here: sk134452

Tip 2 - HyperThreading

SMT (HyperThreading) is a feature that is supported on Check Point appliances running Gaia OS. When enabled, SMT doubles the number of logical CPUs on the Security Gateway, which enhances physical processor utilization. When SMT is disabled, the number of logical CPUs equals the number of physical cores. It is only supported for open server with R80.40 and higher. More read here: sk93000

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS. Therefore R80.20 and above Security Management, R80.20 and above Security Gateway with 3.10 kernel and next versions will have SMT on by default provided that the BIOS has it enabled.

Tip 3 – Energy- and Performance-Profile (DL360 / DL380)

What I see again in practice is that the servers are not set to maximum performance in the BIOS. This means that the processors and menory are not running at full power. This can be quickly changed with a simple BIOS setting. Here an example for a HP DL 360/380 server.

Example for HP DL 360/380 G10:

Max_Performance_HP_DL360_G10_public.png

Example for HP DL 360/380 G9:

Max_Performance_HP_DL360_G9_public.PNG

Tip 4 – Basic BIOS performance settings on open server

BIOS

Mode

Intel Turbo Boost

off                             (sk116732, sk134452)

Intel SpeedStep

off

SMT/Hyperthreading

off                             (sk93000)
on - >  (R80.40+ if necessary)

Intel Virtualization Technology

off                             (sk92374)

AES-NI Support

Enabled                   (sk110549, sk105119)

CPU Speed

maximum performance

Memory Speed

maximum performance

Energy/Performance Profile (HP server)

maximum performance

Thermal/Fan Mode

maximum performance

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion

Hi @yilmac_g,

Reference : Does R80.40 support HP DL380 G10)

Dorit_Dor has written the following in this article:  

CUT>>>

for full transparency

r80.40 is kernel 3.10 and is good for open server except that while enabling hyper threading on open server for first time, we noticed few bugs (mainly licensing related). 

being VERY careful on quality we chose to list it as known limitation till one of the jumbo that fixes all bugs.

bottom line: the base works and if urgent, we can deal w issues as one off. Otherwise in very first jumbo’s will fix the few bugs and list it as supported. 

<<<CUT

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

(1)
HeikoAnkenbrand
Champion Champion
Champion
Symptoms:
- An Open Server Dell 740/640/ HP ProLiant DL380p how more cores than there actually are. 
- Number of CPU cores in CoreXL license and in output of 'cplic print' do not match.
 

With the legacy kernel (2.6), the HyperThreading (HT) was disable by default for almost all deployment, except for high-end appliances.

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS (on or off).

Therefore R80.20/R80.30/r80.40 Security Management, R80.20 Security Gateway 3.10, R80.30 and next versions will have HT on by default (provided that the BIOS has it enabled).

Reference:
Number of CPU cores in CoreXL license and in output of 'cplic print' do not match 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

(1)
14 Replies
C-3PO
Participant

Hi @HeikoAnkenbrand,

This is very interesting information. I have not yet thought about the implications of this.
Maybe our performance problems have to do with the BIOS settings. I will have a look at this. I will report back later.

Rudi
Participant

Hello @HeikoAnkenbrand ,

This is an important point. A few months ago we adjusted our BIOS settings on an Open Server. Now we have much better throughput rates. 

0 Kudos
_Val_
Admin
Admin

For SMT, you have to be sure your license allows doubled amount of cores. 

yilmac_g
Participant

Hi @HeikoAnkenbrand,

I cannot find any information in sk93000 that R80.40 supports SMT.

HeikoAnkenbrand
Champion Champion
Champion

Hi @yilmac_g,

Reference : Does R80.40 support HP DL380 G10)

Dorit_Dor has written the following in this article:  

CUT>>>

for full transparency

r80.40 is kernel 3.10 and is good for open server except that while enabling hyper threading on open server for first time, we noticed few bugs (mainly licensing related). 

being VERY careful on quality we chose to list it as known limitation till one of the jumbo that fixes all bugs.

bottom line: the base works and if urgent, we can deal w issues as one off. Otherwise in very first jumbo’s will fix the few bugs and list it as supported. 

<<<CUT

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(1)
HeikoAnkenbrand
Champion Champion
Champion

You also need a larger core licence as described by @_Val_ 

From my point of view, HT on open servers makes no business-economic sense. Duplication of licences is expensive. In this case the processors cost much less than the licenses. I would also change the processors on the servers. Then you don't have to use lower performance of HT cores.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Timothy_Hall
Legend Legend
Legend

Completely agree with Heiko here as far as HT on open servers, here's what I had to say in the R80.40 addendum for my book:

p. 241: SMT/Hyperthreading is now supported on open hardware (i.e. not Check Point
firewall appliances) using the Gaia 3.10 kernel for the first time starting in R80.40 Jumbo
HFA 48+. Note however that from a licensing perspective on open hardware, each
logical core (of which there are usually two for each physical core) will be considered as

another physical core that must be separately licensed. The “container” portion of a
firewall license specifies the number of cores that a firewall is allowed to used for traffic
processing. Example: a 5900 series appliance has 8 physical cores and the included
license container for an appliance permits the use of all logical cores even if
SMT/Hyperthreading is enabled. That is NOT how it works on an open hardware
firewall. If SMT/Hyperthreading is enabled on an 8-core open hardware firewall there
will now be 16 logical cores, and the open hardware firewall must upgrade its container
license from 8 cores to 16 cores to use all of them. Considering that enabling
SMT/Hyperthreading grants a roughly 30% performance increase, with an open hardware
firewall in this scenario you would be paying for 8 more physical cores yet only really
getting about 30% of that performance. If at all possible on open hardware firewalls, add
more *physical* cores first instead of logical ones via SMT/Hyperthreading!

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
HeikoAnkenbrand
Champion Champion
Champion
Symptoms:
- An Open Server Dell 740/640/ HP ProLiant DL380p how more cores than there actually are. 
- Number of CPU cores in CoreXL license and in output of 'cplic print' do not match.
 

With the legacy kernel (2.6), the HyperThreading (HT) was disable by default for almost all deployment, except for high-end appliances.

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS (on or off).

Therefore R80.20/R80.30/r80.40 Security Management, R80.20 Security Gateway 3.10, R80.30 and next versions will have HT on by default (provided that the BIOS has it enabled).

Reference:
Number of CPU cores in CoreXL license and in output of 'cplic print' do not match 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(1)
onur
Participant

Hi @HeikoAnkenbrand 

As always a very interesting information from you.

0 Kudos
nils_alfer
Contributor

Are there any other BIOS settings to consider?

mats
Participant

Hi @HeikoAnkenbrand 

As always a good performance tuning article.

eitan_tanami
Participant

👍

Magnus-Holmberg
Advisor

On the HP DL360G10 servers i gotten the last months, then the BIOS is updated so the options do not look the same.
Have you have time to check the new bios?

Now its instead workload profiles, am not sure if you have checked these.
But more or less it looks like you need to run custom to be able to turn off intel turbo speed.
And there is alot more options then before, no longer just changing to max perf.

https://www.youtube.com/c/MagnusHolmberg-NetSec
president
Participant

Yes this is true that the new BIOS has changed some settings significantly.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events