This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
‎2020-09-02 10:39 PM
Jump to solution

R80.x Performance Tuning Tip - BIOS

An interesting point, in performance tuning are BIOS settings. Here we have to distinguish whether we are talking about open servers or applications.

With Check Point appliances the BIOS settings are set correctly and we don't have to do anything. This article (sk120915)  provides the list of Check Point appliances and the available BIOS versions. If there are problems, the TAC can make settings on the appliance.

The situation is different with Open Server. Here the BIOS settings are described in the HCL's if necessary.

In principle, various BIOS settings can be performed on Open Server for the following points. The names of the settings may be different depending on the hardware and processor generation.

Here is an overview of the most important BIOS points:

  • Intel Turbo Boost Technology (old name Turbo Mode) 
  • Intel SpeedStep settings
  • Energy/Performance Bias:
    • Memory Speed
    • CPU Speed
  • Energiy saving settings
    • Minimum Processor Idle Power C-States
    • Minimum Processor Idle Power Package C-States
  • Hyperthreading (SMT) settings (It is only supported from R80.40 on open servers)
  • X2APIC Support
  • AES-NI Support

Tip 1 - Intel Turbo Boost Technology

Turbo boost is not a stable technology, and offers clock rate increment according to how close the CPU is to its maximum TDP. At the moment, Check Point does not support this option and it is not working well in multiple core environments. More read here: sk134452

Tip 2 - HyperThreading

SMT (HyperThreading) is a feature that is supported on Check Point appliances running Gaia OS. When enabled, SMT doubles the number of logical CPUs on the Security Gateway, which enhances physical processor utilization. When SMT is disabled, the number of logical CPUs equals the number of physical cores. It is only supported for open server with R80.40 and higher. More read here: sk93000

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS. Therefore R80.20 and above Security Management, R80.20 and above Security Gateway with 3.10 kernel and next versions will have SMT on by default provided that the BIOS has it enabled.

Tip 3 – Energy- and Performance-Profile (DL360 / DL380)

What I see again in practice is that the servers are not set to maximum performance in the BIOS. This means that the processors and menory are not running at full power. This can be quickly changed with a simple BIOS setting. Here an example for a HP DL 360/380 server.

Example for HP DL 360/380 G10:

Max_Performance_HP_DL360_G10_public.png

Example for HP DL 360/380 G9:

Max_Performance_HP_DL360_G9_public.PNG

Tip 4 – Basic BIOS performance settings on open server

BIOS

Mode

Intel Turbo Boost

off                             (sk116732, sk134452)

Intel SpeedStep

off

SMT/Hyperthreading

off                             (sk93000)
on - >  (R80.40+ if necessary)

Intel Virtualization Technology

off                             (sk92374)

AES-NI Support

Enabled                   (sk110549, sk105119)

CPU Speed

maximum performance

Memory Speed

maximum performance

Energy/Performance Profile (HP server)

maximum performance

Thermal/Fan Mode

maximum performance

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2020-09-03 10:15 PM
In response to yilmac_g
Jump to solution

Hi @yilmac_g,

Reference : Does R80.40 support HP DL380 G10)

Dorit_Dor has written the following in this article:  

CUT>>>

for full transparency

r80.40 is kernel 3.10 and is good for open server except that while enabling hyper threading on open server for first time, we noticed few bugs (mainly licensing related). 

being VERY careful on quality we chose to list it as known limitation till one of the jumbo that fixes all bugs.

bottom line: the base works and if urgent, we can deal w issues as one off. Otherwise in very first jumbo’s will fix the few bugs and list it as supported. 

<<<CUT

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

HeikoAnkenbrand
Champion Champion
Champion
‎2020-09-04 10:55 PM
In response to Timothy_Hall
Jump to solution

Symptoms:
- An Open Server Dell 740/640/ HP ProLiant DL380p how more cores than there actually are. 
- Number of CPU cores in CoreXL license and in output of 'cplic print' do not match.
 

With the legacy kernel (2.6), the HyperThreading (HT) was disable by default for almost all deployment, except for high-end appliances.

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS (on or off).

Therefore R80.20/R80.30/r80.40 Security Management, R80.20 Security Gateway 3.10, R80.30 and next versions will have HT on by default (provided that the BIOS has it enabled).

Reference:
Number of CPU cores in CoreXL license and in output of 'cplic print' do not match 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

14 Replies
C-3PO
Participant
‎2020-09-02 11:07 PM
Jump to solution

Hi @HeikoAnkenbrand,

This is very interesting information. I have not yet thought about the implications of this.
Maybe our performance problems have to do with the BIOS settings. I will have a look at this. I will report back later.

Rudi
Participant
‎2020-09-02 11:18 PM
Jump to solution

Hello @HeikoAnkenbrand ,

This is an important point. A few months ago we adjusted our BIOS settings on an Open Server. Now we have much better throughput rates. 

0 Kudos
_Val_
Admin
Admin
‎2020-09-02 11:38 PM
Jump to solution

For SMT, you have to be sure your license allows doubled amount of cores. 

yilmac_g
Participant
‎2020-09-03 04:59 AM
Jump to solution

Hi @HeikoAnkenbrand,

I cannot find any information in sk93000 that R80.40 supports SMT.

HeikoAnkenbrand
Champion Champion
Champion
‎2020-09-03 10:15 PM
In response to yilmac_g
Jump to solution

Hi @yilmac_g,

Reference : Does R80.40 support HP DL380 G10)

Dorit_Dor has written the following in this article:  

CUT>>>

for full transparency

r80.40 is kernel 3.10 and is good for open server except that while enabling hyper threading on open server for first time, we noticed few bugs (mainly licensing related). 

being VERY careful on quality we chose to list it as known limitation till one of the jumbo that fixes all bugs.

bottom line: the base works and if urgent, we can deal w issues as one off. Otherwise in very first jumbo’s will fix the few bugs and list it as supported. 

<<<CUT

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion
‎2020-09-03 10:24 PM
In response to HeikoAnkenbrand
Jump to solution

You also need a larger core licence as described by @_Val_ 

From my point of view, HT on open servers makes no business-economic sense. Duplication of licences is expensive. In this case the processors cost much less than the licenses. I would also change the processors on the servers. Then you don't have to use lower performance of HT cores.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Timothy_Hall
Legend Legend
Legend
‎2020-09-04 05:40 AM
In response to HeikoAnkenbrand
Jump to solution

Completely agree with Heiko here as far as HT on open servers, here's what I had to say in the R80.40 addendum for my book:

p. 241: SMT/Hyperthreading is now supported on open hardware (i.e. not Check Point
firewall appliances) using the Gaia 3.10 kernel for the first time starting in R80.40 Jumbo
HFA 48+. Note however that from a licensing perspective on open hardware, each
logical core (of which there are usually two for each physical core) will be considered as

another physical core that must be separately licensed. The “container” portion of a
firewall license specifies the number of cores that a firewall is allowed to used for traffic
processing. Example: a 5900 series appliance has 8 physical cores and the included
license container for an appliance permits the use of all logical cores even if
SMT/Hyperthreading is enabled. That is NOT how it works on an open hardware
firewall. If SMT/Hyperthreading is enabled on an 8-core open hardware firewall there
will now be 16 logical cores, and the open hardware firewall must upgrade its container
license from 8 cores to 16 cores to use all of them. Considering that enabling
SMT/Hyperthreading grants a roughly 30% performance increase, with an open hardware
firewall in this scenario you would be paying for 8 more physical cores yet only really
getting about 30% of that performance. If at all possible on open hardware firewalls, add
more *physical* cores first instead of logical ones via SMT/Hyperthreading!

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
HeikoAnkenbrand
Champion Champion
Champion
‎2020-09-04 10:55 PM
In response to Timothy_Hall
Jump to solution

Symptoms:
- An Open Server Dell 740/640/ HP ProLiant DL380p how more cores than there actually are. 
- Number of CPU cores in CoreXL license and in output of 'cplic print' do not match.
 

With the legacy kernel (2.6), the HyperThreading (HT) was disable by default for almost all deployment, except for high-end appliances.

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS (on or off).

Therefore R80.20/R80.30/r80.40 Security Management, R80.20 Security Gateway 3.10, R80.30 and next versions will have HT on by default (provided that the BIOS has it enabled).

Reference:
Number of CPU cores in CoreXL license and in output of 'cplic print' do not match 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
onur
Participant
‎2020-09-09 08:38 AM
Jump to solution

Hi @HeikoAnkenbrand 

As always a very interesting information from you.

0 Kudos
nils_alfer
Contributor
‎2020-09-10 06:54 AM
Jump to solution

Are there any other BIOS settings to consider?

mats
Participant
‎2020-09-19 01:08 AM
In response to nils_alfer
Jump to solution

Hi @HeikoAnkenbrand 

As always a good performance tuning article.

Magnus-Holmberg
Advisor
Advisor
‎2020-09-19 09:21 AM
Jump to solution

On the HP DL360G10 servers i gotten the last months, then the BIOS is updated so the options do not look the same.
Have you have time to check the new bios?

Now its instead workload profiles, am not sure if you have checked these.
But more or less it looks like you need to run custom to be able to turn off intel turbo speed.
And there is alot more options then before, no longer just changing to max perf.

https://www.youtube.com/c/MagnusHolmberg-NetSec
president
Participant
‎2020-09-24 07:35 AM
In response to Magnus-Holmberg
Jump to solution

Yes this is true that the new BIOS has changed some settings significantly.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top