Solved: Re: R80.x Performance Tuning Tip - BIOS

HeikoAnkenbrand · ‎2020-09-02

An interesting point, in performance tuning are BIOS settings. Here we have to distinguish whether we are talking about open servers or applications.

With Check Point appliances the BIOS settings are set correctly and we don't have to do anything. This article (sk120915) provides the list of Check Point appliances and the available BIOS versions. If there are problems, the TAC can make settings on the appliance.

The situation is different with Open Server. Here the BIOS settings are described in the HCL's if necessary.

In principle, various BIOS settings can be performed on Open Server for the following points. The names of the settings may be different depending on the hardware and processor generation.

Here is an overview of the most important BIOS points:

Intel Turbo Boost Technology (old name Turbo Mode)
Intel SpeedStep settings
Energy/Performance Bias:
- Memory Speed
- CPU Speed
Energiy saving settings
- Minimum Processor Idle Power C-States
- Minimum Processor Idle Power Package C-States

Hyperthreading (SMT) settings (It is only supported from R80.40 on open servers)
X2APIC Support
AES-NI Support

Tip 1 - Intel Turbo Boost Technology

Turbo boost is not a stable technology, and offers clock rate increment according to how close the CPU is to its maximum TDP. At the moment, Check Point does not support this option and it is not working well in multiple core environments. More read here: sk134452

Tip 2 - HyperThreading

SMT (HyperThreading) is a feature that is supported on Check Point appliances running Gaia OS. When enabled, SMT doubles the number of logical CPUs on the Security Gateway, which enhances physical processor utilization. When SMT is disabled, the number of logical CPUs equals the number of physical cores. It is only supported for open server with R80.40 and higher. More read here: sk93000

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS. Therefore R80.20 and above Security Management, R80.20 and above Security Gateway with 3.10 kernel and next versions will have SMT on by default provided that the BIOS has it enabled.

Tip 3 – Energy- and Performance-Profile (DL360 / DL380)

What I see again in practice is that the servers are not set to maximum performance in the BIOS. This means that the processors and menory are not running at full power. This can be quickly changed with a simple BIOS setting. Here an example for a HP DL 360/380 server.

Example for HP DL 360/380 G10:

Example for HP DL 360/380 G9:

Tip 4 – Basic BIOS performance settings on open server

BIOS	Mode
Intel Turbo Boost	off (sk116732, sk134452)
Intel SpeedStep	off
SMT/Hyperthreading	off (sk93000) on - > (R80.40+ if necessary)
Intel Virtualization Technology	off (sk92374)
AES-NI Support	Enabled (sk110549, sk105119)
CPU Speed	maximum performance
Memory Speed	maximum performance
Energy/Performance Profile (HP server)	maximum performance
Thermal/Fan Mode	maximum performance

HeikoAnkenbrand · ‎2020-09-03

Hi @yilmac_g,

Reference : Does R80.40 support HP DL380 G10)

Dorit_Dor has written the following in this article:

CUT>>>

for full transparency

r80.40 is kernel 3.10 and is good for open server except that while enabling hyper threading on open server for first time, we noticed few bugs (mainly licensing related).

being VERY careful on quality we chose to list it as known limitation till one of the jumbo that fixes all bugs.

bottom line: the base works and if urgent, we can deal w issues as one off. Otherwise in very first jumbo’s will fix the few bugs and list it as supported.

<<<CUT

View solution in original post

HeikoAnkenbrand · ‎2020-09-04

Symptoms:

- An Open Server Dell 740/640/ HP ProLiant DL380p how more cores than there actually are.

- Number of CPU cores in CoreXL license and in output of 'cplic print' do not match.

With the legacy kernel (2.6), the HyperThreading (HT) was disable by default for almost all deployment, except for high-end appliances.

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS (on or off).

Therefore R80.20/R80.30/r80.40 Security Management, R80.20 Security Gateway 3.10, R80.30 and next versions will have HT on by default (provided that the BIOS has it enabled).

Reference:
Number of CPU cores in CoreXL license and in output of 'cplic print' do not match

View solution in original post

C-3PO · ‎2020-09-02

Hi @HeikoAnkenbrand,

This is very interesting information. I have not yet thought about the implications of this.
Maybe our performance problems have to do with the BIOS settings. I will have a look at this. I will report back later.

Rudi · ‎2020-09-02

Hello @HeikoAnkenbrand ,

This is an important point. A few months ago we adjusted our BIOS settings on an Open Server. Now we have much better throughput rates.

_Val_ · ‎2020-09-02

For SMT, you have to be sure your license allows doubled amount of cores.

yilmac_g · ‎2020-09-03

Hi @HeikoAnkenbrand,

I cannot find any information in sk93000 that R80.40 supports SMT.

HeikoAnkenbrand · ‎2020-09-03

Hi @yilmac_g,

Reference : Does R80.40 support HP DL380 G10)

Dorit_Dor has written the following in this article:

CUT>>>

for full transparency

r80.40 is kernel 3.10 and is good for open server except that while enabling hyper threading on open server for first time, we noticed few bugs (mainly licensing related).

being VERY careful on quality we chose to list it as known limitation till one of the jumbo that fixes all bugs.

bottom line: the base works and if urgent, we can deal w issues as one off. Otherwise in very first jumbo’s will fix the few bugs and list it as supported.

<<<CUT

View solution in original post

HeikoAnkenbrand · ‎2020-09-03

You also need a larger core licence as described by @_Val_

From my point of view, HT on open servers makes no business-economic sense. Duplication of licences is expensive. In this case the processors cost much less than the licenses. I would also change the processors on the servers. Then you don't have to use lower performance of HT cores.

Timothy_Hall · ‎2020-09-04

Completely agree with Heiko here as far as HT on open servers, here's what I had to say in the R80.40 addendum for my book:

p. 241: SMT/Hyperthreading is now supported on open hardware (i.e. not Check Point
firewall appliances) using the Gaia 3.10 kernel for the first time starting in R80.40 Jumbo
HFA 48+. Note however that from a licensing perspective on open hardware, each
logical core (of which there are usually two for each physical core) will be considered as

another physical core that must be separately licensed. The “container” portion of a
firewall license specifies the number of cores that a firewall is allowed to used for traffic
processing. Example: a 5900 series appliance has 8 physical cores and the included
license container for an appliance permits the use of all logical cores even if
SMT/Hyperthreading is enabled. That is NOT how it works on an open hardware
firewall. If SMT/Hyperthreading is enabled on an 8-core open hardware firewall there
will now be 16 logical cores, and the open hardware firewall must upgrade its container
license from 8 cores to 16 cores to use all of them. Considering that enabling
SMT/Hyperthreading grants a roughly 30% performance increase, with an open hardware
firewall in this scenario you would be paying for 8 more physical cores yet only really
getting about 30% of that performance. If at all possible on open hardware firewalls, add
more *physical* cores first instead of logical ones via SMT/Hyperthreading!

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

HeikoAnkenbrand · ‎2020-09-04

Symptoms:

- An Open Server Dell 740/640/ HP ProLiant DL380p how more cores than there actually are.

- Number of CPU cores in CoreXL license and in output of 'cplic print' do not match.

With the legacy kernel (2.6), the HyperThreading (HT) was disable by default for almost all deployment, except for high-end appliances.

With new kernel 3.10 for R80.20 ,R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS (on or off).

Therefore R80.20/R80.30/r80.40 Security Management, R80.20 Security Gateway 3.10, R80.30 and next versions will have HT on by default (provided that the BIOS has it enabled).

Reference:
Number of CPU cores in CoreXL license and in output of 'cplic print' do not match

View solution in original post

onur · ‎2020-09-09

Hi @HeikoAnkenbrand

As always a very interesting information from you.

nils_alfer · ‎2020-09-10

Are there any other BIOS settings to consider?

mats · ‎2020-09-19

Hi @HeikoAnkenbrand

As always a good performance tuning article.

eitan_tanami · ‎2020-09-13

👍

Magnus-Holmberg · ‎2020-09-19

On the HP DL360G10 servers i gotten the last months, then the BIOS is updated so the options do not look the same.
Have you have time to check the new bios?

Now its instead workload profiles, am not sure if you have checked these.
But more or less it looks like you need to run custom to be able to turn off intel turbo speed.
And there is alot more options then before, no longer just changing to max perf.

https://www.youtube.com/c/MagnusHolmberg-NetSec

president · ‎2020-09-24

Yes this is true that the new BIOS has changed some settings significantly.

R80.x Performance Tuning Tip - BIOS

User realname, load configuration and other joys o...

Search unused rules

PPPOE connection in Clusterxl

Logs with Blank Action

What is the purpose of these licenses