An interesting point in performance tuning is the BIOS settings. Here we have to distinguish whether we are talking about open servers or applications.
With Check Point appliances the BIOS settings are set correctly and we don't have to do anything. This article (sk120915) provides the list of Check Point appliances and the available BIOS versions. If there are problems, the TAC can make settings on the appliance.
The situation is different with Open Server. Here the BIOS settings are described in the HCLs if necessary.
In principle, various BIOS settings can be performed on Open Server for the following points. The names of the settings may be different depending on the hardware and processor generation.
Here is an overview of the most important BIOS points:
Tip 1 - Intel Turbo Boost Technology
Turbo boost is not a stable technology, and offers clock rate increment according to how close the CPU is to its maximum TDP. At the moment, Check Point does not support this option and it is not working well in multiple core environments. Read more here: sk134452
Tip 2 - HyperThreading
SMT (HyperThreading) is a feature that is supported on Check Point appliances running Gaia OS. When enabled, SMT doubles the number of logical CPUs on the Security Gateway, which enhances physical processor utilization. When SMT is disabled, the number of logical CPUs equals the number of physical cores. It is only supported for open server with R80.40 and higher. Read more here: sk93000
With new kernel 3.10 for R80.20, R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS. Therefore R80.20 and above Security Management, R80.20 and above Security Gateway with 3.10 kernel and next versions will have SMT on by default provided that the BIOS has it enabled.
Tip 3 – Energy- and Performance-Profile (DL360 / DL380)
What I see again in practice is that the servers are not set to maximum performance in the BIOS. This means that the processors and memory are not running at full power. This can be quickly changed with a simple BIOS setting. Here is an example for an HP DL 360/380 server.
Example for HP DL 360/380 G10:
Example for HP DL 360/380 G9:
Tip 4 – Basic BIOS performance settings on open server
| BIOS | Mode |
|---|---|
| Intel Turbo Boost | |
| Intel SpeedStep | off |
| SMT/Hyperthreading | off (sk93000) |
| Intel Virtualization Technology | off (sk92374) |
| AES-NI Support | |
| CPU Speed | maximum performance |
| Memory Speed | maximum performance |
| Energy/Performance Profile (HP server) | maximum performance |
| Thermal/Fan Mode | maximum performance |
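To check from the running system whether the BIOS SMT setting actually took effect, and how the logical CPU count compares with the licensed core count, the following is an added example and not part of the original post. It assumes the standard x86 Linux `/proc/cpuinfo` field names; the function names are hypothetical and the licensed core count is a number the operator supplies.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# sample_cpuinfo CORES THREADS: print constructed cpuinfo-style stanzas for
# one socket (test data only, not taken from a real gateway).
sample_cpuinfo() {
    awk -v cores="$1" -v threads="$2" 'BEGIN {
        n = 0
        for (t = 0; t < threads; t++)
            for (c = 0; c < cores; c++)
                printf "processor\t: %d\nphysical id\t: 0\ncore id\t\t: %d\n\n", n++, c
    }'
}

# cpu_topology [FILE]: count logical CPUs and unique (socket, core) pairs.
# SMT is reported "on" when there are more logical CPUs than physical cores.
cpu_topology() {
    awk -F: '
        { key = $1; val = $2
          gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val) }
        key == "processor"   { logical++ }
        key == "physical id" { pkg = val }
        key == "core id"     { seen[pkg ":" val] = 1 }
        END {
            for (k in seen) physical++
            if (physical == 0) physical = logical  # topology fields not exposed
            printf "logical=%d physical=%d smt=%s\n", logical, physical,
                   (logical > physical ? "on" : "off")
        }' "${1:-/proc/cpuinfo}"
}

# license_gap FILE LICENSED_CORES: number of logical CPUs not covered by the
# licensed core count (0 means the license covers all of them).
license_gap() {
    logical=$(cpu_topology "$1" | sed 's/^logical=\([0-9]*\).*/\1/')
    gap=$((logical - $2))
    [ "$gap" -gt 0 ] || gap=0
    echo "$gap"
}

# Stand-alone run: report the topology of the local machine.
if [ -r /proc/cpuinfo ]; then
    cpu_topology /proc/cpuinfo
fi
```

For an 8-core open server with SMT enabled and an 8-core license, `license_gap` reports 8 uncovered logical CPUs.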
Hi @HeikoAnkenbrand,
This is very interesting information. I have not yet thought about the implications of this.
Maybe our performance problems have to do with the BIOS settings. I will have a look at this. I will report back later.
Hello @HeikoAnkenbrand ,
This is an important point. A few months ago we adjusted our BIOS settings on an Open Server. Now we have much better throughput rates.
For SMT, you have to be sure your license allows the doubled amount of cores.
Hi @HeikoAnkenbrand,
I cannot find any information in sk93000 that R80.40 supports SMT.
Hi @yilmac_g,
Reference: Does R80.40 support HP DL380 G10
Dorit_Dor has written the following in this article:
for full transparency
r80.40 is kernel 3.10 and is good for open server except that while enabling hyper threading on open server for first time, we noticed few bugs (mainly licensing related).
being VERY careful on quality we chose to list it as known limitation till one of the jumbo that fixes all bugs.
bottom line: the base works and if urgent, we can deal w issues as one off. Otherwise in very first jumbo’s will fix the few bugs and list it as supported.
<<<CUT
You also need a larger core licence as described by @_Val_
From my point of view, HT on open servers makes no business-economic sense. Duplication of licences is expensive. In this case the processors cost much less than the licenses. I would also change the processors on the servers. Then you don't have to use lower performance of HT cores.
Completely agree with Heiko here as far as HT on open servers, here's what I had to say in the R80.40 addendum for my book:
p. 241: SMT/Hyperthreading is now supported on open hardware (i.e. not Check Point
firewall appliances) using the Gaia 3.10 kernel for the first time starting in R80.40 Jumbo
HFA 48+. Note however that from a licensing perspective on open hardware, each
logical core (of which there are usually two for each physical core) will be considered as
another physical core that must be separately licensed. The “container” portion of a
firewall license specifies the number of cores that a firewall is allowed to use for traffic
processing. Example: a 5900 series appliance has 8 physical cores and the included
license container for an appliance permits the use of all logical cores even if
SMT/Hyperthreading is enabled. That is NOT how it works on an open hardware
firewall. If SMT/Hyperthreading is enabled on an 8-core open hardware firewall there
will now be 16 logical cores, and the open hardware firewall must upgrade its container
license from 8 cores to 16 cores to use all of them. Considering that enabling
SMT/Hyperthreading grants a roughly 30% performance increase, with an open hardware
firewall in this scenario you would be paying for 8 more physical cores yet only really
getting about 30% of that performance. If at all possible on open hardware firewalls, add
more *physical* cores first instead of logical ones via SMT/Hyperthreading!
With the legacy kernel (2.6), the HyperThreading (HT) was disabled by default for almost all deployments, except for high-end appliances.
With new kernel 3.10 for R80.20, R80.30 and R80.40 Check Point aligned with the industry and now HT is set and controlled by the BIOS (on or off).
Therefore R80.20/R80.30/r80.40 Security Management, R80.20 Security Gateway 3.10, R80.30 and next versions will have HT on by default (provided that the BIOS has it enabled).
Reference:
Number of CPU cores in CoreXL license and in output of 'cplic print' do not match
As always, very interesting information from you.
Are there any other BIOS settings to consider?
As always a good performance tuning article.
👍
On the HP DL360 G10 servers I have gotten in the last months, the BIOS is updated so the options do not look the same.
Have you had time to check the new BIOS?
Now it's workload profiles instead; I am not sure if you have checked these.
But more or less it looks like you need to run custom to be able to turn off Intel turbo speed.
And there are a lot more options than before, no longer just changing to max perf.
Yes this is true that the new BIOS has changed some settings significantly.