Dario1
Participant

VSX Cluster - ClusterXL and Dynamic balancing advice please.

Hi, any expert help on this topic would be much appreciated.

Historically we run VSX with ClusterXL and Dynamic balancing disabled. Distribution of VSX VS's is equally loaded as well as manually set for some environments. This was rolled out before my time so not sure if this is the recommended config or the reason for those historic choices.

I have read the SK's on ClusterXL and Dynamic balancing VSX section but still don’t fully understand what the recommended ClusterXL and Dynamic balancing configuration would be for a load sharing VSX Cluster.

I am looking to build a new VSX cluster with 3 x 16200 running R81.10 latest JHF for a new project. My thoughts are we should enable ClusterXL as well as Dynamic balancing and enable VS load sharing just in case we get hit with Elephant Flows on the public VS's which did cause us significant performance issues in the past.

 

Expert advice on the above scenario and clarification on recommended CP config would be much appreciated.

I have checked VSX R81 Admin guide "Optimising VSX" section and there is very little in there.

 

Thanks for your help.

 

Our existing Historic VSX config          

ClusterXL and Dynamic balancing is disabled.

Distribution of VSX VS's is equally loaded.

 

VS Load Sharing - Menu

________________________________

1. Display current VS Load sharing configuration

2. Distribute all Virtual Systems so that each cluster member is equally loaded

 

 

I read the SK below but I still don't know if those are recommended options.

Dynamic Balancing for CoreXL- sk164155  

How does it work with VSX?

Dynamic Balancing in VSX is similar to Security Gateways in that it aims to balance the SNDs and FWs cores. As opposed to Security Gateways, FW instances do not have static core affinity, and their amount does not determine the amount of SNDs. As a result, Dynamic Balancing does not require a certain amount of FW instances to be configured, and only adjusts their core affinity.

When adding an SND, the feature sets the affinity of FWK processes in all VSs to the list of new cores (rather than move a FW instance from one core to a different core, as done in Security Gateways). The maximum quantity of SND cores will be according to the NIC driver, with the highest number of queues in all VSs.

When you add a VS, the feature sets the new VS’s FWK to the current FWKs cores affinity.

 If Dynamic Balancing is enabled, is CoreXL setting in cpconfig disabled ? Meaning I am not able to change CoreXL numbers?

No, but changes made in the CoreXL cpconfig only take effect after reboot. Note that rebooting with a non-default instance number (i.e. manual changes done by the user) will prevent Dynamic Balancing from starting in order not to overwrite users' actions (a proper alert to the user is to be sent in such cases).

2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion

1) In VSX environments, you only set the number of CoreXL instances for VS0 with cpconfig. Therefore, you can leave it set to disable.

2) Dynamic Balancing (Dynamic Split) is a performance-enhancing daemon that balances the load between CoreXL SNDs and CoreXL Firewalls. It dynamically changes the split between CoreXL SNDs and CoreXL Firewalls and does not require a reboot or cause an outage.

Dynamic Balancing for CoreXL is supported in VSX for all models in the 16000 series with R81 with Jumbo Hotfix Take 58, or R81.10 and higher versions. Starting in R81.20, VSX support is on by default.

Dynamic Balancing manages network card ports that have Multi-Queue enabled. The "mq_mng --show" command shows such ports as "Dynamic". While Dynamic Balancing is active, it assumes control over several resources (listed below). Manual changes may not work, or cause Dynamic Balancing to stop its work (refer to sk163815 for more details).

To enable Dynamic Balancing use the following command in Expert mode:
# dynamic_balancing -o enable

3) Personally, I prefer to use a customised SND and CoreXL allocation and adjust it according to performance requirements but both options are possible.

4) PS: I would distribute the VS instances in VSX load sharing mode across all three gateways depending on the performance requirements.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


HeikoAnkenbrand
Champion

You can find more tuning tips here:
R81.x Architecture and Performance Tuning - Link Collection

Section -> Performance tuning TIP's

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

6 Replies
Dario1
Participant

Thank you so much for the clarification above as well as the performance tuning link collection.

That collection of tips and tricks will keep me busy for a while.

Regards

D

AmitShmuel
Employee

Regarding this FAQ:
If Dynamic Balancing is enabled, is CoreXL setting in cpconfig disabled ? Meaning I am not able to change CoreXL numbers?

I've requested to clarify in the SK that it is only applicable to Security Gateways, since, as stated, in VSX, Dynamic Balancing does not require a certain amount of FW instances to be configured, and only adjusts their core affinity. That means that it is the user's responsibility to define the number of instances per VS; Dynamic Balancing will take care of the number of CPUs these instances will use at any given time.

Wolfgang
Authority

@Dario1 why not build your new environment based on Maestro with VSX (Check Point Maestro Hyperscale Network Security)?

Dario1
Participant

Amit, many thanks for looking into further clarification. Thanks for the suggestion Wolfgang. Maestro is currently in the lab being trialed and will require the lead architect's approval before that goes into the data centre, and of course there is the support engineers' training that needs considering, as Maestro is a different type of a beast. However, it is a new step in the technology evolution and for sure it will be exciting to run VSX on Maestro and see how the scalability factor plays out in the data centre. Fingers crossed there aren't too many software bugs in the code. Thanks again.
