This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
Thursday
Jump to solution

SND and firewall cores

Hi,

I have a new 9400 gateway with a 20-core CPU.
When checking in cpview, I notice that some cores are constantly switching between SND, CoreXL_FW, N/A, Other or even both.

Check CPU 4 and 5

Is this normal and expected behavior?

cpview-1.jpgcpview-2.jpgcpview-3.jpgcpview-4.jpg

0 Kudos
1 Solution

Accepted Solutions
Don_Paterson
MVP Gold
MVP Gold
Thursday
Jump to solution

That will be Dynamic Balancing (appliance only feature) automatically changing the core assignment based on load detection.

cpview > SysInfo > Dynamic Balancing Status (on/off)

You can also go to > Advanced > CoreXL to see more details.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_PerformanceTuning_AdminGuide... 

It should be beneficial for performance auto-tuning.

View solution in original post

6 Replies
Don_Paterson
MVP Gold
MVP Gold
Thursday
Jump to solution

That will be Dynamic Balancing (appliance only feature) automatically changing the core assignment based on load detection.

cpview > SysInfo > Dynamic Balancing Status (on/off)

You can also go to > Advanced > CoreXL to see more details.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_PerformanceTuning_AdminGuide... 

It should be beneficial for performance auto-tuning.

Moudar
MVP Silver
MVP Silver
Thursday
In response to Don_Paterson
Jump to solution

Dynamic balancing is enabled, so that is an expected behavior.
thank you Don.

Don_Paterson
MVP Gold
MVP Gold
Thursday
Jump to solution

When a core is temporarily doing SND IRQ handling AND fwk firewall worker tasks then it may be because Dynamic Balancing sees that an SND is overloaded, but no fully idle FW core exists, so it temporarily merges roles to avoid packet loss as a result.

Seems valid, and a sign that the balancer is aggressively optimizing.

Cores get some load but never seem to get overloaded so it looks good.

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
Thursday
In response to Don_Paterson
Jump to solution

I would possibly disable dynamic distribution on the 9400 and assign the SNDs and CoreXL cores statically, since these systems have both performance cores and energy-saving cores. With a high packet rate and a 10G+ interface, you may need more SNDs.

More read here:
R8x - Performance Tuning Tip - P-Cores / E-Cores (9300/9400 Force Appliance)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Don_Paterson
MVP Gold
MVP Gold
Thursday
In response to HeikoAnkenbrand
Jump to solution

Thanks Heiko, great post.

In the SK they say:

"Note - Customers do not need to configure anything. Quantum Security Gateway automatically adjusts the traffic distribution between these CPU cores."

https://support.checkpoint.com/results/sk/sk182000

Aren't Check Point making Dynamic Balancing make an intelligent choice (may be improved with JHFAs and major versions..(?)), so that customers should avoid static assignment?

In other words, by default, the gateway’s software is aware of the hybrid P/E core layout and is designed to steer packet-path workloads accordingly, without manual tuning.

I am no expert in this area but I was wondering why the new SND cores were 4 and 5 and not 2 and 3 and wondered if it was an intelligent decision based on P cores or physical core location (?).

 

 

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
Thursday
In response to Don_Paterson
Jump to solution

In the screenshots the busiest cores (30–43%).

FW cores with the highest utilisation were:

CPU 19
CPU 13
CPU 12
CPU 18
CPU 16
CPU 14

All of these are E-Cores. Which explains why these cores were:

  • More stressed, hotter at some times, and cooler at others
  • Often imbalanced
  • Handling fewer connections (E-Core design)
  • Hitting higher CPU percentages (slower, fewer execution units)

This matches the SK:

“CPU load may be imbalanced between CoreXL Firewall instances that run on P-Cores and on E-Cores. This is an expected behavior.”

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events