This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SallesThiago
Participant
‎2024-03-19 07:46 AM

Affinity CPU

We have SMB Appliance 1800 and the customer use a lot of connections SIP, using UDP, so we need make fastaccel to that connections don't make CPU overload. So now I need to balance the CPU, using more CPU to type "others". is that possible?

The CPU is around 50% because we don't put all the traffic into the firewall yet.

cpuSMB.png

ctl affinity.png

 

Preview file
80 KB
Preview file
116 KB
0 Kudos
10 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-03-19 08:05 AM

I would say of course - all fw cores are mostly idle. so i would set more to others. A lot from sk98737: ATRG: CoreXL does apply. There had been a discussion here https://community.checkpoint.com/t5/SMB-Gateways-Spark/SecureXL-amp-CoreXL-on-SMB-devices/m-p/39531 that mentions how to assign an interface to its own core, maybe that can help here.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
SallesThiago
Participant
‎2024-03-19 09:38 AM
In response to G_W_Albrecht

Thanks for reply.

I want to "convert" the CPU 8 and 9 to "Other" but i can't find clear how to. Could you explain the step by step or has some material show how to do that? I trying in sk98737 but I couldn't.

0 Kudos
SallesThiago
Participant
‎2024-03-19 11:27 AM
In response to G_W_Albrecht

Thanks for reply.

 

That's confuse to me yet how to configure for example CPU 8 and 9 to "other". could you show step by step how to do that?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-03-19 06:26 PM
In response to SallesThiago

There are two types of cores:

  • FWKs (the CoreXL_FW in your screenshot) -- Used for Layer 7 inspection
  • SNDs (the "Other" in your screenshot) -- Used for I/O and Accelerated Layer 3/4 inspection

You cannot change what CPUs do what, only the number of cores allocated to CoreXL FW.
Remaining cores will be allocated as SNDs.
Note you cannot allocate more SNDs than FWKs 

The 1800 by default uses a 2/10 mix (2 SNDs, 10 FWK)
To add two additional cores to SND (i.e. Other in your picture), you need to allocate only 8 cores to FWK.
This SK shows you how to change the number of CoreXL Firewall instances: https://support.checkpoint.com/results/sk/sk174423 

SallesThiago
Participant
‎2024-03-20 04:29 AM
In response to PhoneBoy

Thanks! in my lab it worked, I will make the change in maintenance windows of production appliance and back here to do feedback.

0 Kudos
Lesley
Leader Leader
Leader
‎2024-03-19 08:13 AM

Related to SIP you could check this massive SK, maybe it helps with the issue you have. Not sure what the issue is but maybe it will give you a start:

https://support.checkpoint.com/results/sk/sk95369

Also check all the way down for related SK's URLS

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2024-03-19 08:33 AM

I can not see that this is relevant here - we see both SNDs overloaded and all fw workers idle, so the solution is clear...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Lesley
Leader Leader
Leader
‎2024-03-19 08:43 AM
In response to G_W_Albrecht

New SND is also not relevant:

  • It is recommended to allocate an additional CPU core to the SND only if all of the following conditions are met:

    • Your platform has at least 8 CPU cores.
    • The 'idle' value (run 'top' command and press 1 to display all CPU cores) for the CPU core currently running the SND is in the 0%-5% range.
    • The sum of the 'idle' values (run the 'top' command and press 1 to display all CPU cores) for the CPU cores running CoreXL FW instances is significantly higher than 100%.

    If any of the above conditions are not met, the default configuration of one processing core allocated to the SND is sufficient, and no further configuration is necessary.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
PhoneBoy
Admin
Admin
‎2024-03-19 08:54 AM

While CoreXL/SecureXL exist on SMB appliances, I don't believe you can tune the split of SND/FWK the way you can on regular Gaia.
Perhaps TAC can confirm this. 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-03-19 12:29 PM
In response to PhoneBoy

CoreXL tuning is actually possible on SMB/Spark but the procedure is a bit different (and there isn't nearly as much CPU power to go around); this SK was mentioned briefly in my R81.20 Gateway Performance Optimization Course:

sk174423: Configuring CoreXL Firewall instances on Quantum Spark Appliances 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events