Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jesus_Cano
Collaborator

Add new cores to gateway

Hi,

We currently have a cluster of gateways (2 nodes) in R77.20 where we are licensed only to use 2 cores (although the machines have 4 cores). We have proceeded to acquire this license to be able to use 4 cores. Now i would like to know if we need do to any config in Checkpoint to refresh the number of cores. What is the procedure to add 2 more cores in gateways (cpconfig). Is it necessary finetuning or core will be assign by default? any usefull commands to check cores and use?

Thanks

12 Replies
PhoneBoy
Admin
Admin

Once you apply the new license, you will need to reboot.

That should be enough initially, though if you want to change the worker/SND mix, there are other commands.

Those will also require a reboot, but I would start with the defaults.

See also: ATRG: CoreXL 

0 Kudos
Jesus_Cano
Collaborator

OK, we will add the license and reboot the devices. In order to avoid the outage we will do in the passive member first, and then in the active node.

how can we check by cli that 4 cores are being used by gateway??? any command?

0 Kudos
PhoneBoy
Admin
Admin

Re: Command to show the number of permitted cores‌ will tell you that you are licensed for the correct number of cores.

How you are using them, cpconfig.
Note that it's possible that CoreXL was not previously enabled, so you will choose to enable it and accept the default number of workers.

This will require a reboot.

Also note that all members of the cluster must be licensed for the same number of cores or you will have issues with your cluster.

0 Kudos
Jesus_Cano
Collaborator

I only wnat that gateways use 4 cores. So i think i only have to config to use 4 instances FW in cpconfig. right?

any command to know if these 4 cores are being used?

0 Kudos
PhoneBoy
Admin
Admin

What you configure in cpconfig is the number of firewall workers, which will be less than the total number of cores.

The remaining cores will be used for SND (Secure Network Distribution).

I believe the default distribution for 4 cores is 3/1 (3 workers, 1 SND). 

You can see how they are allocated with fw ctl affinity -l.

See also: Best Practices - Security Gateway Performance 

0 Kudos
Jesus_Cano
Collaborator

Hi Dameon,

So currently we have 2 cores, and we have the license string for 4 CORES. What step should we do to activate these 4 CORE and how to check it.

When you install the licence "cplic put KEY_STRING"  and reboot it, ¿the 4 cores will be used automatically?

0 Kudos
PhoneBoy
Admin
Admin

I already answered this: via cpconfig (a CLI command).

There is a menu option called Check Point CoreXL.

Select it and follow the menu prompts to ensure it is enabled and with the correct number of firewall (worker) instances, which should be 3 to start with.

Now you may be able to do this BEFORE you reboot the gateway AFTER applying the license--not 100% sure about that.

And you may need to do additional tuning later, which is covered in the SKs I pointed to 

In either case, it all starts with cpconfig.

The SKs I pointed at can be used to further tune/troubleshoot later, but given you only have 4 cores, your options for tuning are fairly limited. 

0 Kudos
Jesus_Cano
Collaborator

Thanks a lot Dameon. You are right. We have to add the lic with "cplic put xx" in the gateways. After that go to cpconfgi->coreXL and configure 3 instances. Then reboot it. WE only want to use more CPU, not to customize these CPU.

Just one thing, what would it be the correct procedure to do this in a cluster A/P in order to not outage?. First do it in the standby node. Then, CPstop in the active node. Do this task in the another node in order to up the cluster. right? 

0 Kudos
PhoneBoy
Admin
Admin

Any time you change the worker/SND mix, that requires a reboot (not just a cprestart).

Other than that, you're correct: do the standby node first.

0 Kudos
Hugo_vd_Kooij
Advisor

Also keep in mind that cluster nodes have to have identical number of cores. So it will cause a minor outage during the scheduled work.

At least a stateless failover will occur.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Jesus_Cano
Collaborator

Yes, so we will chenge cpconfig instance to 3, and then reboot this node. 

After that, we will run cpstop in the node active in order that the standby takes active role with new cores. thats right? 

Thanks

0 Kudos
PhoneBoy
Admin
Admin

Correct

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events