Create a Post
Showing results for 
Search instead for 
Did you mean: 

Checkpoint VSX and corexl

We have checkpoint firewall with 2 VSs configured in VSX-setup device R80.10, hfa is 249

Each VS has 10 each virtual system instances as per dashboard and fw ctl multik stat output

Overall the firewall has 36 cores as per top and cpstat os -f multi_cpu


I have two queries here as given below


1) I have logged into each VS and checked cpstat os -f multi_cpu output and found that it has 36 cores and all of them some cpu usage. If we have only 10 instances in each VS, why is it showing usage for rest of the cores ?

2) Out of 36 cores, are we using 10 each to each VS or the total number of virtual system instances in each VS’s should not be more than 36 in this case? (for example, if we have 4 VS and still we can have 10 each in each VS ?)



Rajesh CRM

0 Kudos
2 Replies

cpstat is a system-level command not a vs-level command.
Meaning it shows stats for the entire platform.

I believe you can allocate more cores in aggregate to your VSes than you have physically but some CPUs will obviously be allocated more instances then others.
That could lead to a performance issue down the road, so it's not recommended.
0 Kudos

In VSX just like any regular CP firewall first you need to devide cores between SND and FWK. SNDs will be common for all VSes. But FWKs you can share in many different ways. Below are two examples from my CPX presentation:

when all VSes FWKs share the same CPU cores (2-9), it's the default approach in VSX



or when you do manual split, for example (VS0-CPU2, VS1-CPU3-4, VS2&VS3-CPU5-9)



 To see your setup, use fw ctl affinity -l command

0 Kudos