Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
AaronCP
Advisor

CloudGuard CPU 0 "Type Other"

Good evening,

 

I am experiencing an issue on our CloudGuard gateways (R80.40 T120). We have backups that run every evening that transfer data from Azure to our On-Prem servers. The throughput is approx 500mbps at the time of the transfer and the CPUs were running around 60-70% on average.

 

I have enabled fast_accel to help with this and I've seen a significant performance improvement this evening......however when monitoring the CPU usage, I noticed that CPU 0 had a higher load that the other 3 cores. When I check the CPU tab in CPView, CPU 0 is listed as Type = Other. The other 3 cores are listed as CoreXL_FW.

 

When I check the output of fw ctl affinity -l, I can see that CPU 0 looks to be allocated to two separate virtual interfaces. The other CPUs are all assigned to the kernel and other daemons. Also, when I check the output of fwaccel stats -s, it says that Accelerated Pkts/Total Pkts is 98%, and PSLXL Pkts/Total Pkts is 98%.

 

I was wondering what a likely cause of the CPU 0 "Other" handling traffic instead of the other CoreXL cores could be?

 

Still pretty new to all of this, so if I've missed anything obvious, please tell me 😊.

 

Thanks in advance,

 

Aaron.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

It's expected behavior.
When there are four cores or more, they are split between two functions:

  • SNDs (Secure Network Distributors) which handle traffic from the NICs
  • FWK (Worker, CoreXL) which handle higher-level inspection (e.g. App Control, Threat Prevention)

A four core system will have a 1/3 split (1 SND, 3 Workers), which is what you are observing.

In practical terms, fully accelerated traffic will hit only the SND cores (or core in your case).
Partially accelerated traffic will hit both the SND core and a Worker core.

AaronCP
Advisor

Hey @PhoneBoy,

 

Thanks for the speedy reply!

 

What would the possible impact be of assigning SND to a second CPU, and having one less FWK instance? I know Check Point don't support this configuration on less than 8 cores, but we do very little higher level inspection on these firewalls (and unlikely to in the forseeable future). The majority of that traffic is handled by our on-prem firewalls.

 

Any advice would be appreciated.

0 Kudos
PhoneBoy
Admin
Admin

Never heard that we don't support it.
That said, the only other option you have is a 2/2 split.
You can configure this via cpconfig (requires a reboot). 

AaronCP
Advisor

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_PerformanceTuning_AdminGuide...

 

My fault, the article states 'do not recommend' not 'do not support'!

 

Thanks for the advice.

0 Kudos
PhoneBoy
Admin
Admin

If you're doing any App Control or Threat Prevention, then yes, not recommended.
In a situation where almost all your traffic is going to be SecureXL accelerated anyway, then this change makes sense.

Chen_Muchtar
Employee
Employee

As suggested, you can indeed statically configure 2 SND cores via config (requires reboot).
On upcoming versions, Dynamic Balancing feature will be able to support Cloudguard environments, allowing dynamic CoreXL cores allocation, without requiring a reboot or user intervention (we'll have it also back ported once released) 
Contacting you offline to discuss potential early availability support w.t.r

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events