Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Chinmaya_Naik
Advisor
Jump to solution

CoreXL Configuration : OTHER CPU and FWD (Recommended Configuration)

Hi Checkmates,

 

We are planning to replaced our existing device (12000 SG) with new 26000 Security Gateway.

The existing CoreXL configuration of 26000SG is below

Total CORE with SMT enable: 72 Core

CoreXL_SND: 2

OTHER:8

CoreXL_FW: 61

FWD:1

corexl1.png

corexl1.1.png

corexl2.png

What is the role of "OTHER" which currently occupied 8 CORE  and why its dynamically allocated ?

Our current running appliance 12000 series will going to replaced with 26000 and currently having below configuration :

Total Core: 4

SND Core: 1

CoreXL_FW: 3

BLADE Enabled: IPSec,IPS,AV,ABOT,App and URL(No Https Inspection) (will also enable TE blade after replaced)

Concurrent connection :25000 (In future it will be increase)

Interface: 5 x 1G including sync and Mgmt (It will replace with 3 x10G) 

corexl3.png

 

 

 

 

 

 

 

Kindly suggested  as a best practice how much CPU core need to assign to SND core and CoreXL_FW on new 26000.

 

Regards

@Chinmaya_Naik 

1 Solution

Accepted Solutions
_Val_
Admin
Admin

Several comments:

1. With Kernel Space FW, you can only assign up to 40 cores to FWKs
2. Any manual assignment will disable Dynamic Split. If you want to use DS, do not change the cores assignments
3. DS is helping with dynamic change of SND and FWK assignments, to cope with changing traffic patterns. The only performance impact is improved overall performance of the machine 
4. Mind with Hyper-Threading you have 36 real + 36 virtual cores. When assigning cores manually (if you ever go this road), you will need to make sure that each pair of "real + virtual" cores should assume the same role. 

Considering all above, and also your limited experience with the matter, I would strongly suggest you going for DS, as the simplest and most universal solution.

View solution in original post

15 Replies
Kaspars_Zibarts
Employee Employee
Employee

Regarding dynamic split you can read here, it just does SND vs CoreXL core management for you. Be aware there are some SK articles describing issues with it too 🙂

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

You should not worry too much in any case as you have bought a Ferrari for 25k connections 🙂 it will last very long

To find answers to your other questions best is to look at output of fw ctl affinity -l and mq_mgmt --show

Bear in mind that your system is hyperthreaded therefore you see some cores "in the middle" associated with "other" or SND. That's your CPU siblings or hyperthreaded cores: 0-36, 1-37 .. 35-71. So if you start playing manually with affinity, you need to consider that carefully

Chinmaya_Naik
Advisor

Hi @Kaspars_Zibarts 

Thanks for the update.

As you can see CPU 2,3,4,36,37,38,39,40 is assign to "OTHERS" which not showing on below output.

Just I need to understand what is the use of "OTHER" CPU core and is this only comes when we enable SMT (Hyper threading) ?

*********************************************

Interface eth2-01: CPU 1
Interface Mgmt: CPU 0
Interface eth2-02: CPU 1
Interface eth2-03: CPU 1
fw_0: CPU 35
fw_1: CPU 70
fw_2: CPU 34
fw_3: CPU 69
fw_4: CPU 33
fw_5: CPU 68
fw_6: CPU 32
fw_7: CPU 67
fw_8: CPU 31
fw_9: CPU 66
fw_10: CPU 30
fw_11: CPU 65
fw_12: CPU 29
fw_13: CPU 64
fw_14: CPU 28
fw_15: CPU 63
fw_16: CPU 27
fw_17: CPU 62
fw_18: CPU 26
fw_19: CPU 61
fw_20: CPU 25
fw_21: CPU 60
fw_22: CPU 24
fw_23: CPU 59
fw_24: CPU 23
fw_25: CPU 58
fw_26: CPU 22
fw_27: CPU 57
fw_28: CPU 21
fw_29: CPU 56
fw_30: CPU 20
fw_31: CPU 55
fw_32: CPU 19
fw_33: CPU 54
fw_34: CPU 18
fw_35: CPU 53
fw_36: CPU 17
fw_37: CPU 52
fw_38: CPU 16
fw_39: CPU 51
fw_40: CPU 15
fw_41: CPU 50
fw_42: CPU 14
fw_43: CPU 49
fw_44: CPU 13
fw_45: CPU 48
fw_46: CPU 12
fw_47: CPU 47
fw_48: CPU 11
fw_49: CPU 46
fw_50: CPU 10
fw_51: CPU 45
fw_52: CPU 9
fw_53: CPU 44
fw_54: CPU 8
fw_55: CPU 43
fw_56: CPU 7
fw_57: CPU 42
fw_58: CPU 6
fw_59: CPU 41
fw_60: CPU 5
Daemon mpdaemon: CPU 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
Daemon fwd: CPU 71
Daemon cprid: CPU 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
Daemon cpd: CPU 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
Interface Sync: has multi queue enabled

 

Regards

@Chinmaya_Naik 

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

You didn't add the multi queue command output

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

So far it seems they are not attached to neither SND nor CoreXL

0 Kudos
_Val_
Admin
Admin

This version are you running?

Chinmaya_Naik
Advisor

@_Val_ 

The existing appliance which is 12000Series is currently running on production with R77.30 and the new appliance which going to place is 26000s with R80.40 OS.

So basically we are going to replace the 12000 SG so I need to the change the Core XL configuration on new 26000SGas per the best practice.

After clean installation  26000SG by default take below configuration:

Total CORE with SMT enable: 72 Core

CoreXL_SND: 2

OTHER:8

CoreXL_FW: 61

FWD:1

Regars

@Chinmaya_Naik  

_Val_
Admin
Admin

Okay, that's very good then. With R80.40 and 3.10 kernel, you have Dynamic Split feature mentioned in sk164155. All you need for an effective core distribution is two fold:

1. do not change manually affinity and corexl settings

2. enable dynamic split, as SK says.

Your cores will be automatically balanced between FWK and SND roles, depending on the traffic needs. 


More info about the Dynamic Split is here: https://community.checkpoint.com/t5/Member-Exclusive-Content/Dynamic-Workloads-TechTalk-Video-and-Sl...

Chinmaya_Naik
Advisor

@_Val_ 

Thanks for the update.

is there any impact or any performance related issue after enable  the Dynamic Split feature .

I planning  do the below configuration:

Assign 46 CORE to FW worker

16 CORE to SND

and FWD + OTHER = 9 CORE

Regards

@Chinmaya_Naik 

0 Kudos
_Val_
Admin
Admin

Several comments:

1. With Kernel Space FW, you can only assign up to 40 cores to FWKs
2. Any manual assignment will disable Dynamic Split. If you want to use DS, do not change the cores assignments
3. DS is helping with dynamic change of SND and FWK assignments, to cope with changing traffic patterns. The only performance impact is improved overall performance of the machine 
4. Mind with Hyper-Threading you have 36 real + 36 virtual cores. When assigning cores manually (if you ever go this road), you will need to make sure that each pair of "real + virtual" cores should assume the same role. 

Considering all above, and also your limited experience with the matter, I would strongly suggest you going for DS, as the simplest and most universal solution.

Chinmaya_Naik
Advisor

Hi @_Val_ 

Thanks for the clarification.

Just a few query I have.

What is the role of "OTHER" which currently occupied 8 CORE by default ?

Regards

@Chinmaya_Naik 

_Val_
Admin
Admin

Can't say, but I assume those were not attached to either SND or FWKs, or were/are in the transition phase from one role to another. 

0 Kudos
Chinmaya_Naik
Advisor

@_Val_  and Team,

What about for IPv6 CoreXL Firewall instances. Is this also part of dynamic Split ? or mannual changes is required like mannualy assigned the core for IPv6.

Because we have a requirement for IPv6 configuration.

Kindly help

 

0 Kudos
_Val_
Admin
Admin

The same, I believe

0 Kudos
_Val_
Admin
Admin

Quoting from sk164155:

Supported features: IPv6, Management Data Plane Separation (MDPS), Bridge mode

0 Kudos
Chinmaya_Naik
Advisor

@_Val_ 

Thank you

Sorry I miss that part on that SK😊

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events