This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mageshkumarg
Participant
‎2025-06-17 03:34 AM
Jump to solution

CoreXL affinity vs CoreXL Dynamic Dispatcher

Hello team,

My experience with checkpoint technology is at an intermediate level. As I read about CoreXL technology, I have following queries.

  1. By default, the affinity for security gateway is set to Automatic (i default auto). This indicates the gateway (SND) will associate interfaces with particular CPU cores (FW kernel instance). So, what function does the dynamic dispatcher serve in this situation?
  2. Will it assist in choosing CPU cores for the firewall interface by considering CPU usage?
  3. If yes, What function will the dynamic dispatcher serve after the CPU cores are selected for the interfaces?
  4. The firewall interfaces are aligned with firewall core instances either temporarily or permanently?

Refer SK/Guide:-

https://support.checkpoint.com/results/sk/sk105261

https://support.checkpoint.com/results/sk/sk174423

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_PerformanceTuning_AdminGuide...

 

 

Thanks in advance.

 

Regards,

Magesh

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2025-06-17 05:26 AM
Jump to solution

To answer your questions:

1) Automatic interface affinity is not used any more on interfaces that support Multi-Queue.  Prior to the use of Multi-Queue, every 60 seconds or so automatic interface affinity would measure interface utilization, and allocate SND resources to the busiest interfaces.  If there were enough SND cores available, the busiest interfaces would end up with their very own SND core and not have to share it with other interfaces.  Multi-Queue is enabled by default on all interfaces and replaces automatic interface affinity, and also allows multiple SND cores to service a busy interface.

The Dynamic Dispatcher is implemented on the SND Cores, but it is not directly related to automatic interface affinity or Multi-Queue.  The Dynamic Dispatcher monitors the load of the Firewall Worker Instances and directs new connections (and all their subsequent packets) to the least-busy worker core.  

2) The job of the Dynamic Dispatcher is to keep the Firewall Worker Cores evenly balanced (and it does consider the existing load on the Firewall Worker Cores to do this), while Multi-Queue attempts to keep the load balanced among the SND cores by balancing traffic loads.  I'm not sure if Multi-Queue really considers SND CPU load in its balancing of traffic; it is just trying to keep the raw traffic load balanced among the SND cores to my knowledge.

3) You're conflating the Dynamic Dispatcher and Multi-Queue with this question, they are functions both implemented by the SND cores but serve very different functions.  (Firewall Worker Core balancing vs. SND Core balancing)

4) Interfaces are not affined directly to the Firewall Worker Cores, interfaces are handled/affined by Multi-Queue by the SND cores.  If Dynamic Balancing/Split is in use, an interface that was being serviced by an SND core could suddenly not be if that core is reassigned to be a new Firewall Worker Instance.  The remaining SND cores will pick up the slack for that interface in that instance. 

In a static split scenario the number of SND cores cannot change, and each interface's load is distributed among all available SND cores by Multi-Queue, subject to the queue limits of some driver and NIC hardware.  For example the igb I211 NIC only supports a maximum two queues, so even if there are 8 SND Cores available only 2 of them can service that I211 interface at any one time.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

(2)
4 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2025-06-17 05:26 AM
Jump to solution

To answer your questions:

1) Automatic interface affinity is not used any more on interfaces that support Multi-Queue.  Prior to the use of Multi-Queue, every 60 seconds or so automatic interface affinity would measure interface utilization, and allocate SND resources to the busiest interfaces.  If there were enough SND cores available, the busiest interfaces would end up with their very own SND core and not have to share it with other interfaces.  Multi-Queue is enabled by default on all interfaces and replaces automatic interface affinity, and also allows multiple SND cores to service a busy interface.

The Dynamic Dispatcher is implemented on the SND Cores, but it is not directly related to automatic interface affinity or Multi-Queue.  The Dynamic Dispatcher monitors the load of the Firewall Worker Instances and directs new connections (and all their subsequent packets) to the least-busy worker core.  

2) The job of the Dynamic Dispatcher is to keep the Firewall Worker Cores evenly balanced (and it does consider the existing load on the Firewall Worker Cores to do this), while Multi-Queue attempts to keep the load balanced among the SND cores by balancing traffic loads.  I'm not sure if Multi-Queue really considers SND CPU load in its balancing of traffic; it is just trying to keep the raw traffic load balanced among the SND cores to my knowledge.

3) You're conflating the Dynamic Dispatcher and Multi-Queue with this question, they are functions both implemented by the SND cores but serve very different functions.  (Firewall Worker Core balancing vs. SND Core balancing)

4) Interfaces are not affined directly to the Firewall Worker Cores, interfaces are handled/affined by Multi-Queue by the SND cores.  If Dynamic Balancing/Split is in use, an interface that was being serviced by an SND core could suddenly not be if that core is reassigned to be a new Firewall Worker Instance.  The remaining SND cores will pick up the slack for that interface in that instance. 

In a static split scenario the number of SND cores cannot change, and each interface's load is distributed among all available SND cores by Multi-Queue, subject to the queue limits of some driver and NIC hardware.  For example the igb I211 NIC only supports a maximum two queues, so even if there are 8 SND Cores available only 2 of them can service that I211 interface at any one time.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(2)
mageshkumarg
Participant
‎2025-06-18 05:33 AM
In response to Timothy_Hall
Jump to solution

Hi @Timothy_Hall 

Thanks for the detailed explanation. It seems that I have mixed up two distinct concepts related to load balancing.

Affinity and multi-queue, is the principle utilized for achieving load balancing among CoreXL SND.

Dynamic Dispatcher is utilized by the CoreXL SND to distribute packets evenly among CoreXL firewall instances.

Am I right?

Regards,

Magesh

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-06-18 08:07 AM
In response to mageshkumarg
Jump to solution

The Dynamic Dispatcher really distributes connections and all their associated packets (not just individual packets on their own), and "sticks" them to the same worker instance every time.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events