This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Borut
Collaborator
Collaborator
‎2019-10-28 05:00 AM
Jump to solution

Default process affinity on R80.30

Hi

I'm noticing some strange CPU usage on our gateway since upgrade to R80.30 3.10 (currently on JHF T50). The hardware was also changed at the same time (HP DL360 Gen10). We have an 8 core license.

The first thing I noticed was the weird CPU allocation for CoreXL and SecureXL. We have the gateway configured with 6 CoreXL cores, and 2 for SecureXL. In previous version (80.10) CPU's 2-7 were assigned for CoreXL and 0 and 1 to SecureXL. Now, the distribution is something I'm not used to.

# fw ctl affinity -l -r
CPU 0: eth8
CPU 1:
CPU 2:
CPU 3: fw_5
mpdaemon fwd wsdnsd usrchkd in.asessiond in.acapd vpnd pepd lpd rad pdpd topod cprid cpd
CPU 4: fw_3
mpdaemon fwd wsdnsd usrchkd in.asessiond in.acapd vpnd pepd lpd rad pdpd topod cprid cpd
CPU 5: fw_1
mpdaemon fwd wsdnsd usrchkd in.asessiond in.acapd vpnd pepd lpd rad pdpd topod cprid cpd
CPU 6:
CPU 7: eth9 eth4
CPU 8:
CPU 9: fw_4
CPU 10: fw_2
CPU 11: fw_0
All:
The current license permits the use of CPUs 0, 1, 2, 3, 4, 5, 6, 7 only.

What has changed in R80.30 that CoreXL is using cores 3,4,5,9,10,11? Is it trying to evenly distribute load between physical CPU's?  Why was SecureXL affinity set to cores 0 and 7 by default (why not 0 and 6)? I configured manual affinity using the default values.

Also, CoreXL instances don't seem to balance load as nicely as in R80.10.

This was the CPU usage in R80.10:

And this is R80.30

image.png

As you can see cores 3-5 are utilized much more than cores 9-11. I presume this is because default affinity for processes is set only to cores 3-5. Why is that? Is that a feature or a bug? 

Is there a simple way to persuade the process affinity to be on all CoreXL cores without manually setting the affinity in fwaffinity.conf for every possible process?

Best regards

0 Kudos
1 Solution

Accepted Solutions
Martin_Valenta
Advisor
‎2019-10-29 02:10 AM
Jump to solution

If you have only 8 core license, then disable cores on your physical servers to have only 4 cores per processor.
https://community.checkpoint.com/t5/General-Management-Topics/Open-server-disable-CPU-cores/m-p/2037...

View solution in original post

6 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-10-28 08:13 AM
Jump to solution

- According to sk158112 Unable to assign FWD to a specific core, R80.30 has a CoreXL bug resolved only in Jumbo Hotfix Accumulator for R80.30 from Take 76 !

-  Your screens shows 12 cores, but only 8 are licensed - did you follow Performance Tuning R80.30 Administration Guide ?

- I would also suggest to consult CoreXL section in the sk98348 (Best Practices - Security Gateway Performance) and to look into sk153832: ATRG: SecureXL for R80.20 and above 

- and sk153373: New Multi-Queue Management for Check Point R80.30 with Gaia 3.10 kernel

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Borut
Collaborator
Collaborator
‎2019-10-29 12:02 AM
In response to G_W_Albrecht
Jump to solution

Hi G_W_Albrecht

- sk158112 talks about machines with SMT enabled. We have Hyperthreading disabled.

- Yes, we have a 12 core (2 physical  CPU's with 6 cores each) machine and a license for 8 cores. Nothing wrong with that. The performance is not the issue, just the weird core allocation for licensed cores and the fact that process affinities are not assigned to all CoreXL cores by default as was the case in versions lower than R80.30 (see my reply to Timothy).

- Thanks for suggesting performance optimization guides. I'm familiar with them but they don't apply with the problem I'm having. I'm aware of the procedures regarding changing process affinities, I'm just a little confused why the defaults have changed (not assigning process affinities to all CoreXL cores by default)

- Multiqueue is disabled on this specific gateway

Thanks for your answer

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-10-28 09:02 AM
Jump to solution

Looks like you have six physical CPUs with Hyperthreading enabled.  So your cores shake out like this:

Core 0/6: SND 1

Core 1/7: SND 2

Core 2/8: Unused?

Core 3/9: 2 workers

Core 4/10: 2 workers

Core 5/11: 2 workers

So the split is 2/6 which falls right into the license limit of 8 cores.  I think your output just looks strange since you have 12 total cores but are licensed for 8.  Normally someone will have 16 cores and be licensed for 8, or have 8 cores and be licensed for 4 and the core numbers are straight multiples of each other.  In that case the output is a little easier to interpret.

Process affinity is on cores 3/4/5.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Borut
Collaborator
Collaborator
‎2019-10-28 11:53 PM
In response to Timothy_Hall
Jump to solution

Hi Timothy

We have an open server with two physical CPU's - Intel(R) Xeon(R) Gold 6128 CPU @ 3.40GHz. That amounts to 12 physical CPU cores. Hyperthreading is disabled. The license is for 8 cores for budget reasons (and should be enough for what is needed). 

I found another machine with 2x6 physical cores with R80.20 installed with default process affinity settings. SND affinities are set manually.

# fw ctl affinity -l -r
CPU 0:  eth8 eth0 eth1 eth7
CPU 1:  eth9 eth11 eth4 eth5
CPU 2:  fw_5
        rtmd lpd mpdaemon fwd wsdnsd in.asessiond cpd cprid
CPU 3:  fw_4
        rtmd lpd mpdaemon fwd wsdnsd in.asessiond cpd cprid
CPU 4:  fw_3
        rtmd lpd mpdaemon fwd wsdnsd in.asessiond cpd cprid
CPU 5:  fw_2
        rtmd lpd mpdaemon fwd wsdnsd in.asessiond cpd cprid
CPU 6:  fw_1
        rtmd lpd mpdaemon fwd wsdnsd in.asessiond cpd cprid
CPU 7:  fw_0
        rtmd lpd mpdaemon fwd wsdnsd in.asessiond cpd cprid
CPU 8:
CPU 9:
CPU 10:
CPU 11:

 As you can see, the GW is using CPU ID's 0-7 (0-5 are on physical CPU0 and 7-8 are on CPU1) is on and process affinity is distributed among all CoreXL cores by default. fwaffinity.conf file is identical to the one on the R80.30 GW.

Something must have changed in R80.30 regarding which cores the GW is using on a two CPU machines (if licensed cores < available cores). I wonder If that is by design. Maybe they're also trying to share load between physical CPU's or something. I guess assigning process affinity to CPU cores on a second physical CPU is not working by default.

Also, is there a way to change that behavior without manually changing affinity for every single process via the fwaffinity.conf file.

0 Kudos
Martin_Valenta
Advisor
‎2019-10-29 02:10 AM
Jump to solution

If you have only 8 core license, then disable cores on your physical servers to have only 4 cores per processor.
https://community.checkpoint.com/t5/General-Management-Topics/Open-server-disable-CPU-cores/m-p/2037...
Borut
Collaborator
Collaborator
‎2019-11-05 01:08 AM
In response to Martin_Valenta
Jump to solution

Thank you Martin. We have lowered the active CPU cores to 4 per CPU. The process affinity looks normal now. There is still a difference in CoreXL/SecureXL cores assignment, but that does not bother me 🙂

CPU 0: eth8
CPU 1: fw_5
mpdaemon fwd wsdnsd in.asessiond pdpd vpnd pepd usrchkd in.acapd lpd rad topod cprid cpd
CPU 2: fw_3
mpdaemon fwd wsdnsd in.asessiond pdpd vpnd pepd usrchkd in.acapd lpd rad topod cprid cpd
CPU 3: fw_1
mpdaemon fwd wsdnsd in.asessiond pdpd vpnd pepd usrchkd in.acapd lpd rad topod cprid cpd
CPU 4: eth9 eth4
CPU 5: fw_4
mpdaemon fwd wsdnsd in.asessiond pdpd vpnd pepd usrchkd in.acapd lpd rad topod cprid cpd
CPU 6: fw_2
mpdaemon fwd wsdnsd in.asessiond pdpd vpnd pepd usrchkd in.acapd lpd rad topod cprid cpd
CPU 7: fw_0
mpdaemon fwd wsdnsd in.asessiond pdpd vpnd pepd usrchkd in.acapd lpd rad topod cprid cpd
All:

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events