On all of our firewalls I see only ID 0.
However, on one firewall two IDs are displayed. What does it mean?
Which CLI commands do I use to set up one and two IDs?
How can I activate or deactivate multiple SecureXL IDs?
On a four core system, the default split of SNDs to FWKs is 1/3.
On an eight core system, the default split of SNDs to FWKs is 2/6.
You can adjust the split via cpconfig (requires reboot).
That said, you're better off using Dynamic Split (adjusts this on the fly based on demand) on 8+ core systems on R81+ or R80.40 with the most recent JHF.
Actually the instance ID displayed by fwaccel stat does not show the number of cores allocated as SNDs; normally there is just one instance (#0) of SecureXL/sim in the kernel, and the multiple assigned SND cores are just offshoots of that one instance. Usually the only way you'd see a second instance of SecureXL is if there is a Falcon accelerator card present.
Based on how the network interfaces are spread between the two SecureXL instances, I'm wondering if your firewall's hardware architecture consists of two separate CPU sockets each with their own set of cores, and you are seeing a SecureXL instance running on each socket. Example: The 23800 model has two sockets with an Intel Xeon E5-2680v3 (12 physical cores) on each for a total of 24 physical cores. Perhaps there is now a SecureXL instance running on each individual socket? I did mention the presence of multiple sockets on pages 64-65 of the third edition of my book, and advised placing NIC cards on the PCI bus attached to the specific socket that would have a SND core(s) assigned for that specific NIC to avoid excessive traffic on the bridge between sockets.
Either way I haven't seen this before so it must be something new. @Joschua_M what code version are you running and what specific hardware is being utilized on the firewall showing multiple SecureXL instances? If the firewall is open hardware please provide detailed specifications. Also please provide the output of the lsmod command so we can see if there are truly two instances of the sim driver in the kernel. Thanks!
Very unusual split of the SND IDs. Normally only the ID 0 can be seen, as @Timothy_Hall mentioned. The assignment of the interface to the different SND instances is also very strange.
Which Firewall version and which JHF version are you using?
Can you execute the following CLI commands and show us the output:
# more /proc/interrupts
# mq_mng --show -vv
# dynamic_split -p
# lsmod
# fw ctl affinity -l