Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Joschua_M
Explorer

SecureXL ID

On all of our firewall I see only ID 0.

However, on one firewall two ID's are displayed. What does it mean?

Which CLI commands do I use to set up one and two ID's?

How can I activate or deactivate multiple SecureXL ID's?


securexl_id.jpg

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

On a four core system, the default split of SNDs to FWKs is 1/3.
On an eight core system, the default split of SNDs to FWKs is 2/6.

You can adjust the split via cpconfig (requires reboot).
That said, you're better off using Dynamic Split (adjusts this on the fly based on demand) on 8+ core systems on R81+ or R80.40 with the most recent JHF.

0 Kudos
Timothy_Hall
Legend Legend
Legend

Actually the instance ID displayed by fwaccel stat does not show the number of cores allocated as SNDs; normally there is just one instance (#0) of SecureXL/sim in the kernel, and the multiple assigned SND cores are just offshoots of that one instance.  Usually the only way you'd see a second instance of SecureXL is if there is a Falcon accelerator card present.  

Based on how the network interfaces are spread between the two SecureXL instances, I'm wondering if your firewall's hardware architecture consists of two separate CPU sockets each with their own set of cores, and you are seeing a SecureXL instance running on each socket.  Example: The 23800 model has two sockets with a Intel Xeon E5-2680v3 (12 physical cores) on each for a total of 24 physical cores.  Perhaps there is now a SecureXL instance running on each individual socket?  I did mention the presence of multiple sockets on pages 64-65 of the third edition of my book, and advised placing NIC cards on the PCI bus attached to the specific socket that would have a SND core(s) assigned for that specific NIC to avoid excessive traffic on the bridge between sockets.

Either way I haven't seen this before so it must be something new.  @Joschua_M what code version are you running and what specific hardware is being utilized on the firewall showing multiple SecureXL instances?  If the firewall is open hardware please provide detailed specifications.  Also please provide the output of the lsmod command so we can see if there are truly two instances of the sim driver in the kernel.  Thanks!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Very unusual split of the SND ID's. Normally only the ID 0 can be seen, as @Timothy_Hall  mentioned. The assignment of the interface to the different SND instances is also very strange. 

Which Firewall version and which JHF version are you using?

Can you execute the following CLI commands and show us the output:
# more /proc/interrupts
# mq_mng --show  -vv                                   
# dynamic_split -p
# lsmod
# fw ctl affinity -l

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events