Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Christian_Wagen
Contributor

VSX Tuning Question

 Hi Guys,

I have found many interesting articles about VSX tuning here in the forum:

https://community.checkpoint.com/t5/VSX/Interface-Affinity-with-VSX/td-p/51136

https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/member-exclusives/224/1/VSX%20per...

I understand that, but how exactly do I set this up under VSV and which CLI commands do I have to use?
Is here a sample file that allows me to set the SecureXL and CoreXL instances?

For example, how do I set Multiqueueing/SecureXL for Core 0,1,2,3,17,18,19,20 and CoreXL for VS1 to Core 4,5,21,22

Which CLI commands do I have to use to make the settings permanent?

Regards
Christian

 

0 Kudos
40 Replies
Kaspars_Zibarts
Authority
Authority

You can't tell with SNMP how much CPU is single VS / VSW using if they are sharing resources I'm afraid. Unless you have dedicated cores per VS.

If I'm honest VSW takes nearly nothing in my experience. Two VSWs sharing the same single hyper-threaded core pushing 30Gbps used 25% peak hour. On 26000T appliance.

0 Kudos
genisis__
Advisor

Thanks,  the CPU question was aimed more at the VS, but this really is a a missing part for external monitoring and capacity management, and I can't see how this could be monitored via SNMP unless, as you suggested have dedicate cores, even then how would SNMP be able to monitor it as its the same issue, SNMP only seems to pick up the CPU OID for the overall tin.

0 Kudos
Henrik_Noerr1
Contributor

Actually you can pull all process load for a given VS. We do this with: CHECKPOINT-MIB::fwInstancesCPUTable

This allows us to graph each VS individually and collectively, see below:

All VS share the same some 24 cores and 8 SNDs 

fwk load of a VS with 5 cores assigned

all VS fwk load SUM'ed per VS

VSX load

fwk 5 coresfwk 5 coresall VS on cluster fwk loadall VS on cluster fwk loadgeneral VSX loadgeneral VSX load

 

genisis__
Advisor

I take it there is a OID for this and its different per VS?  How you you actually use this from an SNMP MGR such as PRTG?

I did a snmpwalk and could not see this.

Downloaded the last (R81) MIB file from Checkpoint  (SK90470)

The MIB file has syntax errors so corrected theses.

converted and uploaded to PRTG using the below link:

Can't find a sensor for my device in PRTG but I believe it supports SNMP. How to proceed? | Paessler...

But not really seeing any difference.

 

Additionally search the MIB file for 'fwInstancesCPUTable' and it does not exist? (See attached)

0 Kudos
Henrik_Noerr1
Contributor

Hey,

I poll each VS through the VSX DMI. Use snmp v3 with the flag -n ctxname_vsid17 - to poll a specific VS through the DMI.

The oid is there. Check the official mib in sk90470 (I use r80.40)

But without knowing prtg I can only recommend to look into a TIG stack - Telegraf/InfluxDB/Grafana solution. It will improve your monitoring level many times.

I have attached a telegraf config to get you started for single VS monitoring.

 

0 Kudos
Kaspars_Zibarts
Authority
Authority

Very nice! 🙂

0 Kudos
Henrik_Noerr1
Contributor

I saw you mentioned Solarwinds as well.

You cannot add devices with the same IP address through the webinterface. The IP address is a unique identifier within Solarwinds and they will not support multiple devices, even with different context flags - horrible design choice.

We have it working by adding the nodes directly into the mssql db, but it is not supported and is a stupid workaround.

There is an RFE on thwack regarding this. It has existed since 2008.

/Henrik

0 Kudos
genisis__
Advisor

Awesome thanks, will give this a go.

0 Kudos
Kaspars_Zibarts
Authority
Authority

Good old MRTG had a similar limitation so I managed to suss out from the code that it was case sensitive, so I just had to create targets with different combinations of upper lower case letters 🙂

Remember that you should be able to poll VS directly by setting vs-direct-access

0 Kudos
Henrik_Noerr1
Contributor

hah that is a great limitation 🙂

I rerely see a design where direct VS polling is doable. Many VS are simply cut off from the monitoring platform (implicit by design).

I like we can poll each VS from the DMI, but I would like that Check Point was more consistent offering VS data from VS0 snmp tables.

Some data is available others not. 

0 Kudos
genisis__
Advisor

I managed to use the MIB file on PRTG, however still not able to see '::fwInstancesCPUTable' reference within the snmpwalk.  I have at least got the VSWs in and now Connections Limit, Peak and concurrent values, even managed to figure how how to combine the values into one chart.

 

0 Kudos