This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Firewallteam_DE
Explorer
‎2019-10-09 03:03 AM

What "set vsx on/off" actually does under hood?

Hello Guys

I am having trouble finding what does turning on/off vsx mode does to firewall cluster.

 

I have 2 members fully configured in cluster VSLS mode, running coreXL, few virtual-systems on it and soon in production. In many guides theres suggestion to turn off vsx mode before applying some commands which otherwise cannot be accepted. I only understand that vsx mode is "interface and routes configuration protection". But is there anything beyond human factor protection in CLI?

 

Subsequently, I have this problem:

automatic affinity on one cluster member is working fine, and it doesn't on another:

A:

eth1-01 : 8
eth1-02 : 8
eth1-03 : 0
eth1-04 : 8
eth2-01 : 0
eth2-04 : 8
eth2-05 : 0
eth2-08 : 8
eth3-01 : 0
eth3-02 : 0

 

B:

eth1-01 : 0
eth1-02 : 0
eth1-03 : 0
eth1-04 : 0
eth2-01 : 0
eth2-04 : 0
eth2-05 : 0
eth2-08 : 0
eth3-01 : 0
eth3-02 : 0

some CP article suggests checking "fw ctl multik get_mode" to see if dynamic dispatcher is on, but this command cannot be run in vsx mode:

Option not supported in VSX mode.

Edit: (there are 2 cores for vs:0 in my setup) after restarting and re-entering default affinity mode (automatic) all interfaces are assigned core 0 (I expected even distribution between cores 0, 8). There is no traffic passing interfaces yet.

Thank you

Tomas

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-10-09 07:07 AM

Before risking my VSX VSLS configuration i would rather involve TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2019-11-06 02:00 PM
In response to G_W_Albrecht

Here's link to my cpx presentation on the subject of VSX optimisation

https://community.checkpoint.com/t5/Member-Exclusive-Content/VSX-performance-optimisation-pdf/m-p/41...

Hard to answer without having full details of the system.

As for vsx off - yes it's mainly to protect system from making silly mistakes in areas that are owned my management i.e routing and interfaces. You will learn to survive without it 🙂 can't remember last time I turned vsx off 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2019-11-06 03:06 PM

Which GW version are you utilising?
Dynamic dispatcher is available only from R80.20 and above for VSX mode.
CCSM R77/R80/ELITE
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2019-11-06 09:20 PM
In response to Chris_Atkinson

And be careful not to mix up two things - affinity for SXL or interfaces and affinity for for fw workers. Your original post mixed two together. Try printing both types with fw ctl affinity -l and we can take it from there

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events