Affinity and Bridge Mode

Question asked by Petrus Rossouw on Nov 19, 2018
I have a situation where we implemented a Check Point with IPS in a bridged interface scenario, on 10Gbps interfaces. The default Check Point affinity for the CPUs was to assign the mgmt and 1 of the bridged interfaces to 1 CPU and the Sync and the other bridged interface to a second CPU. We then hit a problem of traffic throughput that caused both CPUs to run between 90 and 100%. This effectively locked us out of the device and caused major latency problems. The device is currently bypassed.


I have changed the affinity to combine the mgmt and sync on 1 CPU and am looking to assign 2 CPUs to each of the bridged interfaces, leaving 11 CPUs for firewall workers.


So, noting the above, is there any experience out there that can comment on whether the 2 x CPU per bridged interface "should be" sufficient, or whether it would be advisable to increase them?


I am running R77.30 with dynamic dispatching enabled and only 6 firewall rules. Because we were locked out of the device I could not gather any meaningful stats.