This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Teddy_Brewski
Collaborator
‎2018-08-06 07:03 AM
Jump to solution

Multiple questions (licensing, number of cores)

Hello,

Licensing: we own several R77 licenses used with open servers. When we renew our contract with Check Point can we upgrade to R80 using existing licenses, or R80 licenses have to be purchased separately? As far as I understood the licensing model with R80 has changed and now many features/blades come in a bundle. So if we have a 2 core limit with R77 license how is it going to be transferred to R80? Or do we have to "trade in" our old licenses and buy the new ones?

Number of cores: is there any correlation between a number of cores and number of 10Gbe interfaces for a Check Point installation under open servers? I understand that it will very much depend on the load, but assuming that no heavy blades are used, with 16-18K concurrent connections per second, is this more or less one core per one 10Gbe interface?

Bonding: when creating a bond, is it a good idea (performance wise) to assign ports from NICs installed in different PCIe slots?

Thank you in advance.

1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2018-08-06 07:44 AM
Jump to solution

Here we go:

Q: When we renew our contract with Check Point can we upgrade to R80 using existing licenses, or R80 licenses have to be purchased separately?
A: Yes, you do not need to purchase different licenses, unless you need more cores.

Q:  if we have a 2 core limit with R77 license how is it going to be transferred to R80?
A: yes, of course.
Q: is there any correlation between a number of cores and number of 10Gbe interfaces for a Check Point installation under open servers?
A: not from the licensing perspective. However, to get more out of your powerful open server machines, you may want considering to purchase new licenses with more cores included.

Q: when creating a bond, is it a good idea (performance wise) to assign ports from NICs installed in different PCIe slots?

A: Different PCI slots can be used for bonding. More important is to manage SIM affinity. However, with only 2 CPUs licenses and the mentioned load, this is not an issue.

View solution in original post

0 Kudos
2 Replies
_Val_
Admin
Admin
‎2018-08-06 07:44 AM
Jump to solution

Here we go:

Q: When we renew our contract with Check Point can we upgrade to R80 using existing licenses, or R80 licenses have to be purchased separately?
A: Yes, you do not need to purchase different licenses, unless you need more cores.

Q:  if we have a 2 core limit with R77 license how is it going to be transferred to R80?
A: yes, of course.
Q: is there any correlation between a number of cores and number of 10Gbe interfaces for a Check Point installation under open servers?
A: not from the licensing perspective. However, to get more out of your powerful open server machines, you may want considering to purchase new licenses with more cores included.

Q: when creating a bond, is it a good idea (performance wise) to assign ports from NICs installed in different PCIe slots?

A: Different PCI slots can be used for bonding. More important is to manage SIM affinity. However, with only 2 CPUs licenses and the mentioned load, this is not an issue.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-08-07 06:38 AM
Jump to solution

Any time the number of licensed cores differs from the number of physical cores on open hardware gateways, watch out for what call I call the licensing "core crunch" in the second edition of my book.  This situation cannot occur on a Check Point gateway appliance that has the correct bundled license installed:

The Trial License “Core Crunch”


This issue can be summed up quite succinctly with just one fateful screenshot:


Figure 7-14: Example Showing Effects of a Licensing "Core Crunch"


What the...? We can see that there are 4 processing cores total yet there are six Firewall Workers splattered all over the place. But how did it get this way? Some further investigation utilizing commands we covered earlier can help:


Figure 7-15: Diagnosing a Licensing "Core Crunch"


Oops. This situation can occur on an open hardware firewall, which has more physical cores than permanently licensed cores. When this example firewall was first configured, it was using the built-in 15-day Trial Period license which permits an unlimited number of cores to be employed by CoreXL. Because there were 8 total cores present, the default allocation of 2 SND/IRQ cores and 6 Firewall Worker cores was initially set under the trial license. However once the permanent license for only 4 cores was applied and the firewall rebooted, there were still 2 SND/IRQ and 6 Firewall Worker cores allocated, and they all got “crunched” onto the 4 allowed cores as shown in the command output above. The SND/IRQ and Firewall Worker functions are tripping all over each other, and in some cases separate Firewall Workers are fighting each other for the same core! Needless to say the CPU fast caches will be getting mercilessly thrashed and overall firewall performance will be absolutely dismal.

To correct this particular situation described in our example: run cpconfig to allocate 3 Firewall Worker cores, and then reboot the firewall. However even after performing this step, as you might suspect the remaining 4 unlicensed cores will do practically nothing, while the 4 licensed ones are forced to carry the entire traffic load; core licensing limits are actively enforced by the Check Point code. This situation should never occur on a Check Point firewall appliance unless the wrong license is applied, as the license bundled with the appliance will always permit the same number of cores as actual physical cores.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events