VSX Affinity Commands (fw ctl affinity -s -d)
This section shows you how to use the fw ctl affinity command to set affinities in a VSX environment. When you run this command, the system automatically creates or updates the affinity configuration files. All affinity configurations are kept after reboot.
You can define specified processes as affinity exceptions. Affinity commands do not apply these processes. To define an exception, add the process name to the $FWDIR/conf/vsaffinity_exception.conf file. You cannot add kernel threads as affinity exceptions.
|
Important - Do not add Check Point processes to the exception list. This can cause system instability.
|
Affinity Priorities
When a CPU core has more than one affinity, the affinity is applied based on these priorities:
- Firewall instance
- Process
- Virtual System
Setting Affinities
Use fw ctl affinity -s -d to set these CPU affinities:
- Firewall instance
- Processes
- Virtual System
You can set Firewall instance affinity to one or more CPUs on each Virtual System individually.
Syntax
> fw ctl affinity -s -d
> fw ctl affinity -s -d [-vsid <vs_ids>] -cpu <cpu_id>
> fw ctl affinity -s -d -pname <process> [-vsid <ranges>] -cpu <cpu_id>
> fw ctl affinity -s -d -inst <instance_id> -cpu <cpu_id>
Parameter
|
Description
|
-s -d
|
Set affinity for a VSX environment.
|
-vsid <vs_ids>
|
<vs_ids> can be:
- No <vs_ids> (default) - Shows the current Virtual System context.
- One Virtual System.
- A comma-separated list of Virtual Systems (1,2,4,5).
- A range of Virtual Systems (VS 3-5).
all - Shows all Virtual Systems.
Note: This parameter is only relevant in a VSX environment.
|
-cpu <cpu_id>
|
One or more CPU cores. You can define a range from which the system selects the instances. The format for a range is:
<from_cpu_id>-<to_cpu_id>.
|
-pname <process>
|
Configure affinity for the specified process.
|
-inst <instance_id>
|
One or more Firewall instances. You can define a range from which the system selects the instances. The format for a range is:
<from_instance_id>-<to_instance_id>.
|
Setting affinities for all SGMs from the SMO:
From gclish, run:
> fw ctl affinity-s -d <options>
From Expert mode, run:
# g_fw ctl affinity-s -d <options>
To set affinities for a specified SGM:
Run:
> blade <sgm_id>
> fw ctl affinity -s -d <options>
Setting Firewall instance affinity with ranges
This example creates two Firewall instance affinities for the Virtual System on context 1. One affinity is assigned to instance 0 and the other is automatically assigned from the range of instances 2-4. These instances are automatically assigned to CPU cores in the range of 0-2.
> vsenv 1
> fw ctl affinity -s -d -inst 0 2-4 -cpu 0-2
VDevice 0: CPU 0 1 2 - set successfully
Note: If there were previously configured processes/FWK instances, this operation has overridden them and deleted their configuration files
Athens-ch01-02:0>
Setting VSX processes affinity (-pname)
Set the affinity of processes to one or more CPUs. You can use -vsid to set the affinity for a process to Virtual Systems in any context. If you do not use -vsid, the affinity of the current context is set.
> fw ctl affinity -s -d -pname cpd -vsid 0-1 -cpu 0 2
VDevice 0-1 : CPU 0 2 - set successfully
Virtual System affinity (-vsid)
Use -vsid to define an affinity for specified Virtual Systems. This example sets the affinity for Virtual System contexts 0 and 1 to CPU cores 0 and 2. If you do not use -vsid, this command sets the affinity for the current VSX context.
> fw ctl affinity -s -d -vsid 0-1 -cpu 0 2
VDevice 0-1 : CPU 0 2 - set successfully
|
