Allocation of Processing CPU Cores
The CoreXL software architecture includes the Secure Network Distributor (SND). CoreXL is a performance-enhancing technology for Security Gateways on multi-core processing platforms, in which multiple Check Point Firewall instances run in parallel on multiple CPU cores.
The SND is responsible for these:
- Processing the incoming traffic from the network interfaces
- Securely accelerating authorized packets (if SecureXL is enabled)
- Distributing non-accelerated packets between the CoreXL Firewall instances

SecureXL is a Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway.
The association of a particular interface with a specific processing CPU core is called the interface's affinity with that CPU core. This affinity causes the interface's traffic to be directed to that CPU core and the CoreXL SND to run on that CPU core. In general, affinity is the assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.
The association of a particular CoreXL Firewall instance with a specific CPU core is called the CoreXL Firewall instance's affinity with that CPU core.
The association of a particular user space process with a specific CPU core is called the process's affinity with that CPU core.
The default affinity setting for all interfaces is Automatic. Automatic affinity means that if SecureXL is enabled, the affinity for each interface is reset periodically and balanced between the available CPU cores. If SecureXL is disabled, the default affinities of all interfaces are with one available CPU core. In both cases, all processing CPU cores that run a CoreXL Firewall instance, or that are defined as the affinity for another user space process, are considered unavailable, and the affinity for interfaces is not set to those CPU cores.
In some cases, which we discuss in the following sections, it may be advisable to change the distribution of CoreXL Firewall instances, the CoreXL SND, and other user space processes, between the processing CPU cores. To do so, you change the affinities of different NICs (interfaces) or user space processes. However, to ensure CoreXL efficiency, traffic from all interfaces must be directed to CPU cores that do not run CoreXL Firewall instances. Therefore, if you change affinities of interfaces or other user space processes, you must configure the number of CoreXL Firewall instances accordingly. You also must make sure that the CoreXL Firewall instances run on other processing CPU cores.
Under normal circumstances, we do not recommend that a CoreXL SND and a CoreXL Firewall instance share the same CPU core. However, it is necessary for the CoreXL SND and a CoreXL Firewall instance to share a CPU core when the Security Group runs on a computer with exactly two CPU cores.

A Security Group is a logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. Every Security Group contains:
- Applicable Uplink ports, to which your production networks are connected
- Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically)
- Applicable management port, to which the Check Point Management Server is connected
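The following added example (not Check Point code) checks a planned affinity layout against the rules above: interface cores must not overlap cores assigned to CoreXL Firewall instances, and it also flags overlap with user space process cores, which Automatic affinity treats as unavailable. The plan format, the names `eth0`, `fw_0`, `fwd`, and the functions are assumptions constructed for this example.

```python
import re

# Constructed affinity plan (not real gateway output). Format assumed for this
# example: "<kind> <name>: CPU <n> [<n> ...]", kind = interface|instance|process.
SAMPLE_PLAN = """\
interface eth0: CPU 0
interface eth1: CPU 1
interface eth2: CPU 2
instance fw_0: CPU 3
instance fw_1: CPU 2
process fwd: CPU 1
"""

LINE = re.compile(r"^(interface|instance|process)\s+(\S+):\s+CPU((?:\s+\d+)+)$")

def parse_plan(text):
    """Return {kind: {name: set_of_cores}} from the constructed plan format."""
    plan = {"interface": {}, "instance": {}, "process": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {raw!r}")
        kind, name, cores = m.groups()
        plan[kind][name] = {int(c) for c in cores.split()}
    return plan

def check_plan(plan, total_cores):
    """Return (interface, core, owners) for each interface core that is also
    assigned to a CoreXL Firewall instance or a user space process."""
    if total_cores == 2:
        # Two-core case from the text: the SND and an instance must share a core.
        return []
    reserved = {}  # core -> names of instances/processes assigned to it
    for kind in ("instance", "process"):
        for name, cores in plan[kind].items():
            for core in cores:
                reserved.setdefault(core, []).append(name)
    findings = []
    for iface, cores in sorted(plan["interface"].items()):
        for core in sorted(cores & set(reserved)):
            findings.append((iface, core, sorted(reserved[core])))
    return findings

if __name__ == "__main__":
    for iface, core, owners in check_plan(parse_plan(SAMPLE_PLAN), total_cores=4):
        print(f"{iface}: CPU {core} is also assigned to {', '.join(owners)}")
```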