Configuring Affinity Settings

The script $FWDIR/scripts/fwaffinity_apply on Security Gateway executes automatically during boot and controls the affinity settings. When you make a change to affinity settings, the changes do not take effect until you either reboot the Security Gateway, or manually execute the $FWDIR/scripts/fwaffinity_apply script.

The $FWDIR/scripts/fwaffinity_apply script configures the interfaces affinity according to the settings in the $FWDIR/conf/fwaffinity.conf configuration file. To change the interfaces affinity settings, edit that configuration file.

Note - When the SecureXL is enabled, only the SecureXL SIM Affinity configuration defines the interfaces affinities. Security Gateway ignores the interface affinity settings in the $FWDIR/conf/fwaffinity.conf file.

The $FWDIR/conf/fwaffinity.conf Configuration File

The configuration file $FWDIR/conf/fwaffinity.conf controls CoreXL affinity settings.

Each line in this plain-text file uses the same format: <type> <id> <cpu_id>

Data	Allowed Values	Description
<type>	i	Configures the affinity of an interface.
	n	Configures the affinity of a Check Point daemon.
	k	Configures the affinity of a CoreXL Firewall instance.
<id>	Name of Interface	If <type> = i.
	Name of Daemon	If <type> = n.
	ID of CoreXL Firewall instance	If <type> = k.
	default	Configures affinities of interfaces that are not specified other lines.
<cpu_id>	CPU ID Number	Specifies the ID numbers of processing CPU cores, to which you affine an interface, a Check Point daemon, or a CoreXL Firewall instance.
	all	Specifies all processing CPU cores as available to configure the affinity of an interface, a Check Point daemon, or a CoreXL Firewall instance.
	auto	Configures Automatic mode. See Allocation of Processing CPU Cores.
	ignore	No specified affinity. This is useful to exclude an interface from the "default" configuration.

Notes:

The default configuration in this file is:

i default auto
Possible combinations:
- To configure the affinity of an interface:
  i <Name of Interface> {<CPU ID Number> | all | ignore | auto}
  
  i default {<CPU ID Number> | all | ignore | auto}
- To configure the affinity of a Check Point daemon:
  n <Name of Daemon> {<CPU ID Number> | all | ignore | auto}
- To configure the affinity of a CoreXL Firewall instance:
  k <ID of CoreXL Firewall instance> {<CPU ID Number> | all | ignore | auto}
To view the IRQs of all interfaces, run:
fw ctl affinity -l -v -a
Interfaces that share an IRQ cannot have different CPU cores as their affinities.
This also applies when one interface is included in the default affinity setting.

You must either configure the same affinity for all interfaces, or use ignore for one of these interfaces.

The $FWDIR/scripts/fwaffinity_apply Script

Use the following syntax to execute this shell script:

[Expert@MyGW:0]# $FWDIR/scripts/fwaffinity_apply <Parameter>

Parameters

Parameter	Description
`-q`	Quiet mode - print only error messages.
`-t` <Type>	Applies affinity only for the specified type: `i` - For an interface `n` - For a Check Point daemon name `k` - For a CoreXL Firewall instance
`-f`	Sets interface affinity even if SecureXL SIM Affinity is set to Automatic mode.

Parameter

Description

-q

Quiet mode - print only error messages.

-t <Type>

Applies affinity only for the specified type:

i - For an interface
n - For a Check Point daemon name
k - For a CoreXL Firewall instance

-f

Sets interface affinity even if SecureXL SIM Affinity is set to Automatic mode.