Print Download PDF Send Feedback

Previous

Next

Multi-Queue

In This Section:

Introduction to Multiple Traffic Queues

Multi-Queue Administration

Basic Multi-Queue Configuration

Advanced Multi-Queue settings

Special Scenarios and Configurations

Troubleshooting

Introduction to Multiple Traffic Queues

By default, each network interface has one traffic queue handled by one CPU. You cannot use more CPU cores for acceleration than the number of interfaces handling traffic. Multi-Queue lets you configure more than one traffic queue for each network interface. For each interface, more than one CPU core is used for acceleration.

Note - Multi-Queue is relevant only if SecureXL is enabled.

Multi-Queue Requirements and Limitations

Deciding Whether to Enable the Multi-Queue

This section helps you decide if you can benefit from the Multi-Queue.

We recommend that you do these steps before you configure the Multi-Queue:

  1. Make sure that network interfaces support Multi-Queue.
  2. Make sure that SecureXL is enabled.
  3. Examine the CPU roles allocation.
  4. Examine the CPU cores utilization.
  5. Decide if you can allocate more CPU cores to run the CoreXL SND instances.

To make sure that network interfaces support Multi-Queue

Only network cards that use the igb (1Gb), ixgbe (10Gb), i40e (40Gb), or mlx5_core (40Gb) drivers support the Multi-Queue.

Important - Before you upgrade these drivers, make sure that the latest version supports the Multi-Queue.

Gateway Type

Network Interfaces that Support the Multi-Queue

Check Point Appliance

These expansion line cards support the Multi-Queue:

  • CPAC-4-1C
  • CPAC-4-1F
  • CPAC-8-1C
  • CPAC-2-10F
  • CPAC-4-10F
  • CPAC-2-40F
  • CPAC-2-100/25F
  • CPAC-2-10-FSR

Open Server

Network cards that use one of these drivers support the Multi-Queue:

  • igb (1Gb)
  • ixgbe (10Gb)
  • i40e (40Gb)
  • mlx5_core (40Gb)

Notes:

To make sure that SecureXL is enabled

Step

Description

1

Connect to the command line on the Security Gateway.

2

Log in to the Gaia Clish, or the Expert mode.

3

Run:

fwaccel stat -t

4

Examine the Status column.

Example from a non-VSX Gateway:

[Expert@MyGW:0]# fwaccel stat -t
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,| |
| | | |eth5,eth6,eth7 |Acceleration,Cryptography |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#

5

If the SecureXL is disabled, enable it. Run:

fwaccel on

To examine the CPU roles allocation

Step

Description

1

Connect to the command line on the Security Gateway.

2

Log in to the Gaia Clish, or the Expert mode.

3

Run:

fw ctl affinity -l [-a][-v][-r]

Example - CPU0 and CPU1 run the CoreXL SND instances:

[Expert@GW:0]# fw ctl affinity -l
Mgmt: CPU 0
eth1-04: CPU 1
eth1-05: CPU 0
eth1-06: CPU 1
eth1-07: CPU 0
fw_0: CPU 5
fw_1: CPU 4
fw_2: CPU 3
fw_3: CPU 2
[Expert@GW:0]#

To examine the CPU cores utilization

Step

Description

1

Connect to the command line on the Security Gateway.

2

Log in to the Gaia Clish, or the Expert mode.

3

Run:

top

4

Press 1 to show all the CPU cores.

Example:

To decide if you can allocate more CPU cores to run the CoreXL SND instances

If you have more active network interfaces than the CPU cores that run CoreXL SND instances, you can allocate more CPU cores to run more CoreXL SND instances.

We recommend to configure the Multi-Queue when:

  1. CoreXL SND instances cause high CPU load (idle is less than 20%).
  2. CoreXL Firewall instances cause low CPU load (idle is greater than 50%).

Note - You cannot assign more CPU cores to run CoreXL SND instances if you change interface IRQ affinity.