Alternative Affinity Settings for 16000 and 26000 Appliances

Background

With the default CoreXL affinity settings, all CoreXL SNDs are affined to the same CPU socket. As a result, the number of CoreXL Firewall instances affined to each CPU socket is not balanced.

To improve the memory behavior and possibly improve the Security Gateway's performance, you can evenly distribute the affinities of CoreXL SNDs and CoreXL Firewall instances between the CPU sockets.

The configuration provided below is a recommendation for Threat Prevention and NGFW.

Syntax

These are the applicable CLI commands:

mq_mng -s manual -c <IDs of CoreXL SND Instances>

fw ctl affinity -sa -c <IDs of CoreXL Firewall Instances>

Parameters

Parameter	Description
`<`IDs of CoreXL SND Instances`>`	IDs of CoreXL SND Instances separated with: spaces (example: `0 1`) commas (example: `0,1`) hyphens (example: `0-1`)
`<`IDs of CoreXL Firewall Instances`>`	IDs of CoreXL Firewall Instances separated with: spaces (example: `0 1`) hyphens (example: `0-1`)

Parameter

Description

<IDs of CoreXL SND Instances>

IDs of CoreXL SND Instances separated with:

spaces (example: 0 1)
commas (example: 0,1)
hyphens (example: 0-1)

<IDs of CoreXL Firewall Instances>

IDs of CoreXL Firewall Instances separated with:

spaces (example: 0 1)
hyphens (example: 0-1)

Notes:

To see the list of CoreXL Firewall Instances, run:
fw ctl multik stat
To see the list of CPU cores, run:
cat /proc/cpuinfo | grep processor

To configure the alternative CoreXL affinity settings

Step	Instructions
1	Connect to the command line on the Security Appliance over SSH, or console.
2	Log in to Gaia Clish, or the Expert mode.
3	Run the `cpconfig` command.
4	Enter the number of the Check Point CoreXL option.
5	Enter the number of the (1) Change the number of firewall instances option.
6	Set number of firewall instances: On 16000 models - to 39 On 26000 models - to 59
7	Exit from the `cpconfig` menu.
8	Reboot the Security Appliance.
9	Connect to the command line on the Security Appliance over SSH, or console.
10	Log in to the Expert mode.
11	Examine the current CoreXL affinity configuration: `fw ctl affinity -l [-a] [-v] [-r] [-q]`
12	Configure the Multi-Queue: On 16000 models, run: `mq_mng -s manual -c 0-1 12-13 24-25 36-37` On 26000 models, run: `mq_mng -s manual -c 0-2 18-20 36-38 54-56`
13	Configure the affinity of CoreXL Firewall instances to specific CPU cores: On 16000 models, run: `fw ctl affinity -sa -c 2-11 14-23 26-35 38-46` On 26000 models, run: `fw ctl affinity -sa -c 3-17 21-35 39-53 57-70`
14	Examine the new CoreXL configuration: `fw ctl affinity -l [-a] [-v] [-r] [-q]`

To configure the default CoreXL affinity settings

Step	Instructions
1	Connect to the command line on the Security Appliance over SSH, or console.
2	Log in to Gaia Clish, or the Expert mode.
3	Run the `cpconfig` command.
4	Enter the number of the Check Point CoreXL option.
5	Enter the number of the (1) Change the number of firewall instances option.
6	Set number of firewall instances: On 16000 models - to 43 On 26000 models - to 61
7	Exit from the `cpconfig` menu.
8	Reboot the Security Appliance.
9	Connect to the command line on the Security Appliance over SSH, or console.
10	Log in to the Expert mode.
11	Examine the current CoreXL affinity configuration: `fw ctl affinity -l [-a] [-v] [-r] [-q]`
12	Configure the Multi-Queue: On 16000 models, run: `mq_mng -s manual -c 0-1 24-25` On 26000 models, run: `mq_mng -s manual -c 0-4 36-40`
13	Configure the affinity of CoreXL Firewall instances to specific CPU cores: On 16000 models, run: `fw ctl affinity -sa -c 2-23 26-46` On 26000 models, run: `fw ctl affinity -sa -c 5-35 41-70`
14	Examine the new CoreXL configuration: `fw ctl affinity -l [-a] [-v] [-r] [-q]`