|
|
|
In This Section: |
When most of the traffic is accelerated by the SecureXL, the CPU load from the CoreXL SND instances can be very high, while the CPU load from the CoreXL Firewall instances can be very low. This is an inefficient utilization of CPU capacity.
By default, the number of CPU cores allocated to CoreXL SND instances is limited by the number of network interfaces that handle the traffic. Because each interface has one traffic queue, only one CPU core can handle each traffic queue at a time. This means that each CoreXL SND instance can use only one CPU core at a time for each network interface.
Check Point Multi-Queue lets you configure more than one traffic queue for each network interface. For each interface, you can use more than one CPU core (that runs CoreXL SND) for traffic acceleration. This balances the load efficiently between the CPU cores that run the CoreXL SND instances and the CPU cores that run CoreXL Firewall instances.
Important - Multi-Queue applies only if SecureXL is enabled (this is the default).
Interface Driver |
Interface Speed |
Maximal Number of RX Queues |
|---|---|---|
|
1 Gb |
4 |
|
10 Gb |
16 |
|
40 Gb |
14 |
|
40 Gb |
10 |
This section helps you decide if you can benefit from the Multi-Queue.
We recommend that you do these steps before you change the default Multi-Queue configuration:
To make sure that SecureXL is enabled
Step |
Description |
|---|---|
1 |
Connect to the command line on the Security Group. |
2 |
Log in to the Gaia Clish, or the Expert mode. |
3 |
Run: |
4 |
Examine the Status column. Example from a non-VSX Gateway: [Expert@MyChassis-0x-0x:0]# fwaccel stat -t +-----------------------------------------------------------------------------+ |Id|Name |Status |Interfaces |Features | +-----------------------------------------------------------------------------+ |0 |SND |enabled |eth0,eth1,eth2,eth3,eth4,| | | | |eth5,eth6,eth7 |Acceleration,Cryptography | +-----------------------------------------------------------------------------+ [Expert@MyChassis-0x-0x:0]# |
5 |
If the SecureXL is disabled, enable it. Run: |
To examine the CPU roles allocation
Step |
Description |
|---|---|
1 |
Connect to the command line on the Security Group. |
2 |
Log in to the Gaia Clish, or the Expert mode. |
3 |
Run: |
Example - CPU0 and CPU1 run the CoreXL SND instances:
[Expert@MyChassis-0x-0x:0]# fw ctl affinity -l Mgmt: CPU 0 eth1-04: CPU 1 eth1-05: CPU 0 eth1-06: CPU 1 eth1-07: CPU 0 fw_0: CPU 5 fw_1: CPU 4 fw_2: CPU 3 fw_3: CPU 2 [Expert@MyChassis-0x-0x:0]# |
To examine the CPU cores utilization
Step |
Description |
|---|---|
1 |
Connect to the command line on the Security Group. |
2 |
Log in to the Expert mode. |
3 |
Run:
|
4 |
Press 1 to show all the CPU cores. |
Example:
top - 18:02:33 up 8 days, 1:18, 1 user, load average: 1.22, 1.38, 1.48 Tasks: 137 total, 3 running, 134 sleeping, 0 stopped, 0 zombie
Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 28.7%id, 5.9%wa, 0.0%hi, 63.4%si, 0.0%st Cpu1 : 0.0%us, 1.0%sy, 0.0%ni, 27.6%id, 0.0%wa, 0.0%hi, 71.4%si, 0.0%st Cpu2 : 2.0%us, 2.0%sy, 0.0%ni, 66.5%id, 0.0%wa, 4.0%hi, 25.5%si, 0.0%st Cpu3 : 1.0%us, 2.0%sy, 0.0%ni, 71.3%id, 0.0%wa, 0.0%hi, 25.7%si, 0.0%st Cpu4 : 5.0%us, 1.0%sy, 0.0%ni, 69.0%id, 0.0%wa, 0.0%hi, 25.0%si, 0.0%st
Mem: 12224020k total, 70005820k used, 5218200k free, 273536k buffers Swap: 14707496k total, 0k used, 14707496k free, 484340k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 3301 root 15 0 0 O 0 R 31 0.0 747:04 [fw_worker_3] 3326 root 15 0 0 O 0 R 29 0.0 593:35 [fw_worker_0] ... ... ... |
To decide if you can allocate more CPU cores to run the CoreXL SND instances
If you have more active network interfaces than the CPU cores that run CoreXL SND instances, you can allocate more CPU cores to run more CoreXL SND instances.
We recommend to configure the Multi-Queue when:
Note - You cannot assign more CPU cores to run CoreXL SND instances if you change interface IRQ affinity.
