Alternative Affinity Settings for 16000 and 26000 Appliances

Background

With the default CoreXL affinity settings, all CoreXL SNDs are affined to the same CPU socket. As a result, the number of CoreXL Firewall instances affined to each CPU socket is not balanced.

To improve the memory behavior and possibly improve the Security Gateway's performance, you can evenly distribute the affinities of CoreXL SNDs and CoreXL Firewall instances between the CPU sockets.

The configuration provided below is a recommendation for Threat Prevention and NGFW.

Syntax

These are the applicable CLI commands:

g_all mq_mng -s manual -c <IDs of CoreXL SND Instances>

g_all fw ctl affinity -sa -c <IDs of CoreXL Firewall Instances>

Parameters

Parameter	Description
`<`IDs of CoreXL SND Instances`>`	IDs of CoreXL SND Instances separated with: spaces (example: `0 1`) commas (example: `0,1`) hyphens (example: `0-1`)
`<`IDs of CoreXL Firewall Instances`>`	IDs of CoreXL Firewall Instances separated with: spaces (example: `0 1`) hyphens (example: `0-1`)

Parameter

Description

<IDs of CoreXL SND Instances>

IDs of CoreXL SND Instances separated with:

spaces (example: 0 1)
commas (example: 0,1)
hyphens (example: 0-1)

<IDs of CoreXL Firewall Instances>

IDs of CoreXL Firewall Instances separated with:

spaces (example: 0 1)
hyphens (example: 0-1)

Notes:

To see the list of CoreXL Firewall Instances, run:
g_all fw ctl multik stat
To see the list of CPU cores, run:
g_all cat /proc/cpuinfo | grep processor

To configure the alternative CoreXL affinity settings

Step	Instructions
1	Connect to the command line on the Security Appliance over SSH, or console.
2	Log in to the Expert mode.
3	Run the `cpconfig` command.
4	Enter the number of the Check Point CoreXL option.
5	Enter the number of the (1) Change the number of firewall instances option.
6	Set number of firewall instances: On 16000 models - to 39 On 26000 models - to 59
7	Exit from the `cpconfig` menu.
8	Reboot the Security Appliance.
9	Connect to the command line on the Security Appliance over SSH, or console.
10	Login to the Expert mode.
11	Examine the current CoreXL affinity configuration: `g_all fw ctl affinity -l [-a] [-v] [-r] [-q]`
12	Configure the Multi-Queue: On 16000 models, run: `g_all mq_mng -s manual -c 0-1 12-13 24-25 36-37` On 26000 models, run: `g_all mq_mng -s manual -c 0-2 18-20 36-38 54-56`
13	Configure the affinity of CoreXL Firewall instances to specific CPU cores: On 16000 models, run: `g_all fw ctl affinity -sa -c 2-11 14-23 26-35 38-46` On 26000 models, run: `g_all fw ctl affinity -sa -c 3-17 21-35 39-53 57-70`
14	Examine the new CoreXL configuration: `g_all fw ctl affinity -l [-a] [-v] [-r] [-q]`

To configure the default CoreXL affinity settings

Step	Instructions
1	Connect to the command line on the Security Appliance over SSH, or console.
2	Log in to the Expert mode.
3	Run the `cpconfig` command.
4	Enter the number of the Check Point CoreXL option.
5	Enter the number of the (1) Change the number of firewall instances option.
6	Set number of firewall instances: On 16000 models - to 43 On 26000 models - to 61
7	Exit from the `cpconfig` menu.
8	Reboot the Security Appliance.
9	Connect to the command line on the Security Appliance over SSH, or console.
10	Login to the Expert mode.
11	Examine the current CoreXL affinity configuration: `g_all fw ctl affinity -l [-a] [-v] [-r] [-q]`
12	Configure the Multi-Queue: On 16000 models, run: `g_all mq_mng -s manual -c 0-1 24-25` On 26000 models, run: `g_all mq_mng -s manual -c 0-4 36-40`
13	Configure the affinity of CoreXL Firewall instances to specific CPU cores: On 16000 models, run: `g_all fw ctl affinity -sa -c 2-23 26-46` On 26000 models, run: `g_all fw ctl affinity -sa -c 5-35 41-70`
14	Examine the new CoreXL configuration: `g_all fw ctl affinity -l [-a] [-v] [-r] [-q]`