Allocating Additional CPU Cores to the CoreXL SND

The default configuration of CoreXL Firewall instances and the CoreXL SND instances might not be optimal for your needs.

If the default number of CoreXL SND instances is not enough to process the incoming traffic, and your Security Gateway computer contains enough CPU cores, you can reduce the number of CoreXL Firewall instances. This automatically allocates additional CPU cores to run the CoreXL SND instances.

This scenario is likely to occur if much of the traffic is accelerated by SecureXL. In this case, the task load of the CoreXL SND instances may be disproportionate to that of the CoreXL Firewall instances.

To check if the SND is slowing down the traffic:

Step  Description

1     Identify the processing CPU core, to which the interfaces direct their traffic:

      fw ctl affinity -l -r

2     Under heavy traffic conditions, run the top command.

      Examine the values for the different CPU cores in the idle column.

Best Practice - We recommend that you allocate an additional CPU core to the CoreXL SND only if all these conditions are met:

  • There are at least 8 processing CPU cores.

  • In the output of the top command, the idle values for the CPU cores that run the CoreXL SND instances are in the 0%-5% range.

  • In the output of the top command, the sum of the idle values for the CPU cores that run the CoreXL Firewall instances is significantly higher than 100%.

If at least one of the above conditions is not met, the default CoreXL configuration is sufficient.
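
The three conditions above can be checked mechanically against saved command output. The script below is an added example, not Check Point code. It assumes that each line of the saved "fw ctl affinity -l -r" output has the form "CPU <n>: <interfaces or fw_<k>>", that the idle values were noted from top as "<cpu> <idle%>" pairs, and that a hypothetical cut-off FW_IDLE_MIN (200 here) stands in for "significantly higher than 100%". The sample data is constructed.

```shell
#!/bin/sh
# Added example. Assumptions: the input layouts shown in the constructed
# samples below, and FW_IDLE_MIN as the cut-off for "significantly higher
# than 100%" (the page gives no number).
FW_IDLE_MIN=${FW_IDLE_MIN:-200}

# snd_check AFFINITY IDLE
#   AFFINITY  text saved from: fw ctl affinity -l -r
#   IDLE      one "<cpu> <idle%>" pair per line, noted from top under load
# Prints the verdict; returns 0 only if all three conditions are met.
snd_check() {
  printf '%s\n---\n%s\n' "$2" "$1" | awk -v min="$FW_IDLE_MIN" '
    $0 == "---"    { in_aff = 1; next }                 # idle pairs end here
    !in_aff        { if (NF >= 2) idle[$1] = $2; next }
    /^CPU [0-9]+:/ {
      cpu = $2; sub(/:/, "", cpu); cores++
      if (!(cpu in idle)) missing = 1
      if ($0 ~ /fw_[0-9]+/) fw_sum += idle[cpu]         # Firewall instance core
      else if (NF > 2) {                                # interface (SND) core
        snd++; if (idle[cpu] > 5) snd_has_room = 1
      }
    }
    END {
      if (missing)            why = "idle value missing for a listed core"
      else if (cores < 8)     why = "fewer than 8 processing CPU cores"
      else if (snd == 0)      why = "no core with interface affinity found"
      else if (snd_has_room)  why = "an SND core is more than 5% idle"
      else if (fw_sum <= min) why = "Firewall cores idle sum " fw_sum "% not above " min "%"
      if (why != "") { print "keep-default: " why; exit 1 }
      print "allocate: SND cores saturated, Firewall cores idle sum " fw_sum "%"
    }'
}

# Constructed sample: 8 cores, 2 SND cores (interfaces), 6 Firewall instances.
SAMPLE_AFFINITY='CPU 0: eth0 eth1
CPU 1: eth2
CPU 2: fw_5
CPU 3: fw_4
CPU 4: fw_3
CPU 5: fw_2
CPU 6: fw_1
CPU 7: fw_0'
SAMPLE_IDLE=$(printf '0 2\n1 4\n2 60\n3 55\n4 70\n5 65\n6 50\n7 60\n')

snd_check "$SAMPLE_AFFINITY" "$SAMPLE_IDLE"
```

A "keep-default" verdict names the first condition that failed, which corresponds to the case where the default CoreXL configuration is sufficient.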

To allocate an additional processing CPU core to the CoreXL SND:

Item  Description

1     Reduce the number of CoreXL Firewall instances in the cpconfig menu.

      See Configuring IPv4 and IPv6 CoreXL Firewall instances.

2     Set interface affinities to the remaining CPU cores.

      See Setting Affinities for Interfaces on the Host Security Appliance.

3     Reboot to apply the new configuration.