Running the 'fw ctl affinity -s' command in Gateway Mode


Description

The fw ctl affinity -s command configures the CoreXL affinity settings on a Security Gateway for:

  • Interfaces

  • User-space processes

  • CoreXL Firewall instances

Note - The Security Gateway saves these changes in the $FWDIR/conf/fwaffinity.conf configuration file.

Syntax

  • To see the built-in help:

    fw ctl affinity

  • To configure the affinity for a specified interface by its name:

    fw ctl affinity -s -i <Interface Name>

          all

          <CPU ID0> [ <CPU ID1> ... <CPU IDn> ]

  • To configure the affinity for a specified CoreXL Firewall instance:

    fw ctl affinity -s -k <CoreXL Firewall instance ID>

          all

          <CPU ID0> [ <CPU ID1> ... <CPU IDn> ]

  • To configure the affinity for a specified user-space process by its PID:

    fw ctl affinity -s -p <Process ID>

          all

          <CPU ID0> [ <CPU ID1> ... <CPU IDn> ]

  • To configure the affinity for a specified user-space process by its name:

    fw ctl affinity -s -n <Process Name>

          all

          <CPU ID0> [ <CPU ID1> ... <CPU IDn> ]

Parameters

| Parameter | Description |
|---|---|
| -i <Interface Name> | Configures the affinity for the specified interface. |
| -k <CoreXL Firewall instance ID> | Configures the affinity for the specified CoreXL Firewall instance. |
| -p <Process ID> | Configures the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its PID. |
| -n <Process Name> | Configures the affinity for the Check Point user-space process (for example: fwd, vpnd) specified by its name. Important - The process name is case-sensitive. |
| all | Configures the affinity for all CPU cores (numbers start from zero). |
| <CPU ID0> ... <CPU IDn> | Configures the affinity for the specified CPU cores (numbers start from zero). |

Example 1 - Affine the interface eth1 to the CPU core #1

[Expert@MyGW:0]# fw ctl affinity -s -i eth1 1
eth1: CPU 1 - set successfully
Multi-queue affinity was not changed.  For More info, see sk113834.
[Expert@MyGW:0]#

Example 2 - Affine the CoreXL Firewall instance #1 to the CPU core #2

[Expert@MyGW:0]# fw ctl affinity -s -k 1 2
fw_1: CPU 2 - set successfully
Multi-queue affinity was not changed.  For More info, see sk113834.
[Expert@MyGW:0]#

Example 3 - Affine the process CPD by its PID to the CPU core #2

[Expert@MyGW:0]# cpwd_admin list | egrep "PID|cpd"
APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        6080   E     1       [13:46:27] 17/9/2018   Y    cpd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -s -p 6080 2
Process 6080: CPU 2 - set successfully
Multi-queue affinity was not changed.  For More info, see sk113834.
[Expert@MyGW:0]#

Example 4 - Affine the process CPD by its name to the CPU core #2

[Expert@MyGW:0]# fw ctl affinity -s -n cpd 2
cpd: CPU 2 - set successfully
Multi-queue affinity was not changed.  For More info, see sk113834.
[Expert@MyGW:0]#
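
A pre-flight check for the syntax and parameters above, as an added example that is not Check Point code: it validates the selector, the target and the CPU IDs, then prints the resulting command line for review instead of running it. The function name build_affinity_cmd and its <ncpus> argument (the gateway's core count, supplied by the operator) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Check Point code): validate the arguments of an
# 'fw ctl affinity -s' change and print the command line for review.
# Usage: build_affinity_cmd <i|k|p|n> <target> <ncpus> <all | CPU ID ...>
# <ncpus> is an assumption of this sketch: the operator supplies the number
# of CPU cores on the gateway so that out-of-range IDs can be rejected.
build_affinity_cmd() (
    fail() { echo "build_affinity_cmd: $*" >&2; exit 1; }
    [ $# -ge 4 ] || fail "usage: <i|k|p|n> <target> <ncpus> <all | CPU ID ...>"
    kind=$1 target=$2 ncpus=$3
    shift 3
    case $ncpus in ''|*[!0-9]*) fail "core count must be a number" ;; esac
    case $kind in
        i|n)  # interface or process name: passed through unchanged,
              # because the process name is case-sensitive
            case $target in
                ''|-*|*[!A-Za-z0-9._:-]*) fail "unsafe name: $target" ;;
            esac ;;
        k|p)  # CoreXL Firewall instance ID or PID: digits only
            case $target in
                ''|*[!0-9]*) fail "-$kind needs a numeric ID: $target" ;;
            esac ;;
        *) fail "unknown selector: $kind" ;;
    esac
    if [ "$1" = all ]; then
        [ $# -eq 1 ] || fail "'all' cannot be combined with CPU IDs"
    else
        seen=" "
        for id in "$@"; do
            case $id in ''|*[!0-9]*) fail "CPU ID is not a number: $id" ;; esac
            # CPU numbers start from zero, so valid IDs are 0 .. ncpus-1
            [ "$id" -lt "$ncpus" ] || fail "CPU $id out of range for $ncpus cores"
            case $seen in *" $id "*) fail "CPU $id listed twice" ;; esac
            seen="$seen$id "
        done
    fi
    echo "fw ctl affinity -s -$kind $target $*"
)

# Dry run with constructed values (4 cores); nothing is executed on the gateway.
build_affinity_cmd i eth1 4 1
build_affinity_cmd n cpd 4 2 3
```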