Affinity Settings for 16000, 26000, and 28000 Appliances

Background

With the default CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. affinity The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. settings, all CoreXL SND instances are affined to the same CPU socket. As a result, the number of CoreXL Firewall instances affined to each CPU socket is not balanced.

To improve the memory behavior and possibly improve the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.'s performance, you can evenly distribute the affinities of CoreXL SND instances and CoreXL Firewall instances between the CPU sockets.

The configuration provided below is a recommendation for Threat Prevention and NGFW.

Syntax

These are the applicable CLI commands:

mq_mng -s manual -c <IDs of CoreXL SND Instances>

fw ctl affinity -sa -c <IDs of CoreXL Firewall Instances>

Parameters

Parameter	Description
`<IDs of CoreXL SND Instances>`	IDs of CoreXL SND Instances separated with: space (example: `0 1`) comma (example: `0,1`) hyphen (example: `0-1`)
`<IDs of CoreXL Firewall Instances>`	IDs of CoreXL Firewall Instances separated with: space (example: `0 1`) hyphen (example: `0-1`)

Parameter

Description

<IDs of CoreXL SND Instances>

IDs of CoreXL SND Instances separated with:

space (example: 0 1)
comma (example: 0,1)
hyphen (example: 0-1)

<IDs of CoreXL Firewall Instances>

IDs of CoreXL Firewall Instances separated with:

space (example: 0 1)
hyphen (example: 0-1)

Notes:

To see the list of CoreXL Firewall Instances, run:

fw ctl multik stat

To see the list of CPU cores, run:

cat /proc/cpuinfo | grep processor

For more information about these commands, see:
- Multi-Queue Basic Configuration
- fw ctl affinity

Procedure

Configuring the alternative CoreXL affinity settings on these models

Step

Instructions

Connect to the command line on the Security Appliance over SSH, or console.

Log in to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or the Expert mode.

Run:

cpconfig

Enter the number of the Check Point CoreXL option.

Enter 1 to select the (1) Change the number of firewall instances option.

Configure the number of CoreXL Firewall instances:

On 16000 models - 39
On 26000 models - 59
On 28000 models - 59

Exit from the cpconfig menu.

Reboot the Security Appliance.

Connect to the command line on the Security Appliance over SSH, or console.

Examine the current CoreXL affinity configuration:

fw ctl affinity -l [-a] [-v] [-r] [-q]

Configure the Multi-Queue An acceleration feature on Security Gateway that configures more than one traffic queue for each network interface. Multi-Queue assigns more than one receive packet queue (RX Queue) and more than one transmit packet queue (TX Queue) to an interface. Multi-Queue is applicable only if SecureXL is enabled (this is the default). Acronym: MQ.:

On 16000 models, run:

mq_mng -s manual -c 0-1 12-13 24-25 36-37

On 26000 and 28000 models, run:

mq_mng -s manual -c 0-2 18-20 36-38 54-56

Configure the affinity of CoreXL Firewall instances to specific CPU cores:

On 16000 models, run:

fw ctl affinity -sa -c 2-11 14-23 26-35 38-46

On 26000 and 28000 models, run:

fw ctl affinity -sa -c 3-17 21-35 39-53 57-70

Examine the new CoreXL configuration:

fw ctl affinity -l [-a] [-v] [-r] [-q]

Configuring the default CoreXL affinity settings on these models

Step

Instructions

Connect to the command line on the Security Appliance over SSH, or console.

Log in to Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish, or the Expert mode.

Run:

cpconfig

Enter the number of the Check Point CoreXL option.

Enter 1 to select the (1) Change the number of firewall instances option.

Configure the number of CoreXL Firewall instances:

On 16000 models - 43
On 26000 models - 61
On 28000 models - 61

Exit from the cpconfig menu.

Reboot the Security Appliance.

Connect to the command line on the Security Appliance over SSH, or console.

Examine the current CoreXL affinity configuration:

fw ctl affinity -l [-a] [-v] [-r] [-q]

Configure the Multi-Queue:

On 16000 models, run:

mq_mng -s manual -c 0-1 24-25

On 26000 and 28000 models, run:

mq_mng -s manual -c 0-4 36-40

Configure the affinity of CoreXL Firewall instances to specific CPU cores:

On 16000 models, run:

fw ctl affinity -sa -c 2-23 26-46

On 26000 and 28000 models, run:

fw ctl affinity -sa -c 5-35 41-70

Examine the new CoreXL configuration:

fw ctl affinity -l [-a] [-v] [-r] [-q]