Configuring Affinity Settings

Important - For 16000, 26000, and 28000 Appliances, see Affinity Settings for 16000, 26000, and 28000 Appliances.

Introduction

The script $FWDIR/scripts/fwaffinity_apply on Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. executes automatically during boot and controls the affinity The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. settings. When you make a change to affinity settings, the changes do not take effect until you either reboot the Security Gateway, or manually execute the $FWDIR/scripts/fwaffinity_apply script.

The $FWDIR/scripts/fwaffinity_apply script configures the interfaces affinity according to the settings in the $FWDIR/conf/fwaffinity.conf configuration file. To change the interfaces affinity settings, edit that configuration file.

The $FWDIR/conf/fwaffinity.conf Configuration File

The configuration file $FWDIR/conf/fwaffinity.conf controls CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. affinity settings.

Each line in this plain-text file uses the same format:

<type> <id> <cpu_id>

Where:

Field	Allowed Value	Description
`<type>`	i	Configures the affinity of an interface.
	n	Configures the affinity of a Check Point daemon.
	k	Configures the affinity of a CoreXL Firewall instance.
`<id>`	Name of Interface	If <type> = i.
	Name of Daemon	If <type> = n.
	ID of CoreXL Firewall instance	If <type> = k.
	default	Configures affinities of interfaces that are not specified other lines.
`<cpu_id>`	Number (ID) of CPU core	Specifies the ID numbers of processing CPU cores, to which you affine an interface, a Check Point daemon, or a CoreXL Firewall instance.
	all	Specifies all processing CPU cores as available to configure the affinity of an interface, a Check Point daemon, or a CoreXL Firewall instance.
	auto	Configures Automatic mode. See Allocation of Processing CPU Cores.
	ignore	No specified affinity. This is useful to exclude an interface from the "default" configuration.

Notes:

The default configuration in this file is:

i default auto

Possible combinations:

To configure the affinity of an interface:

i <Name of Interface> {<CPU ID Number> | all | ignore | auto}

i default {<CPU ID Number> | all | ignore | auto}

To configure the affinity of a Check Point daemon:

n <Name of Daemon> {<CPU ID Number> | all | ignore | auto}

To configure the affinity of a CoreXL Firewall instance:

k <ID of CoreXL Firewall instance> {<CPU ID Number> | all | ignore | auto}

To view the IRQs of all interfaces, run:

fw ctl affinity -l -v -a

See fw ctl affinity.

Interfaces that share an IRQ cannot have different CPU cores as their affinities.

This also applies when one interface is included in the default affinity setting.

You must either configure the same affinity for all interfaces, or use ignore for one of these interfaces.

The $FWDIR/scripts/fwaffinity_apply Script

To execute this shell script, run in the Expert mode:

$FWDIR/scripts/fwaffinity_apply <Parameter>

Parameters

Parameter	Description
`-q`	Quiet mode - prints only error messages.
`-t <Type>`	Applies affinity only for the specified type: `-t i` - For an interface `-t n` - For a Check Point daemon name `-t k` - For a CoreXL Firewall instance

Parameter

Description

-q

Quiet mode - prints only error messages.

-t <Type>

Applies affinity only for the specified type:

-t i - For an interface
-t n - For a Check Point daemon name
-t k - For a CoreXL Firewall instance