Configuring Affinity Settings

Introduction

The script $FWDIR/scripts/fwaffinity_apply on Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. (Scalable Platform Security Group Members Member of a Security Group in ElasticXL Cluster, Maestro, and Scalable Chassis. Acronym: SGM.) executes automatically during boot and controls the affinity The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. settings. When you make a change in the affinity settings, the changes do not take effect until you either reboot the Security Gateway (Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.), or manually execute the $FWDIR/scripts/fwaffinity_apply script.

The $FWDIR/scripts/fwaffinity_apply script configures the affinity of interfaces based on the settings in the $FWDIR/conf/fwaffinity.conf configuration file. To change these affinity settings, edit that configuration file.

The $FWDIR/conf/fwaffinity.conf Configuration File

The configuration file $FWDIR/conf/fwaffinity.conf controls CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. affinity settings.

Each line in this plain-text file uses the same format:

<Type> <ID> <CPU_ID>

Where:

Field	Allowed Value	Description
`<Type>`	i	Configures the affinity of an interface.
	n	Configures the affinity of a Check Point daemon.
	k	Configures the affinity of a CoreXL Firewall instance.
`<ID>`	Name of Interface	If <type> = i.
	Name of Daemon	If <type> = n.
	ID of CoreXL Firewall instance	If <type> = k.
	default	Configures affinities for interfaces that are not specified other lines.
`<CPU_ID>`	Number (ID) of CPU core	Specifies the ID numbers of processing CPU cores, to which you affine an interface, a Check Point daemon, or a CoreXL Firewall instance.
	all	Specifies all processing CPU cores as available to configure the affinity of an interface, a Check Point daemon, or a CoreXL Firewall instance.
	auto	Configures Automatic mode. See Allocation of Processing CPU Cores.
	ignore	No specified affinity. This is useful to exclude an interface from the "default" configuration.

Notes:

The default configuration in this file is:

i default auto

Possible combinations:

To configure the affinity for an interface:

i <Name of Interface> {<CPU ID Number> | all | ignore | auto}

i default {<CPU ID Number> | all | ignore | auto}

To configure the affinity of a Check Point daemon:

n <Name of Daemon> {<CPU ID Number> | all | ignore | auto}

To configure the affinity of a CoreXL Firewall instance:

k <ID of CoreXL Firewall instance> {<CPU ID Number> | all | ignore | auto}

To view the IRQs of all interfaces, run:

On a Security Gateway (each Cluster Member Security Gateway that is part of a cluster.), run in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). or the Expert mode:

fw ctl affinity -l -v -a

On a Scalable Platform Security Group, run in Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group.:

fw ctl affinity -l -v -a

On a Scalable Platform Security Group, run in the Expert mode:

g_fw ctl affinity -l -v -a

See fw ctl affinity.

Interfaces that share an IRQ cannot have different CPU cores as their affinities.

This also applies when one interface is included in the default affinity setting.

You must either configure the same affinity of all interfaces, or use ignore for one of these interfaces.

On a Scalable Platform Security Group, after you edit the $FWDIR/conf/fwaffinity.conf file, you must copy it to all Security Group Members:

asg_cp2blades $FWDIR/conf/fwaffinity.conf

The $FWDIR/scripts/fwaffinity_apply Script

Syntax

To execute this shell script on a Security Gateway (each Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member), run in the Expert mode:

$FWDIR/scripts/fwaffinity_apply <Parameter>

To execute this shell script on a Scalable Platform Security Group, run in the Expert mode:

g_all $FWDIR/scripts/fwaffinity_apply <Parameter>

Parameters

Parameter	Description
`-q`	Quiet mode - prints only error messages (standard output goes to `/dev/null`).
`-t i` `-t n` `-t k`	Applies affinity only for the specified type: `-t i` - For interfaces `-t n` - For Check Point daemons `-t k` - For CoreXL Firewall instances

Parameter

Description

-q

Quiet mode - prints only error messages (standard output goes to /dev/null).

-t i

-t n

-t k

Applies affinity only for the specified type:

-t i - For interfaces
-t n - For Check Point daemons
-t k - For CoreXL Firewall instances