Configuring Affinity Settings

Introduction

The script $FWDIR/scripts/fwaffinity_apply on Security Gateway (Scalable Platform Security Group Members) executes automatically during boot and controls the affinity settings. When you make a change in the affinity settings, the changes do not take effect until you either reboot the Security Gateway (Scalable Platform Security Group), or manually execute the $FWDIR/scripts/fwaffinity_apply script.

The $FWDIR/scripts/fwaffinity_apply script configures the affinity of interfaces based on the settings in the $FWDIR/conf/fwaffinity.conf configuration file. To change these affinity settings, edit that configuration file.

The $FWDIR/conf/fwaffinity.conf Configuration File

The configuration file $FWDIR/conf/fwaffinity.conf controls CoreXL affinity settings.

Each line in this plain-text file uses the same format:

<Type> <ID> <CPU_ID>

Where:

| Field | Allowed Value | Description |
|---|---|---|
| <Type> | i | Configures the affinity of an interface. |
| | n | Configures the affinity of a Check Point daemon. |
| | k | Configures the affinity of a CoreXL Firewall instance. |
| <ID> | Name of Interface | If <Type> = i. |
| | Name of Daemon | If <Type> = n. |
| | ID of CoreXL Firewall instance | If <Type> = k. |
| | default | Configures affinities for interfaces that are not specified in other lines. |
| <CPU_ID> | Number (ID) of CPU core | Specifies the ID numbers of processing CPU cores, to which you affine an interface, a Check Point daemon, or a CoreXL Firewall instance. |
| | all | Specifies all processing CPU cores as available to configure the affinity of an interface, a Check Point daemon, or a CoreXL Firewall instance. |
| | auto | Configures Automatic mode. See Allocation of Processing CPU Cores. |
| | ignore | No specified affinity. This is useful to exclude an interface from the "default" configuration. |
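
A pre-apply check for the line format described above, as an added example that is not Check Point code and not part of the original page. The function names, the handling of '#' comments, several core IDs on one line, duplicate detection, and the rule that "default" is valid only with type i are assumptions.

```shell
# Added example (not Check Point code): lint fwaffinity.conf-style lines.
# Assumptions: '#' comments and blank lines are skipped, a line may list several
# numeric core IDs, one entry per <Type>/<ID> pair, "default" only with type i.

# lint_fwaffinity FILE [NCPU]   (FILE "-" reads stdin; NCPU 0 skips the range check)
# Prints "line N: problem" per finding; returns 1 if anything was found.
lint_fwaffinity() {
    awk -v ncpu="${2:-0}" '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
    /^[ \t]*(#|$)/ { next }
    {
        type = $1; id = $2
        if (NF < 3)            { bad("expected <Type> <ID> <CPU_ID>"); next }
        if (type !~ /^[ink]$/) { bad("unknown type \"" type "\""); next }
        if (id == "default" && type != "i")
            bad("\"default\" applies to interfaces (type i) only")
        if (type == "k" && id !~ /^[0-9]+$/)
            bad("CoreXL Firewall instance ID must be a number")
        if (seen[type, id]++)
            bad("duplicate entry for " type " " id)
        if ($3 ~ /^(all|auto|ignore)$/) {      # keyword form: exactly one value
            if (NF > 3) bad("\"" $3 "\" cannot be combined with other values")
            next
        }
        for (f = 3; f <= NF; f++) {            # numeric form: one or more cores
            if ($f !~ /^[0-9]+$/)
                bad("invalid CPU_ID \"" $f "\"")
            else if (ncpu > 0 && $f + 0 >= ncpu)
                bad("CPU core " $f " does not exist (cores: 0-" (ncpu - 1) ")")
        }
    }
    END { exit (errors > 0) }
    ' "${1:--}"
}

# Constructed sample input (not from a real gateway).
sample_conf() {
    cat <<'EOF'
# constructed sample
i eth0 auto
i default 1
n fwd 0 1
k 0 3
k 1 4
x eth2 1
i eth0 all
n default 0
EOF
}
```

Run it against an edited copy of the file, with the gateway's CPU core count as the second argument, before rebooting or executing $FWDIR/scripts/fwaffinity_apply.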

Notes:

The $FWDIR/scripts/fwaffinity_apply Script

Syntax

Parameters

| Parameter | Description |
|---|---|
| -q | Quiet mode - prints only error messages (standard output goes to /dev/null). |
| -t i, -t n, -t k | Applies affinity only for the specified type: -t i for interfaces, -t n for Check Point daemons, -t k for CoreXL Firewall instances. |