Dynamic Balancing of CoreXL Instances

Introduction

On Check Point Appliances, R80.40 added the ability to change the number of CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall and SND instances without reboot (Dynamic Balancing).

Important:

By default, this feature is enabled.
We do not recommend manual configuration of CoreXL Firewall and SND instances, because such configuration disables the CoreXL Dynamic Balancing.

To enable the CoreXL Dynamic Balancing again, you must disable it and enable it.
For CoreXL Dynamic Balancing requirements, see sk164155.

When CoreXL Dynamic Balancing is enabled, Security Gateways / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members monitor the average CPU utilization of CoreXL Firewall and SND instances and automatically increases or decreases the number of CoreXL Firewall instances.

The Dynamic Balancing Daemon (dsd) has three stages in each iteration:

Examine the current CPU utilization.
Decide if and what changes to make based on the current CPU utilization.
If needed, change the current CoreXL configuration in one of these ways:
- Add a CoreXL Firewall instance.
  
  This change is possible only under these conditions:
  1. Average difference in CPU utilization between CoreXL Firewall and SND instances is greater than 10%.
  2. The current number of CoreXL Firewall instances is less than it was during the boot.
- Add a CoreXL SND instance.
  
  This change stops a CoreXL Firewall instance and moves it to another CPU core.
  
  This change is possible only under these conditions:
  1. Average difference in CPU utilization between CoreXL Firewall and SND instances is greater than 10%.
  2. CoreXL Firewall instances consume the CPU cores at less than 40%.
  3. There is an available CPU core.

Syntax

Important:

There are commands for Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). (Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group.) and for the Expert mode.
In a Cluster, you must configure all the Cluster Members in the same way.

Enabling the feature

This command enables the CoreXL Dynamic Balancing.

Shell

Security Gateway (each Cluster Member)

Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish

set dynamic-balancing state enable

reboot

Gaia gClish

N / A

Expert mode

dynamic_balancing -o enable

reboot

Important:

After you enable this feature for the first time, the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. may require a reboot in these cases:
- The current CoreXL configuration is not the default
- More CoreXL SND instances are required for the current CPU load
After the boot, you can stop, start, and restart this feature without a reboot.

Stopping the feature

This command stops the CoreXL Dynamic Balancing ("freezes" it).

Shell

Security Gateway (each Cluster Member)

Gaia Clish

set dynamic-balancing state stop

Gaia gClish

N / A

Expert mode

dynamic_balancing -o stop

Important:

When you stop this feature, the Security Gateway uses the last CoreXL Balancing configuration.
This change does not require a reboot.
This change survives the reboot.
The status of the CoreXL Dynamic Balancing appears as "off".

Starting the feature

This command starts the CoreXL Dynamic Balancing after it was stopped.

Shell

Security Gateway (each Cluster Member)

Gaia Clish

set dynamic-balancing state start

Gaia gClish

N / A

Expert mode

dynamic_balancing -o start

Important:

When you start this feature, the Security Gateway continues to change the CoreXL Balancing configuration automatically based on the CPU utilization.
This change does not require a reboot.
This change survives the reboot.

Resetting the feature

This command resets the CoreXL configuration to the default and keep the CoreXL Dynamic Balancing enabled.

This command is equivalent to the "disable" command followed by the "enable" command.

Shell

Security Gateway (each Cluster Member)

Gaia Clish

set dynamic-balancing state reset

Gaia gClish

N / A

Expert mode

dynamic_balancing -r

Important:

After this feature restarts, the CoreXL configuration returns to the default (see Default Configuration of CoreXL).
This change does not require a reboot.

Disabling the feature

This command disables the CoreXL Dynamic Balancing.

Shell

Security Gateway (each Cluster Member)

Gaia Clish

set dynamic-balancing state disable

reboot

Gaia gClish

N / A

Expert mode

dynamic_balancing -o disable

reboot

Important:

When you disable this feature, the CoreXL configuration returns to the default (see Default Configuration of CoreXL).
After you disable this feature, the Security Gateway requires a reboot.

The command shows the applicable message.

Monitoring

You can monitor the status of the CoreXL Dynamic Balancing with CLI commands:

Shell

Security Gateway (each Cluster Member)

Gaia Clish

show dynamic-balancing state

Gaia gClish

N / A

Expert mode

dynamic_balancing -p

You can monitor the status of the CoreXL Dynamic Balancing in the CPView tool:

Procedure

Connect to the command line on the Security Gateway.

Run:

cpview

From the top, click:

SysInfo
Examine this field:

DS Status
- On - Means the CoreXL Dynamic Balancing is enabled
- Off - Means the CoreXL Dynamic Balancing is disabled

You can monitor the performance of the CoreXL Dynamic Balancing in the CPView tool:

Procedure

Connect to the command line on the Security Gateway.

Run:

cpview

From the top, click:

CPU > Overview > Host
Examine these sections:
- Overview - Shows the current number of CoreXL instances and the average CPU utilization
- CPU - Shows the CPU cores, the CoreXL instance types they run, and the CPU utilization in different categories

You can monitor the CoreXL Firewall instances with this command:

Shell

Security Gateway (each Cluster Member)

Gaia Clish

fw ctl multik stat

Gaia gClish

N / A

Expert mode

fw ctl multik stat

You can monitor the CoreXL Affinity The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. with this command:

Shell

Security Gateway (each Cluster Member)

Gaia Clish

fw ctl affinity -l -r -a

Gaia gClish

N / A

Expert mode

fw ctl affinity -l -r -a

You can examine these log files:
- When the CoreXL Dynamic Balancing changes the CoreXL configuration, it writes the applicable entries in the $FWDIR/log/dsd.elg file.
- When the CoreXL Dynamic Balancing starts, it writes the applicable
  
  entries in the $FWDIR/log/dynamic_split.elg file.