Allocating Additional CPU Cores to the CoreXL SND

The default configuration of CoreXL Firewall instances and the CoreXL SND instances might not be optimal for your needs.

If the default number of CoreXL SND instances is not enough to process the incoming traffic, and your Security Gateway has enough CPU cores, you can decrease the number of CoreXL Firewall instances. This automatically allocates additional CPU cores to run the CoreXL SND instances.

This scenario is likely to occur if much of the traffic is accelerated by SecureXL. In this case, the task load of the CoreXL SND instances may be disproportionate to that of the CoreXL Firewall instances.

To check if the SND is slowing down the traffic:

1. Identify the processing CPU core, to which the interfaces direct their traffic.

2. Under heavy traffic conditions, run the top command.

   Examine the values for the different CPU cores in the idle column.

     • On a Security Appliance, run in the Expert mode:

       top

     • On a Scalable Platform Security Group, run in the Expert mode:

       g_top

Best Practice - We recommend allocating an additional CPU core to the CoreXL SND only if all these conditions are met:

  • There are at least 8 processing CPU cores.

  • In the output of the top command, the idle values for the CPU cores that run the CoreXL SND instances are in the 0%-5% range.

  • In the output of the top command, the sum of the idle values for the CPU cores that run the CoreXL Firewall instances is significantly higher than 100%.

If at least one of the above conditions is not met, the default CoreXL configuration is sufficient.
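
The Best Practice checklist above, as an added shell example (not Check Point code): snd_check reads per-CPU lines saved from top output and reports whether all three conditions hold. The SND core list passed in, the default margin of 150 standing in for "significantly higher than 100%", and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): applies the three Best Practice
# conditions to per-CPU lines saved from top (the view shown after pressing 1).
# Assumptions: the operator supplies the SND core IDs found in step 1, and
# MARGIN is a site-chosen reading of "significantly higher than 100%".
# Usage: snd_check SND_CORES [MARGIN] < saved_top_output
# Prints one verdict line; exit status is 0 only when all three conditions hold.
snd_check() {
    awk -v snd="$1" -v margin="${2:-150}" '
    BEGIN { n = split(snd, ids, ","); for (i = 1; i <= n; i++) is_snd[ids[i]] = 1; all_low = 1 }
    # Per-CPU lines: "Cpu3 : ... 97.0%id, ..." or "%Cpu3 : ... 97.0 id, ..."
    /^%?Cpu[0-9]+/ {
        match($0, /Cpu[0-9]+/)
        core = substr($0, RSTART + 3, RLENGTH - 3)
        if (!match($0, /[0-9.]+[% ]*id/)) next
        idle = substr($0, RSTART, RLENGTH) + 0      # "97.0%id" converts to 97
        cores++
        if (core in is_snd) { seen++; if (idle > 5) all_low = 0 }
        else fw_idle += idle                        # every other core counts as Firewall
    }
    END {
        c1 = (cores >= 8)                           # at least 8 processing CPU cores
        c2 = (n > 0 && seen == n && all_low)        # every SND core idle in 0%-5%
        c3 = (fw_idle > margin)                     # Firewall idle sum well above 100%
        ok = (c1 && c2 && c3)
        printf "%s cores=%d snd_saturated=%d fw_idle_sum=%.1f\n", (ok ? "ALLOCATE" : "KEEP_DEFAULT"), cores, c2, fw_idle
        exit (ok ? 0 : 1)
    }'
}

# Constructed sample: 8 cores, SND on cores 0-1, Firewall instances on cores 2-7.
sample_top() {
    cat <<'EOF'
top - 10:15:01 up 12 days,  3:02,  1 user,  load average: 2.10, 1.95, 1.80
Cpu0  :  0.0%us,  3.0%sy,  0.0%ni,  2.0%id,  0.0%wa,  5.0%hi, 90.0%si,  0.0%st
Cpu1  :  0.0%us,  4.0%sy,  0.0%ni,  3.0%id,  0.0%wa,  5.0%hi, 88.0%si,  0.0%st
Cpu2  :  5.0%us, 35.0%sy,  0.0%ni, 60.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu3  :  5.0%us, 40.0%sy,  0.0%ni, 55.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu4  :  5.0%us, 25.0%sy,  0.0%ni, 70.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu5  :  5.0%us, 30.0%sy,  0.0%ni, 65.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu6  :  5.0%us, 37.0%sy,  0.0%ni, 58.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu7  :  5.0%us, 33.0%sy,  0.0%ni, 62.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
EOF
}

sample_top | snd_check "0,1"   # prints: ALLOCATE cores=8 snd_saturated=1 fw_idle_sum=370.0
```

A single top snapshot is one sample; take the reading under sustained heavy traffic, as step 2 says, before acting on the verdict.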

To allocate an additional processing CPU core to the CoreXL SND:

1. Decrease the number of CoreXL Firewall instances in the cpconfig menu.

   See Configuring IPv4 and IPv6 CoreXL Firewall instances.

2. Configure interface affinities to the remaining CPU cores.

   See Configuring Affinities for Interfaces.

3. Reboot to apply the new configuration.