Allocation of Processing CPU Cores

The CoreXL software architecture includes the Secure Network Distributor (SND).

The SND is responsible for these:

The association of a specific interface with a specific processing CPU core is called the interface's affinity with that CPU core. This affinity causes the interface's traffic to be directed to that CPU core and the CoreXL SND to run on that CPU core.

The association of a specific CoreXL Firewall instance with a specific CPU core is called the CoreXL Firewall instance's affinity with that CPU core.

The association of a specific user space process with a specific CPU core is called the process's affinity with that CPU core.

The default affinity setting for all interfaces is Automatic. Automatic affinity means that if SecureXL is enabled, the affinity of each interface is changed at specific intervals and balanced between the available CPU cores. If SecureXL is disabled, the default affinities of all interfaces are with one available CPU core. In both cases, every processing CPU core that runs a CoreXL Firewall instance, or that is configured as the affinity of a different user space process, is considered unavailable, and the affinity of interfaces is not set to those CPU cores.

In some cases, which we discuss in the sections below, it can be necessary to change the distribution of CoreXL Firewall instances, the CoreXL SND, and other user space processes, between the processing CPU cores. To do so, you change the affinities of different NICs (interfaces) or user space processes. To make sure CoreXL operates at an efficient level, traffic from all interfaces must be directed to CPU cores that do not run CoreXL Firewall instances. Therefore, if you change affinities for interfaces or other user space processes, you must configure the corresponding number of CoreXL Firewall instances. In addition, you must make sure that the CoreXL Firewall instances run on other processing CPU cores.

Usually, we do not recommend that a CoreXL SND and a CoreXL Firewall instance use the same CPU core. It is necessary for the CoreXL SND and a CoreXL Firewall instance to use the same CPU core when the Security Gateway (Scalable Platform Security Group) runs on a platform with only two CPU cores.
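The rule above, that interface traffic must go to CPU cores that do not run CoreXL Firewall instances, can be checked mechanically. The script below is an added example, not Check Point code. Its inventory format (`<kind> <name> <core> ...`), the function names, and the sample data are constructed assumptions; adapt the parsing to the affinity listing of your gateway.

```shell
#!/bin/sh
# Added example. Inventory format is constructed for this sketch:
#   <kind> <name> <core> [<core> ...]   kind: interface | instance | process

# Constructed sample: eth2 is pinned to core 2, which also runs fw_1.
sample_inventory() {
cat <<'EOF'
interface eth0 0
interface eth1 1
interface eth2 2
instance fw_0 3
instance fw_1 2
process fwd 2 3
EOF
}

# Reads an inventory on stdin. Prints one line per CPU core that serves both
# an interface (SND traffic) and a CoreXL Firewall instance; returns 1 if
# any such core exists, 0 otherwise. "process" lines are ignored here.
find_shared_cores() {
    shared=$(awk '
        $1 == "interface" { for (i = 3; i <= NF; i++)
            ifs[$i] = (ifs[$i] == "" ? "" : ifs[$i] ",") $2 }
        $1 == "instance"  { for (i = 3; i <= NF; i++)
            fws[$i] = (fws[$i] == "" ? "" : fws[$i] ",") $2 }
        END { for (c in ifs) if (c in fws)
            printf "core %s: %s shares with %s\n", c, ifs[c], fws[c] }
    ' | sort -k2,2n)
    [ -z "$shared" ] && return 0
    printf '%s\n' "$shared"
    return 1
}

# Demo run on the constructed sample.
sample_inventory | find_shared_cores ||
    echo "interface affinity overlaps a Firewall instance core"
```

On a platform with only two CPU cores the reported overlap is expected, as the last paragraph explains.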