Configuring Affinities for Interfaces
The association of a specific interface with a specific processing CPU core is called the interface's affinity with that CPU core. This affinity The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. causes the interface's traffic to be directed to that CPU core and the CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. SND to run on that CPU core.
Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. loads (Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. Members load) affinities for interfaces during the boot from the CoreXL configuration file $FWDIR/conf/fwaffinity.conf
. In this configuration file, lines that begin with the letter "i
", define the affinities for interfaces.
Workflow:
Step |
Instructions |
|||
---|---|---|---|---|
1 |
Check which processing CPU cores run the CoreXL Firewall instances and which CPU cores handle the traffic from interfaces:
See fw ctl affinity. |
|||
2 |
Allocate the remaining CPU cores to run the CoreXL SND instances. To do so, configure the affinity of interfaces to the applicable CPU cores. For more information, see Allocation of Processing CPU Cores.
|
Configuring affinities for interfaces explicitly:
Step |
Instructions |
||||
---|---|---|---|---|---|
1 |
Connect to the command line on the Security Gateway (each Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member / Scalable Platform Security Group). |
||||
2 |
Log in to the Expert mode. |
||||
3 |
Configure the affinity of each interface in the See Configuring Affinity Settings. For each interface, there must be a separate line that begins with the letter " Each of these lines must have this syntax:
For example, if it is necessary that the traffic from
|
||||
|
Alternatively, you can choose to configure affinities for interface explicitly for only one processing CPU core, and define other CPU cores as the default affinity of the remaining interfaces.
For example, if it is necessary that the traffic from
|
||||
4 |
Load the new configuration.
|
|
Best Practice - If you allocate only one CPU core to the CoreXL SND, it is best to have that CPU core selected automatically. To do so, leave the default automatic interface affinity and do not configure explicit affinities for interfaces to CPU cores. Make sure the
Make sure that the |
|
Best Practice - In addition, see Multi-Queue. |