Allocating a CPU Core for Heavy Logging

If the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. generates very large number of logs, it may be advisable to allocate a processing CPU core to the fwd daemon, which generates the logs.

Note - This change decreases the number of CPU cores available for CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall instances.

Important Notes for Cluster:

You must configure the CoreXL in the same way on all the cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. members.
If you enable CoreXL, disable CoreXL, or change the number of CoreXL Firewall instances, you should treat this change as a version upgrade.

Schedule a full maintenance window and follow the instructions in the R81 Installation and Upgrade Guide - Chapter Upgrading ClusterXL Deployments.

Perform either a Minimal Effort Upgrade procedure (requires downtime), or a Zero Downtime Upgrade procedure (no downtime, but active connections are lost). Instead of the version upgrade, configure the CoreXL on each cluster member Security Gateway that is part of a cluster..

To allocate a processing CPU core to the fwd daemon:

See Configuring Affinity Settings.

Step

Instructions

Connect to the command line on Security Gateway (each Cluster Member).

Run:

cpconfig

Enter the number of the Check Point CoreXL option.

Decrease the number of CoreXL Firewall instances.

See Configuring IPv4 and IPv6 CoreXL Firewall instances.

Exit from the cpconfig menu.

Examine which processing CPU cores run the CoreXL Firewall instances and which CPU cores handle the traffic from interfaces:

fw ctl affinity -l -r

See fw ctl affinity.

Back up the $FWDIR/conf/fwaffinity.conf file:

$FWDIR/conf/fwaffinity.conf{,_BKP}

Edit the $FWDIR/conf/fwaffinity.conf file:

vi $FWDIR/conf/fwaffinity.conf

Allocate one of the remaining CPU cores to the fwd daemon.

To do so, configure the affinity The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. of the fwd daemon to that CPU core.

n fwd <CPU ID>

For example, to affine the fwd daemon to CPU core #2, add this line:

n fwd 2

Note - It is important to avoid the CPU cores that run the CoreXL SND instances only if these CPU cores are explicitly defined for the affinities of interfaces. If affinity of interfaces is configured in the Automatic mode, the fwd daemon can use all CPU cores that do not run CoreXL Firewall instances. Traffic from interfaces is automatically diverted to other CPU cores.

Save the changes in the file and exit the editor.

Apply the new configuration:

To apply immediately, run:

$FWDIR/scripts/fwaffinity_apply

To apply later, reboot the Security Gateway (each Cluster Member).