Allocation of Processing CPU Cores
The CoreXL
Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. software architecture includes the Secure Network Distributor (SND).
The SND is responsible for these:
-
Processing the incoming traffic from the network interfaces.
-
Accelerating authorized packets (when SecureXL
Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. is enabled). -
Distributing non-accelerated packets between the CoreXL Firewall instances.
The association of a specific interface with a specific processing CPU core is called the interface's affinity with that CPU core. This affinity The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. causes the interface's traffic to be directed to that CPU core and the CoreXL SND to run on that CPU core.
The association of a specific CoreXL Firewall instance with a specific CPU core is called the CoreXL Firewall instance's affinity with that CPU core.
The association of a specific user space process with a specific CPU core is called the process's affinity with that CPU core.
The default affinity setting for all interfaces is Automatic. Automatic affinity means that if SecureXL is enabled, the affinity for each interface is changed at specific intervals and balanced between the available CPU cores. If SecureXL is disabled, the default affinities of all interfaces are with one available CPU core. In both cases, all processing CPU cores that run a CoreXL Firewall instance, or defined as the affinity for a different user space process, is considered unavailable, and the affinity for interfaces is not set to those CPU cores.
In some cases, which we discuss in the sections below, it can be necessary to change the distribution of CoreXL Firewall instances, the CoreXL SND, and other user space processes, between the processing CPU cores. To do so, you change the affinities of different NICs (interfaces) or user space processes. To make sure CoreXL operates at an efficient level, traffic from all interfaces must be directed to CPU cores that do not run CoreXL Firewall instances. Therefore, if you change affinities of interfaces or other user space processes, you must configure the corresponding number of CoreXL Firewall instances. In addition, you must make sure that the CoreXL Firewall instances run on other processing CPU cores.
Usually, we do not recommend for a CoreXL SND and a CoreXL Firewall instance to use the same CPU core. It is necessary for the CoreXL SND and a CoreXL Firewall instance to use a CPU core when Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. runs on a platform with only two CPU cores.