Configuring Affinity Settings

Introduction

The script $FWDIR/scripts/fwaffinity_apply on Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. (Scalable Platform Security Group Members) executes automatically during boot and controls the affinity The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. settings. When you make a change in the affinity settings, the changes do not take effect until you either reboot the Security Gateway (Scalable Platform Security Group), or manually execute the $FWDIR/scripts/fwaffinity_apply script.

The $FWDIR/scripts/fwaffinity_apply script configures the affinity of interfaces based on the settings in the $FWDIR/conf/fwaffinity.conf configuration file. To change these affinity settings, edit that configuration file.

The $FWDIR/conf/fwaffinity.conf Configuration File

The configuration file $FWDIR/conf/fwaffinity.conf controls CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. affinity settings.

Each line in this plain-text file uses the same format:

<Type> <ID> <CPU_ID>

Where:

Field	Allowed Value	Description
<Type>	i	Configures the affinity of an interface.
	n	Configures the affinity of a Check Point daemon.
	k	Configures the affinity of a CoreXL Firewall instance.
<ID>	Name of Interface	If <type> = i.
	Name of Daemon	If <type> = n.
	ID of CoreXL Firewall instance	If <type> = k.
	default	Configures affinities for interfaces that are not specified other lines.
<CPU_ID>	Number (ID) of CPU core	Specifies the ID numbers of processing CPU cores, to which you affine an interface, a Check Point daemon, or a CoreXL Firewall instance.
	all	Specifies all processing CPU cores as available to configure the affinity of an interface, a Check Point daemon, or a CoreXL Firewall instance.
	auto	Configures Automatic mode. See Allocation of Processing CPU Cores.
	ignore	No specified affinity. This is useful to exclude an interface from the "default" configuration.

Notes:

• The default configuration in this file is:

  i default auto

• Possible combinations:

  • To configure the affinity for an interface:

    i <Name of Interface> {<CPU ID Number> | all | ignore | auto} i default {<CPU ID Number> | all | ignore | auto}

  • To configure the affinity of a Check Point daemon:

    n <Name of Daemon> {<CPU ID Number> | all | ignore | auto}

  • To configure the affinity of a CoreXL Firewall instance:

    k <ID of CoreXL Firewall instance> {<CPU ID Number> | all | ignore | auto}

• To view the IRQs of all interfaces, run:

  • On a Security Gateway (each Cluster Member Security Gateway that is part of a cluster.), run in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). or the Expert mode:

    fw ctl affinity -l -v -a

  • On a Scalable Platform Security Group, run in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish:

    fw ctl affinity -l -v -a

  • On a Scalable Platform Security Group, run in the Expert mode:

    g_fw ctl affinity -l -v -a

  See fw ctl affinity.

• Interfaces that share an IRQ cannot have different CPU cores as their affinities.

  This also applies when one interface is included in the default affinity setting.

  You must either configure the same affinity of all interfaces, or use ignore for one of these interfaces.

• On a Scalable Platform Security Group, after you edit the $FWDIR/conf/fwaffinity.conf file, you must copy it to all Security Group Members:

  asg_cp2blades $FWDIR/conf/fwaffinity.conf