Dynamic Balancing of CoreXL Instances

Introduction

On Check Point Appliances, R80.40 added the ability to change the number of CoreXLClosed Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall and SND instances without reboot (Dynamic Balancing).

Important:

  • By default, this feature is enabled.

  • We do not recommend manual configuration of CoreXL Firewall and SND instances, because such configuration disables the CoreXL Dynamic Balancing.

    To enable the CoreXL Dynamic Balancing again, you must disable it and enable it.

  • For CoreXL Dynamic Balancing requirements, see sk164155.

When CoreXL Dynamic Balancing is enabled, Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. monitors the average CPU utilization of CoreXL Firewall and SND instances and automatically increases or decreases the number of CoreXL Firewall instances.

The Dynamic Balancing Daemon (dsd) has three stages in each iteration:

  1. Examine the current CPU utilization.

  2. Decide if and what changes to make based on the current CPU utilization.

  3. If needed, change the current CoreXL configuration in one of these ways:

    • Add a CoreXL Firewall instance.

      This change is possible only under these conditions:

      1. Average difference in CPU utilization between CoreXL Firewall and SND instances is greater than 10%.

      2. The current number of CoreXL Firewall instances is less than it was during the boot.

    • Add a CoreXL SND instance.

      This change stops a CoreXL Firewall instance and moves it to another CPU core.

      This change is possible only under these conditions:

      1. Average difference in CPU utilization between CoreXL Firewall and SND instances is greater than 10%.

      2. CoreXL Firewall instances consume the CPU cores at less than 40%.

      3. There is an available CPU core.

Syntax

Important:

Important:

  • After you enable this feature for the first time, the Security Gateway may require a reboot in these cases:

    • The current CoreXL configuration is not the default

    • More CoreXL SND instances are required for the current CPU load

  • After the boot, you can stop, start, and restart this feature without a reboot.

This command lets you stop the CoreXL Dynamic Balancing ("freeze" it).

  • In Gaia Clish:

    set dynamic-balancing state stop

  • In the Expert mode:

    dynamic_balancing -o stop

Important:

  • When you stop this feature, the Security Gateway uses the last CoreXL Balancing configuration.

  • This change does not require a reboot.

  • This change survives the reboot.

  • The status of the CoreXL Dynamic Balancing shows as "off".

This command lets you start the CoreXL Dynamic Balancing after it was stopped.

  • In Gaia Clish:

    set dynamic-balancing state start

  • In the Expert mode:

    dynamic_balancing -o start

Important:

  • When you start this feature, the Security Gateway continues to change the CoreXL Balancing configuration automatically based on the CPU utilization.

  • This change does not require a reboot.

  • This change survives the reboot.

This command lets you reset the CoreXL configuration to the default and keep the CoreXL Dynamic Balancing enabled.

This command is equivalent to the "disable" command followed by the "enable" command.

  • In Gaia Clish:

    set dynamic-balancing state reset

  • In the Expert mode:

    dynamic_balancing -r

Important:

  • After this feature restarts, the CoreXL configuration returns to the default (see Default Configuration of CoreXL).

  • This change does not require a reboot.

  • In Gaia Clish:

    set dynamic-balancing state disable

  • In the Expert mode:

    dynamic_balancing -o disable

Important:

  • When you disable this feature, the CoreXL configuration returns to the default (see Default Configuration of CoreXL).

  • After you disable this feature, the Security Gateway requires a reboot.

    The command shows the applicable message.

Monitoring

  • You can monitor the status of the CoreXL Dynamic Balancing with CLI commands:

    • In Gaia Clish:

      show dynamic-balancing state

    • In the Expert mode:

      dynamic_balancing -p

  • You can monitor the status of the CoreXL Dynamic Balancing in the CPView tool:

    1. Connect to the command line on the Security Gateway.

    2. Run:

      cpview

    3. From the top, click:

      SysInfo

    4. Examine this field:

      DS Status

      • On - Means the CoreXL Dynamic Balancing is enabled

      • Off - Means the CoreXL Dynamic Balancing is disabled

  • You can monitor the performance of the CoreXL Dynamic Balancing in the CPView tool:

    1. Connect to the command line on the Security Gateway.

    2. Run:

      cpview

    3. From the top, click:

      CPU > Overview > Host

    4. Examine these sections:

      • Overview - Shows the current number of CoreXL instances and the average CPU utilization

      • CPU - Shows the CPU cores, the CoreXL instance types they run, and the CPU utilization in different categories

  • You can monitor the CoreXL Firewall instances with this command:

    fw ctl multik stat

  • You can monitor the CoreXL AffinityClosed The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores. with this command:

    fw ctl affinity -l -r -a

  • You can examine these log files:

    • When the CoreXL Dynamic Balancing changes the CoreXL configuration, it writes the applicable entries in the $FWDIR/log/dsd.elg file.

    • When the CoreXL Dynamic Balancing starts, it writes the applicable entries in the $FWDIR/log/dynamic_split.elg file.