Running the 'fw ctl affinity -s' command in VSX Mode
Description
The "fw ctl affinity -s" command configures the CoreXL affinity settings on a VSNext Security Group / Legacy VSX Gateway for:
- Interfaces
- User-space processes
- CoreXL Firewall instances

Terms used above:
- CoreXL: Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores.
- Affinity: The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.
- Security Group: A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.
- VSX Gateway: Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.
Syntax
- To see the built-in help:
  fw ctl affinity
- To configure the affinities of VSNext Virtual Gateways / Legacy VSX Virtual Systems:
  fw ctl affinity -s -d [-vsid <VSID ranges>] -cpu <CPU ID ranges>
- To configure the affinities of a specified user-space process:
  fw ctl affinity -s -d -pname <Process Name> [-vsid <VSID ranges>] -cpu all
  fw ctl affinity -s -d -pname <Process Name> [-vsid <VSID ranges>] -cpu <CPU ID ranges>
- To configure the affinities of specified FWK daemon instances (user-space Firewall):
  fw ctl affinity -s -d -inst <Instances Ranges> -cpu <CPU ID ranges>
- To configure the affinities of all FWK instances (user-space Firewalls):
  fw ctl affinity -s -d -fwkall <Number of CPUs>
- To reset the affinities to defaults:
  fw ctl affinity -vsx_factory_defaults
  fw ctl affinity -vsx_factory_defaults_no_prompt
Important
- The command saves these configuration changes in the $FWDIR/conf/fwaffinity.conf configuration file.
- When you configure affinity of an interface, it automatically configures the affinities of all other interfaces that share the same IRQ to the same CPU core.
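
Because interfaces that share an IRQ are moved together, it helps to know which ones do before changing an interface's affinity. The following is an added example, not part of Check Point's documentation: it parses text in the standard Linux /proc/interrupts layout and lists each IRQ that serves more than one interface. It assumes interface names of the form ethN (override with the hypothetical IF_RE variable), and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not Check Point code). Reads /proc/interrupts-format text on
# stdin and prints one line per IRQ shared by several interfaces:
#   <irq> <if1> <if2> ...
# Assumption: interface names match IF_RE (default: ethN). Per-queue vectors
# such as eth5-TxRx-0 are folded to their base interface name.
shared_irq_interfaces() {
    awk -v re="${IF_RE:-^eth[0-9]+}" '
    # Only rows that start with a numeric IRQ; skips the CPU header, NMI, LOC...
    $1 ~ /^[0-9]+:$/ {
        irq = $1; sub(/:$/, "", irq)
        n = 0; list = ""; split("", seen)      # reset per-row state
        for (i = 2; i <= NF; i++) {
            dev = $i; gsub(/,/, "", dev)       # shared devices are comma-separated
            if (match(dev, re)) {
                name = substr(dev, RSTART, RLENGTH)
                if (!(name in seen)) { seen[name] = 1; n++; list = list " " name }
            }
        }
        if (n > 1) print irq list              # report only IRQs with 2+ interfaces
    }'
}

# Constructed sample in /proc/interrupts layout (4 CPU cores).
sample_interrupts() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  0:         46          0          0          0   IO-APIC-edge      timer
 16:      91234          0      11802          0   IO-APIC-fasteoi   eth0, eth3
 17:          0      55021          0          0   IO-APIC-fasteoi   eth1
 18:        310          0          0      72644   IO-APIC-fasteoi   ehci_hcd:usb1, eth2, eth4
 64:          0       8123          0          0   PCI-MSI-edge      eth5-TxRx-0
 65:          0          0       7990          0   PCI-MSI-edge      eth5-TxRx-1
NMI:          0          0          0          0   Non-maskable interrupts
EOF
}

# Run against the sample; on a live system use:
#   shared_irq_interfaces < /proc/interrupts
sample_interrupts | shared_irq_interfaces
```

In the sample, affining eth0 would also move eth3, and affining eth2 would also move eth4; eth1 and eth5 have IRQs of their own.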
Parameters

Parameter | Description
---|---
-vsid <VSID ranges> | Configures the affinity for:
-cpu <CPU ID ranges> | Configures the affinity to:
-pname <Process Name> | Configures the affinity for the Check Point daemon specified by its name (for example:
-inst <Instances Ranges> | Configures the affinity for:
-fwkall <Number of CPUs> | Configures the affinity for all running FWK daemon instances to the specified number of CPU cores. If it is necessary to affine all running FWK daemon instances to all CPU cores, enter the number of all available CPU cores.
-vsx_factory_defaults | Deletes all existing affinity settings and creates the default affinity settings during the next reboot.
-vsx_factory_defaults_no_prompt | Deletes all current affinity settings and creates the default affinity settings during the next reboot.

Example 1 - Affine the Virtual Devices #0,1,2,4,7,8 to the CPU cores #0,1,2,4
Example 2 - Affine the process CPD by its name for Virtual Devices #0-12 to the CPU core #7
Example 3 - Affine the FWK daemon instances #0,2,4 to the CPU core #5
Example 4 - Affine all FWK daemon instances to the last two CPU cores
Example 5 - Affine all FWK daemon instances to all CPU cores