Deciding Whether to Enable the Multi-Queue

This section helps you decide if you can benefit from the Multi-Queue An acceleration feature on Security Gateway that configures more than one traffic queue for each network interface. Multi-Queue assigns more than one receive packet queue (RX Queue) and more than one transmit packet queue (TX Queue) to an interface. Multi-Queue is applicable only if SecureXL is enabled (this is the default). Acronym: MQ..

1. Make sure that network interfaces support the Multi-Queue

   Only network cards that use these drivers can support the Multi-Queue.

   See Multi-Queue Requirements and Limitations.

   Important - Before you upgrade these drivers, make sure that the latest version supports the Multi-Queue.

   Notes: To view, which driver an interface uses, run this command in the Expert mode: On the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. (each Cluster Member Security Gateway that is part of a cluster.), run: ethtool -i <Name of Interface> On the Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected., run: g_ethtool -i <Name of Interface> When you install a new interface, you must run these two commands in the Expert mode: On the Security Gateway (each Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member), run: mq_mng --reconf reboot On the Scalable Platform Security Group, run: g_all mq_mng --reconf g_reboot -a

2. Make sure that SecureXL is enabled

   Step	Instructions
   1	Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.
   2	Log in to the Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., or the Expert mode. Note - On Scalable Platforms, you must run the applicable commands in Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators and for Security Gateway Modules on Scalable Chassis. Commands you run in this shell apply to all Security Gateway Module / Security Appliances in the Security Group. or the Expert mode of the applicable Security Group.
   3	Get the SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. state (see fwaccel stat): On a Security Gateway (each Cluster Member), run in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish or the Expert mode: fwaccel stat On a Scalable Platform Security Group, run in Gaia gClish: fwaccel stat On a Scalable Platform Security Group, run in the Expert mode: g_fwaccel stat
   4	Examine the Status column. Example from a non-VSX Gateway [Expert@MyGW:0]# fwaccel stat +---------------------------------------------------------------------------------+ |Id|Name |Status |Interfaces |Features | +---------------------------------------------------------------------------------+ |0 |KPPAK |enabled |eth0,eth1 |Acceleration,Cryptography | | | | | | | | | | | |Crypto: Tunnel,UDPEncap,MD5, | | | | | |SHA1,3DES,DES,AES-128,AES-256,| | | | | |ESP,LinkSelection,DynamicVPN, | | | | | |NatTraversal,AES-XCBC,SHA256, | | | | | |SHA384,SHA512 | +---------------------------------------------------------------------------------+   Accept Templates : enabled Drop Templates : disabled NAT Templates : enabled LightSpeed Accel : disabled [Expert@MyGW:0]#
   5	If the SecureXL is disabled, enable it (see fwaccel on): On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode: fwaccel on On a Scalable Platform Security Group, run in Gaia gClish: fwaccel on On a Scalable Platform Security Group, run in the Expert mode: g_fwaccel on

3. Examine the CPU roles allocation

   Step	Instructions
   1	Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.
   2	Log in to the Gaia Clish, or the Expert mode. Note - On Scalable Platforms, you must run the applicable commands in Gaia gClish or the Expert mode of the applicable Security Group.
   3	Get the list of CPU roles (see fw ctl affinity): On a Security Gateway (each Cluster Member), run in Gaia Clish or the Expert mode: fw ctl affinity -l [-a] [-v] [-r] On a Scalable Platform Security Group, run in Gaia gClish: fw ctl affinity -l [-a] [-v] [-r] On a Scalable Platform Security Group, run in the Expert mode: g_fw ctl affinity -l [-a] [-v] [-r] Example CPU0 and CPU1 run the CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. SND instances: [Expert@GW:0]# fw ctl affinity -l Mgmt: CPU 0 eth1-04: CPU 1 eth1-05: CPU 0 eth1-06: CPU 1 eth1-07: CPU 0 fw_0: CPU 5 fw_1: CPU 4 fw_2: CPU 3 fw_3: CPU 2 [Expert@GW:0]#

4. Examine the CPU cores utilization

   Step	Instructions
   1	Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.
   2	Log in to the Gaia Clish, or the Expert mode. Note - On Scalable Platforms, you must run the applicable commands in Gaia gClish or the Expert mode of the applicable Security Group.
   3	Get the utilization of CPU cores: On a Security Gateway (each Cluster Member), run in the Expert mode: top On a Scalable Platform Security Group, run in the Gaia Clish: top On a Scalable Platform Security Group, run in the Expert mode: g_top
   4	Press 1 to show all the CPU cores. Example CPU cores that run CoreXL SND instances (CPU0 and CPU1) are approximately 30% idle. CPU cores that run CoreXL Firewall instances are approximately 70% idle. top - 18:02:33 up 8 days, 1:18, 1 user, load average: 1.22, 1.38, 1.48 Tasks: 137 total, 3 running, 134 sleeping, 0 stopped, 0 zombie Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 28.7%id, 5.9%wa, 0.0%hi, 63.4%si, 0.0%st Cpu1 : 0.0%us, 1.0%sy, 0.0%ni, 27.6%id, 0.0%wa, 0.0%hi, 71.4%si, 0.0%st Cpu2 : 2.0%us, 2.0%sy, 0.0%ni, 66.5%id, 0.0%wa, 4.0%hi, 25.5%si, 0.0%st Cpu3 : 1.0%us, 2.0%sy, 0.0%ni, 71.3%id, 0.0%wa, 0.0%hi, 25.7%si, 0.0%st Cpu4 : 5.0%us, 1.0%sy, 0.0%ni, 69.0%id, 0.0%wa, 0.0%hi, 25.0%si, 0.0%st Mem: 12224020k total, 70005820k used, 5218200k free, 273536k buffers Swap: 14707496k total, 0k used, 14707496k free, 484340k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 3301 root 15 0 0 O 0 R 31 0.0 747:04 [fw_worker_3] 3326 root 15 0 0 O 0 R 29 0.0 593:35 [fw_worker_0] ... ... ...

5. Decide if you can allocate more CPU cores to run the CoreXL SND instances

   To decide if you can allocate more CPU cores to run the CoreXL SND instances

   If you have more active network interfaces than the CPU cores that run CoreXL SND instances, you can allocate more CPU cores to run more CoreXL SND instances.

   We recommend to configure the Multi-Queue when:

   1. CoreXL SND instances cause high CPU load (idle is less than 20%).

   2. CoreXL Firewall instances cause low CPU load (idle is greater than 50%).

   Note - You cannot assign more CPU cores to run CoreXL SND instances if you change interface IRQ affinity A state of binding an IRQ to one or more CPU cores..