CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 5 of 5

Thread: 5900 and SMT Or Assign particular core to Particular interface

  1. #1
    Join Date
    2012-06-13
    Posts
    358
    Rep Power
    7

    Default 5900 and SMT Or Assign particular core to Particular interface

    Hi there,

    I just switched to 5900 appliances with 32 GB RAM And it has 16 Cores. Though I guess only one core is assigned to Network which is fw_worker_0. Since my network DMZ is carrying huge traffic; I wanted to assign one more core to that interface or is it advisable to start SMT functionality?

    Please advise

    Thanks and Regards,
    Blason R

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,185
    Rep Power
    13

    Default Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by blason View Post
    Hi there,

    I just switched to 5900 appliances with 32 GB RAM And it has 16 Cores. Though I guess only one core is assigned to Network which is fw_worker_0. Since my network DMZ is carrying huge traffic; I wanted to assign one more core to that interface or is it advisable to start SMT functionality?

    Please advise

    Thanks and Regards,
    Blason R
    A 5900 has eight physical cores that will increase to 16 logical cores when SMT is enabled.

    Without SMT, there will be two cores assigned to SND/IRQ functions and six Firewall Worker cores. The SND/IRQ cores handle fully-accelerated traffic in the SXL path, emptying interface ring buffers, and keeping the six firewall worker cores load-balanced if the Dynamic Dispatcher is enabled. The Firewall Workers handle non-accelerated PXL/F2F traffic. Since you are using R77.30 I'd strongly advise enabling the Dynamic Dispatcher which is about as close to a no-brainer as it gets, assuming you have the latest GA jumbo hotfix loaded for R77.30.

    If you have LAN-speed traffic traversing the firewall, which types of cores to increase will highly depend on whether the traffic is accelerated or not (SXL path). Enabling SMT tends to help the most when the majority of the traffic is handled in PXL or F2F (use fwaccel stats -s to check this). Bottom line is I'd go with the default 2/6 split w/ no SMT and see what happens.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Join Date
    2012-06-13
    Posts
    358
    Rep Power
    7

    Default Re: 5900 and SMT Or Assign particular core to Particular interface

    Great and thanks for quick and very useful feedback.

  4. #4
    Join Date
    2012-06-13
    Posts
    358
    Rep Power
    7

    Default Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by ShadowPeak.com View Post
    A 5900 has eight physical cores that will increase to 16 logical cores when SMT is enabled.

    Without SMT, there will be two cores assigned to SND/IRQ functions and six Firewall Worker cores. The SND/IRQ cores handle fully-accelerated traffic in the SXL path, emptying interface ring buffers, and keeping the six firewall worker cores load-balanced if the Dynamic Dispatcher is enabled. The Firewall Workers handle non-accelerated PXL/F2F traffic. Since you are using R77.30 I'd strongly advise enabling the Dynamic Dispatcher which is about as close to a no-brainer as it gets, assuming you have the latest GA jumbo hotfix loaded for R77.30.

    If you have LAN-speed traffic traversing the firewall, which types of cores to increase will highly depend on whether the traffic is accelerated or not (SXL path). Enabling SMT tends to help the most when the majority of the traffic is handled in PXL or F2F (use fwaccel stats -s to check this). Bottom line is I'd go with the default 2/6 split w/ no SMT and see what happens.
    I am seeing 16 cpu in cpview; does that mean it has SMT enabled?

  5. #5
    Join Date
    2006-09-26
    Posts
    3,134
    Rep Power
    15

    Default Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by blason View Post
    I am seeing 16 cpu in cpview; does that mean it has SMT enabled?
    This is what I don't understand. If I buy an open servers and install Checkpoint on it, SMT has to be disabled but it is enabled on Checkpoint appliances. After all, Checkpoint appliances are nothing more than an open servers running Intel chip set.

    What an irony.

Similar Threads

  1. How many CPU cores 5900 has?
    By blason in forum Firewall Blade
    Replies: 3
    Last Post: 2018-05-11, 09:05
  2. No HA Licensed Appliance > 5900
    By slowfood27 in forum Check Point 2012 Appliances
    Replies: 7
    Last Post: 2017-01-29, 10:26
  3. Replies: 5
    Last Post: 2016-04-21, 13:04
  4. bind failed: Cannot assign requested address
    By geelkabouter in forum Clustering (Security Gateway HA and ClusterXL)
    Replies: 0
    Last Post: 2007-10-03, 03:55
  5. Assign different log path to R61 Windows install
    By anthonws in forum Installing And Upgrading
    Replies: 5
    Last Post: 2007-04-11, 06:20

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •