CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 13 of 13

Thread: 5900 and SMT Or Assign particular core to Particular interface

  1. #1

    5900 and SMT Or Assign particular core to Particular interface

    Hi there,

    I just switched to 5900 appliances with 32 GB RAM, and it has 16 cores. Though I guess only one core is assigned to the network, which is fw_worker_0. Since my network DMZ is carrying huge traffic, I wanted to assign one more core to that interface; or is it advisable to start SMT functionality?

    Please advise

    Thanks and Regards,
    Blason R

  2. #2

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by blason
    Hi there,

    I just switched to 5900 appliances with 32 GB RAM, and it has 16 cores. Though I guess only one core is assigned to the network, which is fw_worker_0. Since my network DMZ is carrying huge traffic, I wanted to assign one more core to that interface; or is it advisable to start SMT functionality?

    Please advise

    Thanks and Regards,
    Blason R
    A 5900 has eight physical cores that will increase to 16 logical cores when SMT is enabled.

    Without SMT, there will be two cores assigned to SND/IRQ functions and six Firewall Worker cores. The SND/IRQ cores handle fully-accelerated traffic in the SXL path, empty interface ring buffers, and keep the six Firewall Worker cores load-balanced if the Dynamic Dispatcher is enabled. The Firewall Workers handle non-accelerated PXL/F2F traffic. Since you are using R77.30, I'd strongly advise enabling the Dynamic Dispatcher, which is about as close to a no-brainer as it gets, assuming you have the latest GA jumbo hotfix loaded for R77.30.

    If you have LAN-speed traffic traversing the firewall, which types of cores to increase will highly depend on whether the traffic is accelerated or not (SXL path). Enabling SMT tends to help the most when the majority of the traffic is handled in PXL or F2F (use fwaccel stats -s to check this). Bottom line is I'd go with the default 2/6 split w/ no SMT and see what happens.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Great and thanks for quick and very useful feedback.

  4. #4

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by ShadowPeak.com
    A 5900 has eight physical cores that will increase to 16 logical cores when SMT is enabled.

    Without SMT, there will be two cores assigned to SND/IRQ functions and six Firewall Worker cores. The SND/IRQ cores handle fully-accelerated traffic in the SXL path, empty interface ring buffers, and keep the six Firewall Worker cores load-balanced if the Dynamic Dispatcher is enabled. The Firewall Workers handle non-accelerated PXL/F2F traffic. Since you are using R77.30, I'd strongly advise enabling the Dynamic Dispatcher, which is about as close to a no-brainer as it gets, assuming you have the latest GA jumbo hotfix loaded for R77.30.

    If you have LAN-speed traffic traversing the firewall, which types of cores to increase will highly depend on whether the traffic is accelerated or not (SXL path). Enabling SMT tends to help the most when the majority of the traffic is handled in PXL or F2F (use fwaccel stats -s to check this). Bottom line is I'd go with the default 2/6 split w/ no SMT and see what happens.
    I am seeing 16 CPUs in cpview; does that mean it has SMT enabled?

  5. #5

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by blason
    I am seeing 16 CPUs in cpview; does that mean it has SMT enabled?
    This is what I don't understand. If I buy an open server and install Check Point on it, SMT has to be disabled, but it is enabled on Check Point appliances. After all, Check Point appliances are nothing more than open servers running an Intel chipset.

    What an irony.

  6. #6

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Pertaining to my earlier thread: since I have 8 physical cores, 2 of which are assigned to SND, I am seeing the below on the firewall.

    Is this normal? I guess it should have shown NICs on CPU 1 as well?

    CPU 0: eth1 (irq 146) eth5 (irq 170) eth2 (irq 194) eth6 (irq 218) eth3 (irq 234) eth7 (irq 67) eth4 (irq 83) Sync (irq 115) Mgmt (irq 131)
    CPU 1:
    CPU 2: fw_5
    CPU 3: fw_4
    CPU 4: fw_3
    CPU 5: fw_2
    CPU 6: fw_1
    CPU 7: fw_0
    All: mpdaemon usrchkd rtmd in.geod fwd lpd in.acapd rad pepd vpnd fwpushd in.msd pdpd cprid cpd

  7. #7

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by blason
    Pertaining to my earlier thread: since I have 8 physical cores, 2 of which are assigned to SND, I am seeing the below on the firewall.

    Is this normal? I guess it should have shown NICs on CPU 1 as well?

    CPU 0: eth1 (irq 146) eth5 (irq 170) eth2 (irq 194) eth6 (irq 218) eth3 (irq 234) eth7 (irq 67) eth4 (irq 83) Sync (irq 115) Mgmt (irq 131)
    CPU 1:
    CPU 2: fw_5
    CPU 3: fw_4
    CPU 4: fw_3
    CPU 5: fw_2
    CPU 6: fw_1
    CPU 7: fw_0
    All: mpdaemon usrchkd rtmd in.geod fwd lpd in.acapd rad pepd vpnd fwpushd in.msd pdpd cprid cpd
    CPUs 0 and 1 are SND/IRQ cores, CPUs 2-7 are Firewall Worker cores.

    You aren't seeing any interfaces being handled by CPU 1 for one of the following reasons:

    1) SecureXL is off (fwaccel stat) and therefore automatic interface affinity is off too

    2) There is insufficient traffic passing through the firewall to trigger reassignment of interfaces to CPU 1 by automatic interface affinity, or the firewall shown here is the standby member in a cluster.
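An added check for the picture in post #6 and the explanation in post #7 (example code written for this edit, not code from the thread or from Check Point): it parses the per-CPU affinity listing in the layout shown above (the format printed by fw ctl affinity -l -r on a Gaia gateway), splits CPUs into SND/IRQ cores and Firewall Worker cores by whether an fw_N worker is pinned there, and flags the case where every interface IRQ is served by one SND core while another SND core sits idle. The sample input is constructed from the lines in post #6.

```python
"""Check how interface IRQs and firewall workers are spread across CPUs.

Added example, not from the CPUG thread or from Check Point. Input is the
per-CPU affinity listing as shown in post #6 of the thread.
"""
import re

# Constructed sample, copied from the layout in post #6 of the thread.
SAMPLE_AFFINITY = """\
CPU 0: eth1 (irq 146) eth5 (irq 170) eth2 (irq 194) eth6 (irq 218) eth3 (irq 234) eth7 (irq 67) eth4 (irq 83) Sync (irq 115) Mgmt (irq 131)
CPU 1:
CPU 2: fw_5
CPU 3: fw_4
CPU 4: fw_3
CPU 5: fw_2
CPU 6: fw_1
CPU 7: fw_0
All: mpdaemon usrchkd rtmd in.geod fwd lpd in.acapd rad pepd vpnd fwpushd in.msd pdpd cprid cpd
"""

CPU_LINE = re.compile(r"^CPU (\d+):\s*(.*)$")
IFACE = re.compile(r"(\S+) \(irq (\d+)\)")      # "eth1 (irq 146)"
WORKER = re.compile(r"\bfw_(\d+)\b")            # "fw_5" = Firewall Worker instance 5


def parse_affinity(text):
    """Return {cpu: {"interfaces": [names], "workers": [instance numbers]}}."""
    cpus = {}
    for line in text.splitlines():
        m = CPU_LINE.match(line)
        if not m:
            continue  # the "All:" line lists daemons not pinned to any CPU
        cpu, rest = int(m.group(1)), m.group(2)
        cpus[cpu] = {
            "interfaces": [name for name, _irq in IFACE.findall(rest)],
            "workers": [int(n) for n in WORKER.findall(rest)],
        }
    return cpus


def classify(cpus):
    """Split CPUs into SND/IRQ cores (no fw worker pinned) and Firewall Worker cores."""
    snd = sorted(c for c, d in cpus.items() if not d["workers"])
    workers = sorted(c for c, d in cpus.items() if d["workers"])
    return snd, workers


def interface_spread(cpus):
    """Number of interface IRQs served by each SND/IRQ core."""
    snd, _ = classify(cpus)
    return {c: len(cpus[c]["interfaces"]) for c in snd}


def all_on_one_snd_core(cpus):
    """True when one SND core serves every interface IRQ and another SND core
    serves none: the state in post #6, where automatic interface affinity has
    not (yet) moved any interface onto CPU 1."""
    spread = interface_spread(cpus)
    busy = [c for c, n in spread.items() if n > 0]
    return len(spread) > 1 and len(busy) == 1


if __name__ == "__main__":
    parsed = parse_affinity(SAMPLE_AFFINITY)
    snd, fw = classify(parsed)
    print("SND/IRQ cores:", snd, "Firewall Worker cores:", fw)
    print("interface IRQs per SND core:", interface_spread(parsed))
    if all_on_one_snd_core(parsed):
        print("all interfaces on one SND core: check fwaccel stat and traffic level")
```

When the check fires, the two explanations given in post #7 are the ones to rule out first: SecureXL being off (which disables automatic interface affinity) or too little traffic, or a standby cluster member, for rebalancing to have kicked in.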

  8. #8

    Re: 5900 and SMT Or Assign particular core to Particular interface

    1) SecureXL is off (fwaccel stat) and therefore automatic interface affinity is off too
    Nah, SecureXL is ON and running, but most of the packets I am seeing are in F2F. I also have DROP templates enabled.

    **********
    Accelerator Status : on
    Accept Templates : disabled by Firewall
    disabled from rule #99 --> I have rules up to #97 [I guess rule #99 is the Mobile Access rule]
    Drop Templates : enabled
    NAT Templates : disabled by user
    **********
    Accelerated conns/Total conns : 140/13308 (1%)
    Accelerated pkts/Total pkts : 3765180/65194467 (5%)
    F2Fed pkts/Total pkts : 57056450/65194467 (87%) ==> I am not sure though why traffic is passing through F2F
    PXL pkts/Total pkts : 4372837/65194467 (6%)
    QXL pkts/Total pkts : 0/65194467 (0%)

    *****************
    F2F packets:
    --------------
    Violation               Packets      Violation               Packets
    ----------------------  -----------  ----------------------  -----------
    pkt is a fragment       208          pkt has IP options      21
    ICMP miss conn          19972        TCP-SYN miss conn       178522
    TCP-other miss conn     430793       UDP miss conn           212902
    other miss conn         1            VPN returned F2F        678
    ICMP conn is F2Fed      25719        TCP conn is F2Fed       65554173
    UDP conn is F2Fed       94796        other conn is F2Fed     0
    uni-directional viol    0            possible spoof viol     0
    TCP state viol          40683        out if not def/accl     382
    bridge, src=dst         0            routing decision err    0
    sanity checks failed    0            temp conn expired       26
    fwd to non-pivot        0            broadcast/multicast     0
    cluster message         0            partial conn            19036
    PXL returned F2F        8597         cluster forward         0
    chain forwarding        1            general reason          6

    2) There is insufficient traffic passing through the firewall to trigger reassignment of interfaces to CPU 1 by automatic interface affinity, or the firewall shown here is the standby member in a cluster.
    This is the live or active firewall for sure. How can I confirm that there is insufficient traffic?

    I have latest HFA loaded as well.

  9. #9

    Re: 5900 and SMT Or Assign particular core to Particular interface

    OK, does that mean that since my CPU utilization is not hitting 75%, DD is not being fully utilized?

    But again, I am unsure why most of my traffic is passing in F2F.

    Well, after debugging a little further, I noticed that most of the traffic which is traversing the F2F path is HTTPS and has a Service defined as Any. I read in an SK that even in these conditions, where the Service is Any, a template cannot be created.
    Last edited by blason; 2018-07-16 at 23:53.

  10. #10

    Re: 5900 and SMT Or Assign particular core to Particular interface

    To help determine the reason for high F2F, please provide the output of the enabled_blades command run on the firewall.

    Not sure what the sufficient traffic threshold is for automatic interface affinity to start rebalancing; please provide the output of "netstat -ni".

    Traffic going F2F (throughput acceleration) has nothing to do with templating (session rate acceleration) even though they are both parts of SecureXL.
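An added example for the fwaccel output pasted in post #8 and the point made in post #10 that F2F (throughput acceleration) and templating (session-rate acceleration) are separate things. This is example code written for this edit, not code from the thread or from Check Point: it parses the fwaccel stats -s summary and the F2F reason table, computes the per-path packet share the way the tool prints it (truncated to whole percent), and lists template status next to the top F2F reasons so the two can be compared. Both sample inputs are constructed from the figures in post #8, with the poster's inline annotations removed.

```python
"""Summarise SecureXL path usage from fwaccel stats output.

Added example, not code from the thread or from Check Point. Input is the
summary printed by `fwaccel stats -s` and the F2F reason table from
`fwaccel stats`, in the layout blason pasted in post #8.
"""
import re

# Constructed sample: figures copied from post #8, poster annotations removed.
SAMPLE_STATS = """\
Accelerator Status : on
Accept Templates : disabled by Firewall
Drop Templates : enabled
NAT Templates : disabled by user
Accelerated pkts/Total pkts : 3765180/65194467 (5%)
F2Fed pkts/Total pkts : 57056450/65194467 (87%)
PXL pkts/Total pkts : 4372837/65194467 (6%)
QXL pkts/Total pkts : 0/65194467 (0%)
"""

# Constructed sample: the two-column F2F reason table from post #8.
SAMPLE_F2F = """\
F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt is a fragment 208 pkt has IP options 21
ICMP miss conn 19972 TCP-SYN miss conn 178522
TCP-other miss conn 430793 UDP miss conn 212902
other miss conn 1 VPN returned F2F 678
ICMP conn is F2Fed 25719 TCP conn is F2Fed 65554173
UDP conn is F2Fed 94796 other conn is F2Fed 0
uni-directional viol 0 possible spoof viol 0
TCP state viol 40683 out if not def/accl 382
bridge, src=dst 0 routing decision err 0
sanity checks failed 0 temp conn expired 26
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 partial conn 19036
PXL returned F2F 8597 cluster forward 0
chain forwarding 1 general reason 6
"""

PATH_LINE = re.compile(r"^(\w+) pkts/Total pkts\s*:\s*(\d+)/(\d+)")
TEMPLATE_LINE = re.compile(r"^(\w+) Templates\s*:\s*(.+)$")
PATH_NAMES = {"Accelerated": "SXL", "F2Fed": "F2F"}  # short names for the paths


def parse_paths(text):
    """Return ({path: packets}, total packets) from the -s summary lines."""
    paths, total = {}, 0
    for line in text.splitlines():
        m = PATH_LINE.match(line)
        if m:
            paths[PATH_NAMES.get(m.group(1), m.group(1))] = int(m.group(2))
            total = int(m.group(3))
    return paths, total


def parse_templates(text):
    """Return {template kind: status text}, e.g. {"Drop": "enabled"}."""
    found = {}
    for line in text.splitlines():
        m = TEMPLATE_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def path_shares(paths, total):
    """Whole-percent share per path, truncated the way fwaccel prints it."""
    return {p: 100 * n // total for p, n in paths.items()} if total else {}


def parse_f2f_reasons(text):
    """Walk the two-column table token by token: words accumulate into a reason
    name until an all-digit token closes it as that reason's packet count."""
    reasons, words, in_rows = {}, [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_rows, words = True, []  # data rows start after the last dashed underline
            continue
        if not in_rows:
            continue
        for tok in line.split():
            if tok.isdigit():           # names like "VPN returned F2F" are never all digits
                reasons[" ".join(words)] = int(tok)
                words = []
            else:
                words.append(tok)
    return reasons


def top_f2f_reasons(reasons, n=3):
    """The n reasons with the highest packet counts, largest first."""
    return sorted(reasons.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    paths, total = parse_paths(SAMPLE_STATS)
    print("templates:", parse_templates(SAMPLE_STATS))
    print("path share:", path_shares(paths, total), "dominant:", max(paths, key=paths.get))
    for reason, count in top_f2f_reasons(parse_f2f_reasons(SAMPLE_F2F)):
        print(f"{count:>10}  {reason}")
```

On the sample, the path share reproduces the 5/87/6/0 split from post #8 and the largest F2F reason by far is "TCP conn is F2Fed", i.e. established TCP connections that SecureXL has decided to hand to the Firewall Workers; the template lines say nothing about that decision, which is the distinction made in post #10.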

  11. #11

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by ShadowPeak.com
    To help determine the reason for high F2F, please provide the output of the enabled_blades command run on the firewall.

    Not sure what the sufficient traffic threshold is for automatic interface affinity to start rebalancing; please provide the output of "netstat -ni".

    Traffic going F2F (throughput acceleration) has nothing to do with templating (session rate acceleration) even though they are both parts of SecureXL.
    Well, I did complete debugging, and just FYI, enabled_blades are NGTP except Anti-Spam. I even talked to TAC, who confirmed that packets traversing in F2F is due to ISP Redundancy load balancing, as packets are again sent to the F2F path per SK104679.

    Though I do not have NAT Templates enabled, I have Accept and DROP enabled. Do you think that would resolve the issue?

  12. #12

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Quote Originally Posted by blason
    Well, I did complete debugging, and just FYI, enabled_blades are NGTP except Anti-Spam. I even talked to TAC, who confirmed that packets traversing in F2F is due to ISP Redundancy load balancing, as packets are again sent to the F2F path per SK104679.

    Though I do not have NAT Templates enabled, I have Accept and DROP enabled. Do you think that would resolve the issue?
    No, load-balanced ISP Redundancy traffic will always go F2F. This was actually mentioned in my book and there is no workaround. If you configure ISP Redundancy for Primary/Backup instead, traffic can potentially be accelerated if you are current with Jumbo HFAs.

  13. #13

    Re: 5900 and SMT Or Assign particular core to Particular interface

    Yes, thanks for the help and really appreciate that.
