Just a quick note about CoreXL

Posted on August 22, 2012

As a CCSE with about 5 years of experience I must admit I have never had any issue with multicores. But for the CCSE exam it must be clear and has to be saved in our minds.
The only required operating system is SecurePlatform, but I am always curious about the other platforms as well. Here I summarize the basics of CoreXL on SecurePlatform, IPSO (ex-Nokia) and GAIA.

1. SecurePlatform

The documentation to read about CoreXL with SecurePlatform (the PDFs can be found on the Check Point page):
“CoreXL Advanced Configuration Guide 2007 Dec 20” – pdf
“CoreXL Administration Guide” – pdf
http://downloads.checkpoint.com/dc/download.htm?ID=14884 – How To Configure and Tune CoreXL on SecurePlatform

The commands used for CoreXL analysis:

[Expert@mygwy10]# fw ctl multik stat
ID | Active  | CPU | Connections | Peak
-------------------------------------------
 0 | Yes     | 3   |           2 |        6
 1 | Yes     | 2   |           4 |        7
 2 | Yes     | 1   |          11 |       14

[Expert@mygwy10]# fw ctl affinity -a -v -l
Interface eth0 (irq 67): CPU 0
Interface eth1 (irq 75): CPU 0
Kernel fw_0: CPU 3
Kernel fw_1: CPU 2
Kernel fw_2: CPU 1
Daemon in.asessiond: CPU all
Daemon in.geod: CPU all
Daemon in.aufpd: CPU all
Daemon fwd: CPU all
Daemon vpnd: CPU all
Daemon dtlsd: CPU all
Daemon mpdaemon: CPU all
Daemon cprid: CPU all
Daemon cpd: CPU all
[Expert@mygwy20]# fw ctl affinity -a -l -v
Interface eth0 (irq 67): CPU 0
Interface eth1 (irq 75): CPU 0
Interface eth2 (irq 83): CPU 0
Interface eth3 (irq 67): CPU 0
Kernel fw_0: CPU 5
Kernel fw_1: CPU 4
Kernel fw_2: CPU 3
Kernel fw_3: CPU 2
Daemon rtmd: CPU all
Daemon in.aufpd: CPU all
Daemon dtlsd: CPU all
Daemon in.asessiond: CPU all
Daemon vpnd: CPU all
Daemon mpdaemon: CPU all
Daemon fwd: CPU all
Daemon in.geod: CPU all
Daemon cpd: CPU all
Daemon cprid: CPU all

The configuration file for fine-tuning CoreXL can be found in $FWDIR/conf:
/var/opt/CPsuite-R75/fw1/conf/fwaffinity.conf
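In the outputs above the interface IRQs sit on CPU 0 while the fw_N instances sit on CPUs 1 to 3, so SND work and firewall instances never share a core. As an added example (my own script, not from this post, the guides or Check Point), here is a small shell snippet that reads the fw ctl affinity -a -v -l output and reports any CPU that is pinned to both an interface IRQ and a fw_N instance. The sample output inside it is constructed to look like the listings above; the awk field positions assume exactly that line layout.

```shell
#!/bin/sh
# Added example (not from the post or from Check Point): parse the output of
# "fw ctl affinity -a -v -l" as printed on SecurePlatform and GAIA, and report
# CPUs that carry both an interface IRQ (SND work) and a CoreXL kernel instance.
# SAMPLE_AFFINITY is constructed for this example; it follows the format shown in
# the post but is not captured from a real gateway.

SAMPLE_AFFINITY='Interface eth0 (irq 67): CPU 0
Interface eth1 (irq 75): CPU 0
Interface eth2 (irq 83): CPU 1
Kernel fw_0: CPU 3
Kernel fw_1: CPU 2
Kernel fw_2: CPU 1
Daemon fwd: CPU all
Daemon cpd: CPU all'

# shared_cpus: reads affinity output on stdin and prints one line per CPU that is
# pinned to at least one interface IRQ and at least one fw_N instance, e.g.
#   CPU 1: eth2 / fw_2
# Lines ending in "CPU all" are ignored because they do not pin to one core.
shared_cpus() {
    awk '
        /^Interface / && $NF != "all" {
            iface[$NF] = iface[$NF] " " $2
        }
        /^Kernel / && $NF != "all" {
            name = $2; sub(/:$/, "", name)        # "fw_0:" -> "fw_0"
            kern[$NF] = kern[$NF] " " name
        }
        END {
            for (cpu in iface)
                if (cpu in kern)
                    printf "CPU %s:%s /%s\n", cpu, iface[cpu], kern[cpu]
        }'
}

# pinned_instances: number of fw_N instances bound to a single CPU.
pinned_instances() {
    awk '/^Kernel / && $NF != "all" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_AFFINITY" | shared_cpus
printf '%s\n' "$SAMPLE_AFFINITY" | pinned_instances
```

On a real gateway you would pipe the live command into it: fw ctl affinity -a -v -l | shared_cpus. An empty result means the interfaces and the instances are on separate cores, as on the two SecurePlatform gateways above; interfaces reported as "CPU all" are skipped, so the GAIA listing further down produces no lines even though its interfaces can land on any core.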

2. IPSO

Unfortunately, IPSO is not famous for its CoreXL documentation (and considering that IPSO is on its way to /dev/null, that will not change…). The only useful information I found is here:
https://www.cpug.org/forums/check-point-ip-appliances-ipso-formerly-sold-nokia/17626-ip1280-performance-issues.html
and just a few SKs on the Check Point page:
sk44824 – How to utilize more than two cores on IP2455 (same as the cpug link, but this one requires a login on the Check Point site; the other one does not.)
sk61701 – CoreXL Known Limitations! (Especially ID 00417888 for the unsupported features and the facts about VPN and CoreXL.)

The “configuration” file for tuning CoreXL can be found in /etc:
/etc/swi_net_affinity.sh
It is worth understanding how IPSO uses multiple cores and assigns them.

As the information in the link is unique on the Internet, I think it is worth copying it here in this post:


1- fw_worker_X represents a firewall kernel instance when CoreXL is enabled, so its functions are related to fw, nat, encrypt/decrypt and others and anything is done about network interface processing
2- net_taskq is the process responsible for processing Network Interfaces
2.1- So, if you want to add more processors to Network Interfaces, you have to verify the /etc/swi_net_affinity.sh script starting at line 92. You’ll be able to see the condition that the system makes to decide how many SND instances will be used, the default is:
MAXCPU=4 (1280)
FW_THR=3 (CoreXL default decision of 3 firewall instances)
TQ_THR=$((MAXCPU - $FW_THR))
If the total number of CPUs unused by CoreXL is greater than 2, define the net:taskq:cnt with the value of 2, else, define the net:taskq:cnt as 1. So, in the example, the value of SND instances is 1 and this explains the only one SND process swi1: net_taskq0.
2.2- Then you just have the net_taskq instance 0
3- So, if you want to set network interface affinity, you should have at least two net_taskq instances (for example swi1: net_taskq0 and swi1: net_taskq1)
4- In this scenario, to change the network interface affinity you have just two possibilities:
4.1- Change the condition in the /etc/swi_net_affinity.sh script. The following actions must be taken:
First: Change the number of CoreXL instances from 3 to 2.
Second: Manually change the /etc/swi_net_affinity.sh and change the condition “if [ $TQ_THR -gt 2 ];” to “if [ $TQ_THR -ge 2 ];”
4.2- Disabling CoreXL will set the number of firewall kernel instances to 1 and the number of net_taskq will be 2 according to the /etc/swi_net_affinity.sh default setting.

Through /etc/swi_net_affinity.sh you can see how Check Point decides which core is responsible for net_taskq and which for the CoreXL instances. It starts allocating cores to the interface IRQs and after that to CoreXL.
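To make the arithmetic in points 2.1 to 4.2 of the quoted post concrete, here is an added example: a shell function of my own that reproduces the net:taskq:cnt decision as the post describes it, so the effect of the -gt/-ge edit and of disabling CoreXL can be seen without an IPSO box. It is not the real /etc/swi_net_affinity.sh. The variable names MAXCPU, FW_THR, TQ_THR and the two conditions come from the quote; the function name taskq_count and the gt/ge selector are my own assumptions.

```shell
#!/bin/sh
# Added example (written for this note, not the real /etc/swi_net_affinity.sh):
# a reconstruction of the net:taskq:cnt decision the quoted cpug post describes.
# MAXCPU, FW_THR, TQ_THR and the "-gt 2" / "-ge 2" condition come from that
# description; the function name and the "gt"/"ge" selector are assumptions.

# taskq_count MAXCPU FW_THR [gt|ge]
#   MAXCPU  cores in the appliance (4 on the IP1280 in the post)
#   FW_THR  CoreXL firewall instances (1 when CoreXL is disabled)
#   gt      shipped condition  "if [ $TQ_THR -gt 2 ]"   (default)
#   ge      edited condition   "if [ $TQ_THR -ge 2 ]"   (step 4.1 of the quote)
# Prints the number of net_taskq (SND) instances that would be configured.
taskq_count() {
    MAXCPU=$1
    FW_THR=$2
    OP=${3:-gt}
    TQ_THR=$((MAXCPU - FW_THR))          # cores left over after CoreXL
    case $OP in
        gt) if [ "$TQ_THR" -gt 2 ]; then echo 2; else echo 1; fi ;;
        ge) if [ "$TQ_THR" -ge 2 ]; then echo 2; else echo 1; fi ;;
        *)  echo "taskq_count: unknown condition '$OP'" >&2; return 1 ;;
    esac
}

# Stand-alone run: the four situations discussed in the quoted post.
for args in "4 3 gt" "4 2 gt" "4 2 ge" "4 1 gt"; do
    set -- $args
    printf 'MAXCPU=%s FW_THR=%s (%s) -> net:taskq:cnt=%s\n' \
        "$1" "$2" "$3" "$(taskq_count "$1" "$2" "$3")"
done
```

The second case is the interesting one: dropping to 2 CoreXL instances on a 4-core box leaves TQ_THR=2, which the shipped -gt 2 test still treats as "one SND". That is why the quoted post needs both steps of 4.1, the instance change and the -ge edit, before a second net_taskq appears, while disabling CoreXL (FW_THR=1) gets there with the unmodified script.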

The commands used for CoreXL analysis on IPSO:

myfirewall[root]# fw ctl multik stat
ID | Active  | CPU | Connections | Peak
-------------------------------------------
 0 | Yes     | N/A |        3871 |    10664
 1 | Yes     | N/A |        4179 |    11835
 2 | Yes     | N/A |        4367 |    13632

The command fw ctl affinity does not exist on IPSO!

To check the connections on a core, use the -i option of the fw command, for example:

myfirewall[root]# fw -i 0 tab -t connections -s
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  4153 10664   12472

myfirewall[root]# fw -i 1 tab -t connections -s
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  4222 11835   12806

Links to help understand the swi_net_affinity.sh file (at least for myself):
http://msdn.microsoft.com/en-us/library/windows/hardware/ff567236%28v=vs.85%29.aspx
http://www.mjmwired.net/kernel/Documentation/networking/ixgbe.txt
http://systhread.net/texts/200008sysctl.php
http://informationsecuritytips.com/2009/01/ipsctl-command-to-check-nokia-firewall-hardware/

3. GAIA

Nothing new about the commands, it is like SecurePlatform:

[Expert@myfirewall2]# fw ctl affinity -a -v -l
Interface eth3-01 (irq 67): CPU all
Interface eth1-08 (irq 91): CPU all
Interface eth3-02 (irq 139): CPU all
Interface eth3-03 (irq 195): CPU all
Interface eth3-04 (irq 219): CPU all
Interface Sync (irq 92): CPU all
Interface Mgmt (irq 124): CPU all
Kernel fw_0: CPU 5
Kernel fw_1: CPU 4
Kernel fw_2: CPU 3
Kernel fw_3: CPU 2
Daemon in.asessiond: CPU all
Daemon in.geod: CPU all
Daemon mpdaemon: CPU all
Daemon fwd: CPU all
Daemon dtlsd: CPU all
Daemon in.aufpd: CPU all
Daemon cpd: CPU all
Daemon cprid: CPU all
[Expert@myfirewall2]#
[Expert@myfirewall2]# fw ctl affinity -l -r
CPU 0:
CPU 1:
CPU 2:  fw_3
CPU 3:  fw_2
CPU 4:  fw_1
CPU 5:  fw_0
All:    eth3-01 eth1-08 eth3-02 eth3-03 eth3-04 Sync Mgmt
        in.asessiond in.geod mpdaemon fwd dtlsd in.aufpd cpd cprid

and the fw ctl multik stat command:

[Expert@myfirewall2]# fw ctl multik stat
ID | Active  | CPU | Connections | Peak
-------------------------------------------
 0 | Yes     | 5   |          11 |       14
 1 | Yes     | 4   |           0 |       11
 2 | Yes     | 3   |           0 |      113
 3 | Yes     | 2   |           2 |       15

Have you read the docs I mentioned? :-)
