CoreXL Dynamic Dispatcher in R77.30 - R80.10 and Above
Solution ID sk105261
Technical Level
Product CoreXL
Version R77.30, R80.10, R80.20, R80.30, R80.40
OS Gaia, SecurePlatform 2.6
Platform / Model All
Date Created 19-May-2015
Solution
Table of Contents:
1. Introduction
2. CoreXL Dynamic Dispatcher
3. Configuration on Security Gateway R77.30
4. Configuration on Security Gateway R80.10 and above
5. Monitoring CoreXL load distribution
6. Limitations
7. FAQ
8. Related documentation
9. Related solutions
(1) Introduction
CoreXL is a performance-enhancing technology for Security Gateways on platforms with multiple CPU cores. CoreXL enhances Security Gateway performance by enabling
the processing CPU cores to concurrently perform multiple tasks.
On a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated copy, or Firewall instance, runs on one processing CPU core.
These Firewall instances handle traffic concurrently, and each Firewall instance is a complete and independent Firewall inspection kernel. When CoreXL is enabled, all the
Firewall kernel instances in the Security Gateway process traffic through the same interfaces and apply the same security policy.
The CoreXL software architecture includes the Secure Network Distributor (SND). The SND is responsible for:
Traffic received on network interface cards (NICs) is directed to a processing core running the SND.
The dispatcher is executed when a packet should be forwarded to a CoreXL FW instance (in Slow path and Medium path - see sk98737 for details) and is in charge of
selecting the CoreXL FW instance that will inspect the packet.
In R77.20 and lower versions, traffic distribution between CoreXL FW instances is statically based on Source IP addresses, Destination IP addresses, and the IP 'Protocol'
type. Therefore, there are possible scenarios where one or more CoreXL FW instances would handle more connections, or perform more processing on the packets
forwarded to them, than the other CoreXL FW instances.
This may lead to a situation where the load is not balanced across the CPU cores on which the CoreXL FW instances are running.
To help mitigate the above issue, the CoreXL Dynamic Dispatcher feature was introduced in the R77.30 Security Gateway.
The dynamic decision is made for first packets of connections, by assigning each of the CoreXL FW instances a rank, and selecting the CoreXL FW instance with the lowest
rank.
The rank for each CoreXL FW instance is calculated according to its CPU utilization.
The higher the CPU utilization, the higher the CoreXL FW instance's rank is, hence this CoreXL FW instance is less likely to be selected by the CoreXL SND.
The CoreXL Dynamic Dispatcher allows for better load distribution and helps mitigate connectivity issues during traffic "peaks", because connections opened at a high rate,
which a static decision would have assigned to the same CoreXL FW instance, are now distributed across several CoreXL FW instances.
When CoreXL Dynamic Dispatcher is enabled, the dynamic decision is always made (even when there is no significant load).
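The difference between the static and the dynamic decision described above can be seen in a small simulation. This is an added example, not Check Point code: the SHA-256 hash, the use of utilization itself as the rank, and the per-connection cost are modelling assumptions, and the addresses are constructed.

```python
import hashlib

def static_instance(src, dst, proto, n):
    # Static decision: only source IP, destination IP and IP protocol matter,
    # so ports never change the result. SHA-256 is a stand-in hash (assumption).
    digest = hashlib.sha256(f"{src}|{dst}|{proto}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n

def dispatch_static(conns, n):
    """Connections per instance under the static (R77.20-style) decision."""
    counts = [0] * n
    for src, dst, proto, _sport, _dport, _cost in conns:
        counts[static_instance(src, dst, proto, n)] += 1
    return counts

def dispatch_dynamic(conns, n):
    """Connections per instance when each first packet goes to the lowest rank."""
    util = [0.0] * n      # modelled CPU utilization per instance
    counts = [0] * n
    for *_flow, cost in conns:
        # Rank is taken to be the utilization itself (assumption).
        chosen = min(range(n), key=lambda i: util[i])
        counts[chosen] += 1
        util[chosen] += cost   # the new connection adds load to that instance
    return counts

def burst(count=300):
    # Constructed sample: one client opening many TCP connections to one server.
    return [("10.1.1.10", "192.0.2.80", 6, 20000 + i, 443, 1.0) for i in range(count)]

if __name__ == "__main__":
    print("static :", dispatch_static(burst(), 3))
    print("dynamic:", dispatch_dynamic(burst(), 3))
```

With three instances, the static decision places the whole burst on a single instance, while the dynamic decision spreads it evenly.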
Important Notes:
Before enabling the CoreXL Dynamic Dispatcher, refer to the "Limitations" and "FAQ" sections.
In R77.30, when working with CoreXL Dynamic Dispatcher, the only officially supported modes are:
Instructions:
Example output:
Note: In a cluster environment, this procedure must be performed on all members of the cluster. Since a reboot is required, it is recommended to follow the Gaia
Installation and Upgrade Guide - either "Minimal Effort" procedure, or "Zero Downtime" procedure.
Example output:
Note: In a cluster environment, this procedure must be performed on all members of the cluster. Since a reboot is required, it is recommended to follow the Installation
and Upgrade Guide for Gaia Platforms - Chapter 'Upgrading ClusterXL Deployments' - either "Minimal Effort" procedure, or "Zero Downtime" procedure.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105261&partition=Basic&product=Co… 2/5
5/19/2020 CoreXL Dynamic Dispatcher in R77.30 / R80.10 and above
Example output:
Important Notes:
Instructions:
Example output:
Note: In a cluster environment, this procedure must be performed on all members of the cluster. Since a reboot is required, it is recommended to follow the Installation
and Upgrade Guide - Chapter 'Upgrading ClusterXL Deployments' - either "Minimal Effort Upgrade" procedure, or "Zero Downtime Upgrade" procedure.
Example output:
Note: In a cluster environment, this procedure must be performed on all members of the cluster. Since a reboot is required, it is recommended to follow the Installation
and Upgrade Guide - Chapter 'Upgrading ClusterXL Deployments' - either "Minimal Effort Upgrade" procedure, or "Zero Downtime Upgrade" procedure.
Example output:
Note: To monitor the CoreXL Dynamic Dispatcher in action, it must already be enabled with the fw ctl multik set_mode 9 command, and the Security Gateway must already have been
rebooted.
The examples provided below were taken from a machine without the VPN blade or VoIP traffic and with the CoreXL Dynamic Dispatcher disabled. These examples show an
excellent reason to enable CoreXL Dynamic Dispatcher to mitigate the load imbalance between CoreXL FW instances:
1. Check on which CPU cores the CoreXL FW instances are running with the fw ctl affinity -l -r command.
Example (CoreXL FW instances are running on CPU 1, CPU 2, and CPU 3):
2. Check the current CPU utilization by each CoreXL FW instance with the top command.
Note: If the output does not show all CPU cores (if the 3rd line shows "Cpu(s):"), then press "1" and then "Shift+W".
Example (Load on CPU 3 is 24% by SoftIRQ; CoreXL FW instance 0 is consuming 18%; other CoreXL FW instances (fw_worker threads) are idle):
3. Check the distribution of connections across all CoreXL FW instances with the fw ctl multik stat command.
Example (refer to the "Peak" column - CoreXL FW instance 0 processed almost all connections, while other CoreXL FW instances were idle):
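The check in step 3 can be automated by comparing each instance's share of the "Peak" column. This is an added example, not part of the original article: the sample text is constructed, its column layout is an assumption about the fw ctl multik stat output, and the factor threshold is a hypothetical parameter, not a Check Point value.

```python
# Constructed sample; the column layout is assumed, not copied from the page.
SAMPLE = """\
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |         412 |     9875
 1 | Yes     | 2      |           3 |       41
 2 | Yes     | 1      |           2 |       37
"""

def parse_multik_stat(text):
    """Return one dict per CoreXL FW instance row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 5 or not cells[0].isdigit():
            continue
        rows.append({
            "id": int(cells[0]),
            "active": cells[1].lower() == "yes",
            # Non-numeric cells (for example on an inactive row) are tolerated.
            "cpu": int(cells[2]) if cells[2].isdigit() else None,
            "connections": int(cells[3]) if cells[3].isdigit() else 0,
            "peak": int(cells[4]) if cells[4].isdigit() else 0,
        })
    return rows

def overloaded_instances(rows, factor=2.0):
    """IDs of active instances whose share of peak connections exceeds factor x fair share."""
    active = [r for r in rows if r["active"]]
    total = sum(r["peak"] for r in active)
    if len(active) < 2 or total == 0:
        return []
    fair = 1.0 / len(active)   # share each instance would hold if perfectly balanced
    return sorted(r["id"] for r in active if r["peak"] / total > factor * fair)

if __name__ == "__main__":
    print(overloaded_instances(parse_multik_stat(SAMPLE)))
```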
(6) Limitations
The CoreXL Dynamic Dispatcher is not supported in the following scenarios:
Security Gateway is configured in VSX mode (not supported on any of the VSs, including VS0), in versions R80.10 and below.
SAM acceleration card is installed on the appliance
Carrier Grade NAT (CGN) is configured
Security Gateway is configured in Monitor Mode (per sk101670)
6in4 tunnel (SIT interface) is configured
Some lines in the $FWDIR/boot/modules/fwkern.conf file are commented out (refer to sk106309).
The following types of traffic are not load-balanced by the CoreXL Dynamic Dispatcher (this traffic will always be handled by the same CoreXL FW instance):
VoIP
VPN encrypted packets
sk108894 - Difficulties in connecting to untrusted sites when both HTTPS Inspection and CoreXL Dynamic Dispatcher are enabled
sk108856 - R77.30 cluster member might go Down after disabling CoreXL Dynamic Dispatcher only on one member
(7) FAQ
When should I enable CoreXL Dynamic Dispatcher?
Note: The thresholds given in this answer are approximate and should be suitable for the majority of environments.
When will Security Gateway benefit from enabling CoreXL Dynamic Dispatcher?
When CPU load is not properly balanced, Dynamic Dispatcher will distribute the load equally between the CPU cores.
Dynamic Dispatcher is most beneficial on machines with a large number of CPU cores (multi-core machines). On machines with a small number of
CPU cores, the static hash distribution of traffic is good enough, and the benefit of enabling Dynamic Dispatcher is low.
Additional common scenarios in which enabling CoreXL Dynamic Dispatcher will improve Security Gateway performance are cases when traffic is
dropped or delayed due to CPU load on the Security Gateway.
For example, during traffic peaks, during policy installation.
Refer to "Monitoring CoreXL load distribution" section.
Can CoreXL assign some connections statically and some connections dynamically?