CoreXL: Tips and Tricks

So I was working with a bunch of SEs in Chicago and one of them says to me, “I can tell if someone has no experience with setting up a system by typing sim affinity -l. That will tell me if CoreXL has been balanced or not, then the person either knows their stuff or not.”

I’ll admit, until this past month I was clueless. I took a survey at the last CP get-together here in Minneapolis and it turns out so are most of my peers. In addition, I work with some awesome CP Diamond engineers and they never mentioned it. So I didn’t feel quite as bad, but it was time to get busy.

I’ve been working on this big CoreXL project and hopefully can share it with you someday. CoreXL is one of those hidden Check Point gems that Marketing should be shouting from the rooftops about in order to compete with the ASIC competitors. But as usual CoreXL has really bad and spotty documentation, so not even the techies get it. The best bet is to read the SKs, but it’s like blind people feeling an elephant trying to guess what it is. Well, over the past month I think I am finally starting to get the big picture and hopefully can share it with you in the future. It is cool.

Anyways here is a cool tip I learned the other day. CoreXL balances 4 functions amongst processors:

  1. Interface processing
  2. Firewall instances
  3. Firewall helper processes
  4. Linux processes

If you have a ‘busy’ box, you can tell if network I/O is one of the issues impacting performance. I had this box with default config and decided to SCP a 3 gig file between the SYNC interfaces. This forced the CPU %SI (software interrupts) to 80% and the system started rebalancing.

If you see this:

[Image: corexl-balancing]

you may have an issue. By default, interfaces are set to ALL, which means any processor can be used to handle processing for that interface. If the system is NOT busy, CPU0 will typically handle all the interface interrupts. If the box is ‘busy’ (CPU and %SI are high, roughly > 50%) and is having problems processing network I/O, then rebalancing starts and the interfaces are assigned to specific CPUs. If this rebalancing keeps happening with the interfaces, THEN you really may be having network I/O problems. If packets are dropping, check your ifconfig output for errors.

You can also tell if the interfaces have been rebalanced since boot by looking at the interrupt handling. /proc/interrupts tells you whether an interface’s interrupts have been handled by multiple CPUs. If so, then the box has been busy trying to keep up and has auto-rebalanced by moving interrupt handling amongst several CPUs.

[Image: interface-rebalancing]
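
One way to run that check from the shell, as an added example that is not from the original post: the function below reads /proc/interrupts and reports, for each interrupt source whose name matches a regex, how many CPUs have serviced it and what share landed on the busiest CPU. The ^eth name pattern, the function names and the sample counters are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: summarise how interface interrupts are spread across CPUs.

# Constructed sample in /proc/interrupts layout (not captured from a real gateway).
sample_interrupts() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  0:        142          0          0          0   IO-APIC-edge      timer
 59:    9123456          0          0          0   PCI-MSI-edge      eth0
 67:    4000000    2500000    1500000          0   PCI-MSI-edge      eth1
 75:          0     800000          0     200000   PCI-MSI-edge      eth2
NMI:          0          0          0          0   Non-maskable interrupts
ERR:          0
EOF
}

# irq_spread [FILE] [NAME_REGEX]
# FILE defaults to /proc/interrupts; NAME_REGEX defaults to ^eth (assumed naming).
# Prints one line per matching interrupt source:
#   <name> cpus=<CPUs with a nonzero count> top=CPU<n> share=<percent on that CPU>
# cpus=1 means one CPU has taken every interrupt since boot; cpus>1 means the
# handling has moved between CPUs at some point.
irq_spread() {
    awk -v pat="${2:-^eth}" '
    NR == 1 { ncpu = NF; next }          # header row: one column per CPU
    NF < ncpu + 2 { next }               # short summary rows (ERR:, MIS:) carry no device
    $NF ~ pat {
        total = 0; used = 0; top = 0; max = -1
        for (i = 2; i <= ncpu + 1; i++) {
            c = $i + 0
            total += c
            if (c > 0) used++
            if (c > max) { max = c; top = i - 2 }
        }
        if (total == 0) next             # interface has never raised an interrupt
        printf "%s cpus=%d top=CPU%d share=%d%%\n", $NF, used, top, int(100 * max / total)
    }' "${1:-/proc/interrupts}"
}
```

On a gateway, run irq_spread with no arguments; the counters are cumulative since boot, so a spread across CPUs shows that rebalancing happened at some point, not that it is happening now.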

Hopefully I can share more with you in the future!

Have a balanced day!

dreez


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
