Table of Contents

• Introduction
• Key Features
• System requirements
• Usage
• Monitoring
• Smart Console Extension
• FAQs
• Known Limitations

Introduction

Dynamic Balancing (Dynamic Split) is a performance-enhancing daemon that balances the load between CoreXL SNDs and CoreXL Firewalls. It dynamically changes the split between CoreXL SNDs and CoreXL Firewalls and does not require a reboot or cause an outage.

Each Check Point Security Gateway CPU belongs to one of two groups, each of which performs a different task: 

• Firewall instance
• SND (with the exception of a single CPU running FWD in large User-Space appliances). 

The distribution of jobs across a Security Gateways CPUs is referred to as the Security Gateway's split. As the distribution of work across these groups depends on your security policy and traffic, we highly recommend that you configure your split to fit your specific needs.

CoreXL's Out-of-the-Box Dynamic Balancing performs a dynamic change of the split. It monitors your system and makes changes as needed.

Starting in R81, this feature is on by default. 

Key Features

• Out-of-the-box optimization
• A flexible split to suit your profile

System requirements

• Supported Platforms: Dynamic Balancing is supported only on Check Point Appliances. 
  
  
• Supported Models: Dynamic Balancing is supported only on these models:
  
  • All models in these series: 7000, 15000, 16000, 23000, 26000 and 28000
  • 5000 series: 5600, 5800 and 5900
  • 6000 series: 6200T, 6400, 6500, 6600, 6700, 6800 and 6900
  • 3000 series: 3100, 3200, 3600 and 3800
    
    
  Note: On models with fewer than eight cores, you must enable a GNAT port allocation feature. Refer to sk165153. If Dynamic Balancing was enabled before or is on by default, post-enabling GNAT and the required reboot, Dynamic Balancing will automatically start running.  
  
  Note: R80.40 is the last supported version for 2200 / 4000 / 12000 / 13000 / 21000 appliances.  

• Supported versions: Check Point R80.40 with Jumbo Hotfix Take 25 and higher

• Supported configurations: Security Gateway (Kernel or USFW), Stand-Alone, and VSX
  • VSX support is for:
    • R80.40 Jumbo Hotfix Take 126
    • R81 with Jumbo Hotfix Take 58 
    • R81.10 and above
    • Note: VSX support is off by default 
• Supported features: IPv6, Management Data Plane Separation (MDPS), Bridge mode 
  
  
• Not supported: Check Point Maestro

Usage

To enable Dynamic Balancing

1. From Expert mode, run dynamic_balancing -o enable
    From Clish, run set dynamic-balancing state enable

2. You can receive a prompt if one of these requirements is not met. 

a. On non-VSX environments, if your current CoreXL split is not the default, you will be asked to change the number of instances.

• • From the Expert mode, Enter y
  • From Clish (non-interactive), run the command set dynamic-balancing state enable set_default_fw_instances

b. On VSX environments, if your current FWK affinity is not the same amongst all VSs, you will be asked to set it to default. Refer to the Performance Tuning R81 Administration Guide and refer to this section: CoreXL > CoreXL Commands > fw ctl affinity > Running the 'fw ctl affinity -s' command in VSX Mode.  

3. Reboot your appliance.

Important note for cluster environments: You must configure all cluster members in the same way. In the High Availability mode, start with the Standby member.

Syntax

Expert: dynamic_balancing -o { enable | disable | stop | start }
Clish: set dynamic-balancing state { enable | disable | stop | start }

Action	Description
enable	Starts Dynamic Balancing from the Gateway’s default split.
disable	Returns the Gateway to its default configuration.
stop	Stops Dynamic Balancing from making split changes. Survives reboot. The CoreXL split will be restored after the reboot to the same configuration when the command was executed.
start	Starts Dynamic Balancing after it it is stopped by a user.

Monitoring

• You can verify this via CPView, under the SysInfo tab:

  

• You can monitor Dynamic Balancing via CPView, under the CPU tab:

  

• Check for Dynamic Balancing status through Expert Mode:

  [Expert@Host]# dynamic_balancing -p
  Output: Dynamic Balancing is currently On/Off

Smart Console Extension

The SmartConsole Extension provides both monitoring and control over Dynamic Balancing.

To enable this feature, use the "Import SmartConsole Extension..." option in your SmartConsole with this URL: https://dannyjung.de/ds.json 

For more information, refer to this CheckMates discussion.  

FAQs

• Who should use Dynamic Balancing?
  

  Dynamic Balancing is especially beneficial for:

  • Customers who use non-default splits
  • Customers with env. bottle-necks by Secure Network Distributors (SNDs)
  • Customers with environments that may change usage over time - you can "auto tune" your device with no outage, no reboots, no need for any skills!

• Why don't I get more Secure Network Distributors (SNDs)?
  

  There are few possible reasons:

  • Average utilization of SNDs vs FireWall is relatively close (we require 10% difference by default)
  • FireWalls are utilized more than 40%
  • All eligible SNDs are already used as SNDs

• Why don't I get more Firewalls?
  

  There are few possible reasons:

  • Average utilization of SNDs vs Firewalls is relatively close (we require 10% difference by default)
  • All loaded firewall instances are already active

• How does it work with Cluster?
  

  In Cluster HA mode, changes the active member makes are synced to the passive member.

• Feature enablement on one member is only in cluster configuration - any sync related issues?
  

  No, as at any given time, both members will have same number of Firewall instances. Dynamic Workloads will merely “stop” the instance, meaning new connection are not to be dispatched to it.

• How does it work with VSX?
  

  Dynamic Balancing in VSX is similar to Security Gateways in that it aims to balance the SNDs and FWs cores. As opposed to Security Gateways, FW instances do not have static core affinity, and their amount does not determine the amount of SNDs. As a result, Dynamic Balancing does not require a certain amount of FW instances to be configured, and only adjusts their core affinity.
  
  When adding an SND, the feature sets the affinity of FWK processes in all VSs to the list of new cores (rather than move a FW instance from one core to a different core, as done in Security Gateways). The maximum quantity of SND cores will be according to the NIC driver, with the highest number of queues in all VSs.
  
  When you add a VS, the feature sets the new VS’s FWK to the current FWKs cores affinity.

• Why requiring a reboot upon 1st enablement of the feature?
  

  Dynamic Balancing requires several configuration changes that can only be set upon boot, to allow best performance in all splits (mostly relevant when more SNDs are needed vs default split).

• What are the scenarios in which the feature is to automatically turn itself off?
  

  Dynamic Balancing monitors the system periodically for manual changes that might conflict with its own actions (such as: Firewall instances state or affinity changes, interfaces affinity changes etc.), and will stop itself if such action is detected. Refer to sk163815 for more information.  

• Can excessive split changes impact production environment?
  

  Dynamic Balancing has mechanisms within its logic aimed to prevent un-wanted changes (uses threshold to not be over sensitive, detects frequent conflicting changes and more). Essentially, it uses existing, established Firewall/Linux commands, that were used in Check Point devices for years, while automating their use to be as effective as possible.

• Where do I monitor feature is enabled? 
  

  

• Do I need to perform reboot once I want to disable/stop Dynamic Balancing?
  

  Stopping the Dynamic Balancing does not require a reboot. Disabling Dynamic Balancing requires a reboot, since part of the disable process is to revert the configuration back to default, which includes several settings that can only be set on boot (mainly due to memory allocations performed at system init).

• If Dynamic Balancing is enabled, is CoreXL setting in cpconfig disabled ? Meaning I am not able to change CoreXL numbers?
  

  No, but changes made in the CoreXL cpconfig only take effect after reboot. Note that rebooting with a non-default instance number (i.e. manual changes done by the user) will prevent Dynamic Balancing from starting in order not to overwrite users' actions (a proper alert to the user is to be sent in such cases).

• Why do I see more than one Firewall instance on a single CPU?
  

  When Dynamic Balancing adds additional SNDs:

  1. It finds the least utilized Firewall instance and stops it (meaning that new connections are no longer dispatched to this instance, but it continues to handle its existing ones)
  2. Moves this Firewall instance to the CPU of the next least utilized Firewall instance, such that both instances, the stopped one and the existing one, will be affined to this CPU
  3. Turns the free CPU to start working as SND

• Why in some scenarios, I can still see the connections being opened on the stopped instances?
  

  Although the Dynamic Dispatcher excludes the stopped instance from its dispatching calculations, in cases where a VPN tunnel was previously created on this instance, some connections, such as NAT-T or ones belong to a non-accelerated tunnel, may be opened on this instance to allow a certain performance optimization.

• What does “BOTH” or “OTHER” mean in the CPVIEW CPU tab?
  

  There are two primary types of CPUs: CoreXL_FW and CoreXL_SND.
  "BOTH" means the CPU currently operates as a FW and an SND.
  "OTHER" means the CPU does not currently operate as a FW or SND.
  In most scenarios, this is an expected, temporary state, caused by CPU role change.
  If this is not a temporary state, it could imply an affinity misconfiguration.

Notes

Dynamic Balancing manages network card ports that have Multi-Queue enabled. The "mq_mng --show" command shows such ports as "Dynamic".
While Dynamic Balancing is active, it assumes control over several resources (listed below). Manual changes may not work, or cause Dynamic Balancing to stop its work (refer to sk163815 for more details):

• Changes in affinity of CoreXL Firewall instances, starting or stopping CoreXL Firewall instances, and changing the number of CoreXL Firewall instances.
• Changes in Multi-Queue affinity/mode, or changes in the number of RxTx queue weights.

Known Limitations

Issue ID	Description	Comments
PRJ-15874	When you downgrade to Jumbo Hotfix Take where the Dynamic Balancing is not supported, it remains enabled. In this case, the affinity of the Security Gateway will be configured incorrectly.	Disable the Dynamic Balancing before you uninstall the Jumbo Hotfix