Dynamic Balancing (Dynamic Split) is a performance-enhancing daemon that balances the load between CoreXL SNDs and CoreXL Firewalls. It dynamically changes the split between CoreXL SNDs and CoreXL Firewalls and does not require a reboot or cause an outage.
Each Check Point Security Gateway CPU belongs to one of two groups, each of which performs a different task:
Firewall instance
SND (with the exception of a single CPU running FWD in large User-Space appliances).
The distribution of jobs across a Security Gateways CPUs is referred to as the Security Gateway's split. As the distribution of work across these groups depends on your security policy and traffic, we highly recommend that you configure your split to fit your specific needs.
CoreXL's Out-of-the-Box Dynamic Balancing performs a dynamic change of the split. It monitors your system and makes changes as needed.
Starting in R81, this feature is on by default.
Note: If you manually changed CoreXL or Multi-Queue affinity settings on the old version, the feature will not be on by default on the upgraded version.
Key Features
Out-of-the-box optimization
A flexible split to suit your profile
System requirements
Supported Platforms: Dynamic Balancing is supported only on Check Point Appliances.
Supported Models: Dynamic Balancing is supported only on these models:
All models in these series: 7000, 15000, 16000, 23000, 26000 and 28000
5000 series: 5600, 5800 and 5900
6000 series: 6200T, 6400, 6500, 6600, 6700, 6800 and 6900
3000 series: 3100, 3200, 3600 and 3800
Note: On models with fewer than eight cores, you must enable a GNAT port allocation feature. Refer to sk165153. If Dynamic Balancing was enabled before or is on by default, post-enabling GNAT and the required reboot, Dynamic Balancing will automatically start running.
Note: R80.40 is the last supported version for 2200 / 4000 / 12000 / 13000 / 21000 appliances.
Supported versions: Check Point R80.40 with Jumbo Hotfix Take 25 and higher
Supported configurations: Security Gateway (Kernel or USFW), Stand-Alone, and VSX
VSX support is for:
R80.40 Jumbo Hotfix Take 126
R81 with Jumbo Hotfix Take 58
R81.10 and above
Note: VSX support is off by default
Supported features: IPv6, Management Data Plane Separation (MDPS), Bridge mode
Not supported: Check Point Maestro
Usage
To enable Dynamic Balancing
1. From Expert mode, run dynamic_balancing -o enable From Clish, run set dynamic-balancing state enable
2. You can receive a prompt if one of these requirements is not met.
a. On non-VSX environments, if your current CoreXL split is not the default, you will be asked to change the number of instances.
From the Expert mode, Enter y
From Clish (non-interactive), run the command set dynamic-balancing state enable set_default_fw_instances
b. On VSX environments, if your current FWK affinity is not the same amongst all VSs, you will be asked to set it to default. Refer to the Performance Tuning R81 Administration Guide and refer to this section: CoreXL > CoreXL Commands > fw ctl affinity > Running the 'fw ctl affinity -s' command in VSX Mode.
3. Reboot your appliance. Important note for cluster environments: You must configure all cluster members in the same way. In the High Availability mode, start with the Standby member.
Starts Dynamic Balancing from the Gateway’s default split.
disable
Returns the Gateway to its default configuration.
stop
Stops Dynamic Balancing from making split changes. Survives reboot. The CoreXL split will be restored after the reboot to the same configuration when the command was executed.
start
Starts Dynamic Balancing after it is stopped by a user.
Monitoring
You can verify this via CPView, under the SysInfo tab:
You can monitor Dynamic Balancing via CPView, under the CPU tab:
Check for Dynamic Balancing status through Expert Mode:
[Expert@Host]# dynamic_balancing -p Output: Dynamic Balancing is currently On/Off
Smart Console Extension
The SmartConsole Extension provides both monitoring and control over Dynamic Balancing.
To enable this feature, use the "Import SmartConsole Extension..." option in your SmartConsole with this URL: https://dannyjung.de/ds.json
For more information, refer to this CheckMates discussion.
In Cluster HA mode, changes the active member makes are synced to the passive member. This does not apply to Virtual Routing Redundancy Protocol (VRRP).
No, as at any given time, both members will have same number of Firewall instances. Dynamic Workloads will merely “stop” the instance, meaning new connection are not to be dispatched to it.
Dynamic Balancing in VSX is similar to Security Gateways in that it aims to balance the SNDs and FWs cores. As opposed to Security Gateways, FW instances do not have static core affinity, and their amount does not determine the amount of SNDs. As a result, Dynamic Balancing does not require a certain amount of FW instances to be configured, and only adjusts their core affinity.
When adding an SND, the feature sets the affinity of FWK processes in all VSs to the list of new cores (rather than move a FW instance from one core to a different core, as done in Security Gateways). The maximum quantity of SND cores will be according to the NIC driver, with the highest number of queues in all VSs.
When you add a VS, the feature sets the new VS’s FWK to the current FWKs cores affinity.
Dynamic Balancing requires several configuration changes that can only be set upon boot, to allow best performance in all splits (mostly relevant when more SNDs are needed vs default split).
Dynamic Balancing monitors the system periodically for manual changes that might conflict with its own actions (such as: Firewall instances state or affinity changes, interfaces affinity changes etc.), and will stop itself if such action is detected. Refer to sk163815 for more information.
Dynamic Balancing has mechanisms within its logic aimed to prevent un-wanted changes (uses threshold to not be over sensitive, detects frequent conflicting changes and more). Essentially, it uses existing, established Firewall/Linux commands, that were used in Check Point devices for years, while automating their use to be as effective as possible.
Stopping the Dynamic Balancing does not require a reboot. Disabling Dynamic Balancing requires a reboot, since part of the disable process is to revert the configuration back to default, which includes several settings that can only be set on boot (mainly due to memory allocations performed at system init).
No, but changes made in the CoreXL cpconfig only take effect after reboot. Note that rebooting with a non-default instance number (i.e. manual changes done by the user) will prevent Dynamic Balancing from starting in order not to overwrite users' actions (a proper alert to the user is to be sent in such cases).
It finds the least utilized Firewall instance and stops it (meaning that new connections are no longer dispatched to this instance, but it continues to handle its existing ones)
Moves this Firewall instance to the CPU of the next least utilized Firewall instance, such that both instances, the stopped one and the existing one, will be affined to this CPU
Although the Dynamic Dispatcher excludes the stopped instance from its dispatching calculations, in cases where a VPN tunnel was previously created on this instance, some connections, such as NAT-T or ones belong to a non-accelerated tunnel, may be opened on this instance to allow a certain performance optimization.
There are two primary types of CPUs: CoreXL_FW and CoreXL_SND. "BOTH" means the CPU currently operates as a FW and anSND. "OTHER" means the CPU does not currently operate as a FW or SND. In most scenarios, this is an expected, temporary state, caused by CPU role change. If this is not a temporary state, it could imply an affinity misconfiguration.
Notes
Dynamic Balancing manages network card ports that have Multi-Queue enabled. The "mq_mng --show" command shows such ports as "Dynamic". While Dynamic Balancing is active, it assumes control over several resources (listed below). Manual changes may not work, or cause Dynamic Balancing to stop its work (refer to sk163815 for more details):
Changes in affinity of CoreXL Firewall instances, starting or stopping CoreXL Firewall instances, and changing the number of CoreXL Firewall instances.
Changes in Multi-Queue affinity/mode, or changes in the number of RxTx queue weights.
Known Limitations
Issue ID
Description
Comments
PRJ-15874
When you downgrade to Jumbo Hotfix Take where the Dynamic Balancing is not supported, it remains enabled. In this case, the affinity of the Security Gateway will be configured incorrectly.
Disable the Dynamic Balancing before you uninstall the Jumbo Hotfix
Give us Feedback
Thanks for your feedback!
Are you sure you want to rate this stars?
