Table of Contents

• Introduction
• Key Features
• Usage
• System requirements
• Monitoring
• Smart Console Extension
• FAQ
• Known Limitations

Introduction

Dynamic Balancing (Dynamic Split) is a performance-enhancing daemon that balances the load between CoreXL SNDs and CoreXL Firewalls. It dynamically changes the split between CoreXL SNDs and CoreXL Firewalls and does not require a reboot or cause an outage.

Each Check Point Security Gateway CPU belongs to one of two groups, each of which performs a different task: 

• Firewall instance
• SND (with the exception of a single CPU running FWD in large User-Space appliances). 

The distribution of jobs across a Security Gateways CPUs is referred to as the Security Gateway's split. As the distribution of work across these groups depends on your security policy and traffic, we highly recommend that you configure your split to fit your specific needs.

CoreXL's Out-of-the-Box Dynamic Balancing performs a dynamic change of the split. It monitors your system and makes changes as needed.

Key Features

• Out-of-the-box optimization
• A flexible split to suit your profile

Usage

To enable Dynamic Balancing

1. From the Expert mode, run # dynamic_split -o enable
2. If your current split is not the default, you may receive a prompt to change your number of instances. Click y.  
3. If your setup includes a cluster, enable dynamic split on both appliances.
4. Reboot your appliance.  

Syntax

-o { enable | disable | stop | start }

Action	Description
enable	Starts dynamic split from the gateway’s default split.
disable	Returns the gateway to its default configuration.
stop	Stops the dynamic split from making changes. Restores to the configuration when the command was executed.
start	Starts the dynamic split after it was stopped by a user

System requirements

• Supported Platforms: Dynamic Balancing is supported only on Check Point Appliances. 
  
  
• Supported Models: Dynamic Balancing is supported only on these models:
  
  • All models in these series: 7000, 15000, 16000, 23000, 26000 and 28000
  • 5000 series: 5600, 5800 and 5900
  • 6000 series: 6200T, 6400, 6500, 6600, 6700, 6800 and 6900
  • 3000 series: 3100, 3200, 3600 and 3800
  Note: On models with fewer than 8 cores, a GNAT port allocation feature must be enabled. Refer to sk165153.

• Supported versions: Check Point R80.40 with Jumbo Hotfix Take 25 and higher

• Supported configurations: Security Gateway (Kernel or USFW), Stand-Alone
  
  
• Supported features: IPv6, Management Data Plane Separation (MDPS), Bridge mode 
  
  
• Not supported: Check Point Appliances that run in VSX mode (regardless of the number of CPU cores), Check Point Maestro

Monitoring

• You can verify this via CPView, under the SysInfo tab:

  

• You can monitor Dynamic Balancing via CPView, under the CPU tab:

  

• You can check for Dynamic Balancing status via Expert Mode. To do so, run:

  [Expert@Host]# dynamic_split -p
  Output: Dynamic Split is currently on/off

Smart Console Extension

The SmartConsole Extension provides both monitoring and control over Dynamic Balancing.

To enable this feature, use the "Import SmartConsole Extension..." option in your SmartConsole with the following URL: https://dannyjung.de/ds.json 

For more details, see the following CheckMates article.

FAQ

• What is in it for me? Who’s the main audience of it?
  

  Dynamic Balancing is especially beneficial for:

  • Customers who use non-default splits
  • Customers with env. bottle-necks by Secure Network Distributors (SNDs)
  • Customers with environments that may change usage over time - you can "auto tune" your device with no outage, no reboots, no need for any skills!

• Why don't I get more Secure Network Distributors (SNDs)?
  

  There are few possible reasons:

  • Average utilization of SNDs vs FireWall is relatively close (we require 10% difference by default)
  • FireWalls are utilized more than 40%
  • All eligible SNDs are already used as SNDs

• Why don't I get more Firewalls?
  

  There are few possible reasons:

  • Average utilization of SNDs vs Firewalls is relatively close (we require 10% difference by default)
  • All loaded firewall instances are already active

• How does it work with Cluster?
  

  In Cluster HA mode, changes the active member makes are synced to the passive member.

• Feature enablement on one member is only in cluster configuration - any sync related issues?
  

  No, as at any given time, both members will have same number of Firewall instances. Dynamic Workloads will merely “stop” the instance, meaning new connection are not to be dispatched to it.

• Any impact per different blade policy?
  

  Dynamic Balancing configures the initial split differently based on machine blade policy; if heavier blades are enabled, more instances will be activated and vice versa

• You can change from dynamic SND/Core distribution to manual. But once changed, you cannot go back to dynamic. Will this option become available in the future?
  

  Yes, the option of allowing manual user configuration, and having Dynamic balancing adapt to them once it is re-enabled will be released in one of the future R80.40 Jumbo Hotfix Takes.

• Why requiring a reboot upon 1st enablement of the feature?
  

  Dynamic Balancing requires several configuration changes that can only be set upon boot, to allow best performance in all splits (mostly relevant when more SNDs are needed vs default split).

• What are the scenarios in which the feature is to automatically turn itself off?
  

  Dynamic Balancing monitors the system periodically for manual changes that might conflict with its own actions (such as: Firewall instance stopped, affinity changes, interface setting changes etc.), and will stop itself if such action is detected.

• Can excessive split changes impact production environment?
  

  Dynamic Balancing has mechanisms within its logic aimed to prevent un-wanted changes (uses threshold to not be over sensitive, detects frequent conflicting changes and more). Essentially, it uses existing, established Firewall/Linux commands, that were used in Check Point devices for years, while automating their use to be as effective as possible.

• Where do I monitor feature is enabled? 
  

  

• ‘other’ attribute in CPView - what does it mean?
  

  A CPU that is not a FW instance nor SND, for example, the CPU reserved for FWD would show as ‘other’.

• Do I need to perform reboot once I want to disable/stop Dynamic Balancing?
  

  Stopping the Dynamic Balancing does not require a reboot. Disabling Dynamic Balancing requires a reboot, since part of the disable process is to revert the configuration back to default, which includes several settings that can only be set on boot (mainly due to memory allocations performed at system init).

• If Dynamic Balancing is enabled, is CoreXL setting in cpconfig disabled ? Meaning I am not able to change CoreXL numbers?
  

  No, but changes made in the CoreXL cpconfig only take effect after reboot. Note that rebooting with a non-default instance number (i.e. manual changes done by the user) will prevent Dynamic Balancing from starting in order not to overwrite users' actions (a proper alert to the user is to be sent in such cases).

• Why do I see more than one Firewall instance on a single CPU ?
  

  When Dynamic Balancing adds additional SNDs:

  1. It finds the least utilized Firewall instance and stops it (meaning that new connections are no longer dispatched to this instance, but it continues to handle its existing ones)
  2. Moves this Firewall instance to the CPU of the next least utilized Firewall instance, such that both instances, the stopped one and the existing one, will be affined to this CPU
  3. Turns the free CPU to start working as SND

Notes

Dynamic Balancing manages network card ports that have Multi-Queue enabled. The "mq_mng --show" command shows such ports as "Dynamic".
While Dynamic Balancing is active, it assumes control over several resources (listed below). Manual changes may not work, or cause Dynamic Balancing to stop its work (refer to sk163815 for more details):

• Changes in affinity of CoreXL Firewall instances, starting or stopping CoreXL Firewall instances, and changing the number of CoreXL Firewall instances.
• Changes in Multi-Queue affinity/mode, or changes in the number of RxTx queue weights.

To perform the below operations, Dynamic Balancing must first be disabled, and then re-enabled:

1. Disabling/enabling Hyper Threading
2. Configuring a new network card port which did not have Multi-Queue enabled.

Known Limitations

Issue ID	Description	Comments
PMTR-59810	Dynamic Balancing is not supported on VSX Gateways and VSX Clusters.	-
PRJ-15874	When you downgrade to Jumbo Hotfix Take where the Dynamic Balancing is not supported, it remains enabled. In this case, the affinity of the Security Gateway will be configured incorrectly.	Disable the Dynamic Balancing before you uninstall the Jumbo Hotfix