Uploaded by Steven Salas

CoreXL Administration Guide

advertisement
CoreXL Administration Guide
January 3, 2008
In This Document
Introduction
page 2
Supported Hardware and Operating System
page 2
Setting Up CoreXL
page 2
Adding Processing Cores to the Hardware
page 4
CoreXL Configuration
page 6
Command Line Reference
page 8
Copyright © 2007 Check Point Software Technologies, Ltd. All rights reserved
1
Introduction
Introduction
CoreXL is a performance-enhancing technology for VPN-1 gateways on multi-core
processing platforms. CoreXL enhances VPN-1 performance by enabling the processing
cores to concurrently perform multiple tasks.
CoreXL provides almost linear scalability of performance, according to the number of
processing cores on a single machine. The increase in performance is achieved without
requiring any changes to management or to network topology.
CoreXL joins ClusterXL Load Sharing and SecureXL (Performance Pack) as part of
Check Point’s fully complementary family of traffic acceleration technologies.
In a CoreXL gateway, the firewall kernel is replicated multiple times. Each replicated
copy, or instance, of the firewall kernel runs on one processing core. The instances
handle traffic concurrently, and each instance is a complete and independent VPN-1
inspection kernel.
CoreXL is based on the NGX R65 version of VPN-1. As far as network topology,
management configuration, and security policies are concerned, a CoreXL gateway
functions as a regular VPN-1 NGX R65 gateway. All of the kernel instances of a
gateway handle traffic going through the same gateway interfaces and apply the same
gateway security policy.
This document provides basic information for deploying VPN-1 with CoreXL. Optional
advanced configuration is discussed in the CoreXL Advanced Configuration Guide.
Note - Before installing CoreXL, read the latest version of the VPN-1 NGX R65 with CoreXL Release
Notes, available at: http://www.checkpoint.com/support/technical/documents/index.html
Supported Hardware and Operating System
For hardware and operating system requirements, see the VPN-1 NGX R65 with CoreXL
Release Notes at:
http://www.checkpoint.com/support/technical/documents/index.html
Setting Up CoreXL
No adjustments to the network are required.
For management, use only the NGX R65 version of SmartCenter or of Provider-1.
No changes to security policies is necessary. You can use the same policies for regular
NGX R65 and for CoreXL gateways, as long as they do not use unsupported features
(see the VPN-1 NGX R65 with CoreXL Release Notes).
CoreXL Administration Guide. Last Update: January 3, 2008
2
Setting Up CoreXL
To install CoreXL:
1. Disable Hyper-Threading (if supported on your hardware platform) in the BIOS.
2. From a VPN-1 NGX R65 with CoreXL installation source (CD or network file server),
install VPN-1 on the gateway. Perform the installation according to the instructions
for a new installation in the Internet Security Product Suite Getting Started Guide,
through system configuration and reboot.
Install in a Distributed deployment only. Standalone deployment is not supported.
Note - During the VPN-1 installation process, you can select to install Performance Pack. CoreXL and
Performance Pack increase performance using different technologies, and can function together in a
complementary fashion. If you install Performance Pack and later decide not to run it, you will be
able to then disable it. For considerations and instructions regarding running Performance Pack on
a CoreXL gateway, see “Running Performance Pack with CoreXL” on page 6.
3. To enhance performance, configure the hardware so that interfaces handling heavy
traffic do not share interrupt requests (IRQs). To view the IRQs of all interfaces,
run:
fw ctl affinity -l -v -a
If multiple interfaces share an IRQ, try to make sure only one interface handles
heavy traffic.
4. To enhance performance, if your CoreXL gateway is not handling VPN traffic,
disable VPN on the gateway, as follows:
a. In SmartDashboard, double-click the CoreXL gateway icon to open the gateway’s
General Properties.
b. Under Check Point Products, clear VPN.
c. Install Policy.
5. If your platform contains only two processing cores, the default configuration does
not provide optimal performance. In this case, optimize your configuration as
follows:
a. On the gateway, run:
/etc/fw/boot/fwboot bootconf set_kernnum 2
b. Reboot for the setting to take effect.
c. Verify that two firewall kernels are running by using the following command:
fw ctl multik stat
CoreXL Administration Guide. Last Update: January 3, 2008
3
Adding Processing Cores to the Hardware
The output should show 2 instances. For example:
ID | Active | CPU | Connections | Peak
------------------------------------------0 | Yes
|
1 |
2 |
19
1 | Yes
|
0 |
2 |
18
d. Configure Interface Affinity to achieve optimal performance according to one of
the following two options:
Option 1 — Running with Performance Pack automatic Affinity configuration
1. Verify that automatic mode is enabled by running the command:
sim affinity -a
2. Edit $ FWDIR/scripts/fwaffinity_used_cpus
3. Add the following as the first line of the file:
exit
There is no need to reboot.
Option 2 — Running with manual Affinity configuration
Define which core should handle the traffic of each interface (the Interface
Affinity). If you have multiple interfaces, you need to decide which interfaces to
associate with each of the two cores. Try to achieve a balance of expected traffic
between the cores. You can check the resulting balance of traffic by using the top
command.
To set interface affinities, please refer to the CoreXL Advanced Configuration Guide.
Adding Processing Cores to the Hardware
Increasing the number of processing cores on the hardware platform does not
automatically increase the number of kernel instances. If the number of kernel
instances is not increased, CoreXL does not utilize some of the processing cores.
To increase the number of kernel instances, after upgrading, reinstall CoreXL.
Alternatively, you can manually increase the number of instances - see the CoreXL
Advanced Configuration Guide.
CoreXL Administration Guide. Last Update: January 3, 2008
4
Adding Processing Cores to the Hardware
In general, reinstalling CoreXL will change the number of kernel instances if you have
upgraded the hardware to an increased number of processing cores, or if the number of
processing cores stays the same but the number of kernel instances was previously
manually changed from the default.
In a clustered deployment, changing the number of kernel instances (such as by
reinstalling CoreXL) should be treated as a version upgrade. Follow the instructions in
the NGX R65 Upgrade guide, in the “Upgrading ClusterXL Deployments” chapter, and
perform either a Minimal Effort Upgrade (using network downtime) or a Zero Downtime
Upgrade (no downtime, but active connections may be lost), substituting the instance
number change for the version upgrade in the procedure. A Full Connectivity Upgrade
cannot be performed in a CoreXL cluster.
CoreXL Administration Guide. Last Update: January 3, 2008
5
CoreXL Configuration
CoreXL Configuration
This section contains information on the default configuration and on basic
configuration options. See the CoreXL Advanced Configuration Guide for information on
changing the allocation of processing cores for different tasks.
In This Section
Running Performance Pack with CoreXL
page 6
Default Configuration
page 6
Viewing the Existing Configuration
page 8
Running Performance Pack with CoreXL
CoreXL can run with or without Performance Pack. Performance Pack’s effect on
performance in a CoreXL gateway can vary according to the nature of the traffic passing
through the gateway. If most of the traffic is accelerated by Performance Pack, you
should have Performance Pack running.
Once Performance Pack is installed, you can enable or disable Performance Pack by
using the cpconfig utility, and selecting “Enable / Disable Check Point SecureXL”.
Default Configuration
Four or more cores
When running CoreXL on four or more processing cores, the number of kernel instances
in the CoreXL post-setup configuration is one less than the number of processing cores.
The remaining processing core is responsible for processing incoming traffic from the
network interfaces, securely accelerating authorized packets (if Performance Pack is
running) and distributing non-accelerated packets among kernel instances.
Upon installation of CoreXL, the number of kernel instances is set to n-1, where n is
the total number of processing cores on the platform. The instances are numbered from
0 to n-2.
CoreXL is designed for a maximum of eight processing cores. If your platform has more
than that, the number of kernel instances will still be set to only seven.
CoreXL Administration Guide. Last Update: January 3, 2008
6
Default Configuration
Two cores
When running CoreXL on two processing cores, the number of kernel instances in the
CoreXL post-setup configuration will be set to two and will be numbered 0 and 1 . The
incoming traffic will be processed on the same core(s) which are assigned for the
instances according to the Interface Affinity configured during setup (see step 5d of
Setting Up CoreXL).
CoreXL Administration Guide. Last Update: January 3, 2008
7
Viewing the Existing Configuration
Viewing the Existing Configuration
For an explanation of kernel, daemon and interface affinities, see the CoreXL Advanced
Configuration Guide.
•
You can view the existing affinities of interfaces, of VPN-1 kernel instances, and of
other processes, by using the fw ctl affinity -l command. For details, see “fw
ctl affinity -l” on page 10.
•
To view affinities and additional statistics of all kernel instances, run the following
command:
fw ctl multik stat
•
If Performance Pack is running, you can view interface affinities by using the
following Performance Pack command:
sim affinity -l
Command Line Reference
In This Section
fw ctl affinity
page 8
fw ctl multik stat
page 11
fw -i
page 11
fw ctl affinity
The fw ctl affinity command controls affinity settings.
To set affinities: fw ctl affinity -s
To list existing affinities: fw ctl affinity -l
CoreXL Administration Guide. Last Update: January 3, 2008
8
fw ctl affinity
fw ctl affinity -s
Use this command to set affinities. For an explanation of kernel, daemon and interface
affinities, see the CoreXL Advanced Configuration Guide.
fw ctl affinity -s settings are not persistent through a restart of VPN-1. If you want
the settings to be persistent, either use sim affinity (a Performance Pack command see the Performance Pack Administration Guide for details) or edit the fwaffinity.conf
configuration file (see the CoreXL Advanced Configuration Guide for details).
To set interface affinities, you should use fw ctl affinity only if Performance Pack is
not running. If Performance Pack is running, you should set affinities by using the
Performance Pack sim affinity command. These settings will be persistent. If
Performance Pack’s sim affinity is set to Automatic mode (even if Performance Pack
was subsequently disabled), you will not be able to set interface affinities by using fw
ctl affinity -s.
Syntax
fw ctl affinity -s <proc_selection> <cpuid>
<proc_selection> is one of the following parameters:
Parameter
Description
-p <pid>
Sets affinity for a particular process, where <pid> is the process
ID#.
-n <cpdname>
Sets affinity for a Check Point daemon, where <cpdname> is the
Check Point daemon name (for example: fwd).
-k <instance>
Sets affinity for a kernel instance, where <instance> is the
instance’s number.
-i <interfacename>
Sets affinity for an interface, where <interfacename> is the
interface name (for example: eth0).
<cpuid> should be a processing core number or a list of processing core numbers. To
have no affinity to any specific processing core, <cpuid> should be: all.
Note - Setting an Interface Affinity will set the affinities of all interfaces sharing the same IRQ to the
same processing core. To view the IRQs of all interfaces, run: fw ctl affinity -l -v -a .
Example
To set kernel instance #3 to run on processing core #5, run:
fw ctl affinity -s -k 3 5
CoreXL Administration Guide. Last Update: January 3, 2008
9
fw ctl affinity
fw ctl affinity -l
Use this command to list existing affinities. For an explanation of kernel, daemon and
interface affinities, see the CoreXL Advanced Configuration Guide.
Syntax
fw ctl affinity -l [<proc_selection>] [<listtype>]
If <proc_selection> is omitted, fw ctl affinity -l lists affinities of all Check Point
daemons, kernel instances and interfaces. Otherwise, <proc_selection> is one of the
following parameters:
Parameter
Description
-p <pid>
Displays the affinity of a particular process, where <pid> is the
process ID#.
-n <cpdname>
Displays the affinity of a Check Point daemon, where <cpdname>
is the Check Point daemon name (for example: fwd).
-k <instance>
Displays the affinity of a kernel instance, where <instance> is
the instance’s number.
-i <interfacename> Displays the affinity of an interface, where <interfacename> is
the interface name (for example: eth0).
If <listtype> is omitted, fw ctl affinity -l lists items with specific affinities, and
their affinities. Otherwise, <listtype> is one or more of the following parameters:
Parameter
Description
-a
All: includes items without specific affinities.
-r
Reverse: lists each processing core and the items that have it as
their affinity.
-v
Verbose: list includes additional information.
Example
To list complete affinity information for all Check Point daemons, kernel instances and
interfaces, including items without specific affinities, and with additional information,
run:
fw ctl affinity -l -a -v
CoreXL Administration Guide. Last Update: January 3, 2008
10
fw ctl multik stat
fw ctl multik stat
The fw ctl multik stat (multi-kernel statistics) command displays information for
each kernel instance. The state and processing core number of each instance is
displayed, along with:
•
The number of connections currently being handled.
•
The peak number of concurrent connections the instance has handled since its
inception.
fw -i
Generally, when VPN-1 line commands are executed on a CoreXL gateway they will
relate to the gateway as a whole, rather than to an individual kernel instance. For
example, the fw tab command will enable viewing or editing of a single table of
information aggregated for all kernel instances.
You can specify that certain commands apply to an individual kernel instance by adding
-i <kern> after fw in the command, where <kern> is the kernel instance’s number.
fw -i applies to the following commands:
fw ctl debug (when used without the -buf parameter)
fw ctl get
fw ctl set
fw ctl leak
fw ctl pstat
fw monitor
fw tab
For details and additional parameters for these commands, see the Command Line
Interface Reference Guide.
Example
To view the connections table for kernel instance #1 use the following command:
fw -i 1 tab -t connections
CoreXL Administration Guide. Last Update: January 3, 2008
11
Download