The fw_worker process
represents a firewall kernel instance on a multi-core Check Point Security
Gateway that utilizes CoreXL (R70 and higher).
CoreXL is a Check Point technology
that allows firewall and IPS security code to run on multiple processors/cores
concurrently. The CoreXL layer accelerates traffic that cannot be handled by
the SecureXL device or traffic that requires deep packet inspection. CoreXL is
able to provide near linear scalability of performance, based on the number of
processing cores on a single machine. This increase in performance is achieved
without requiring any changes to management or network topology. In a CoreXL
gateway, the firewall kernel is replicated so that each replicated copy
(instance) runs on a processing core. These instances handle traffic
concurrently, and each instance is a complete and independent inspection
kernel.
You can configure the number of
firewall kernel instances (fw_worker) on a multi-core Check Point gateway
via 'cpconfig'. Of course, you need a CoreXL license on the gateway based on the
number of firewall instances.
Upon installation of CoreXL, the
number of kernel instances is derived from the total number of cores in the
system as described in the following table:
Number of CPU cores | Number of FW Instances
1                   | CoreXL is disabled
2                   | 2
4                   | 3
8                   | 6
12                  | 10
More than 12        | n-2
Below is an example of a Power-1 5070
gateway, which has 4 CPU cores:
[Expert@HostName]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1)  Licenses and contracts
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Disable Advanced Routing
(7)  Enable cluster membership for this gateway
(8)  Disable Check Point SecureXL
(9)  Configure Check Point CoreXL
(10) Automatic start of Check Point Products
(11) Exit

Enter your choice (1-11) :9

Configuring Configure Check Point CoreXL...
===========================================

CoreXL is currently enabled with 2 firewall instances.

(1) Change the number of firewall instances
(2) Disable Check Point CoreXL
(3) Exit

Enter your choice (1-3) : 1

This machine has 4 CPUs.

How many firewall instances would you like to enable (2 to 4) [3] ? 3

CoreXL was enabled successfully with 3 firewall instances.
Important: This change will take effect after reboot.

Press Enter to continue...
After reboot, you should see 3
CoreXL FW instances (0-2):
[Expert@HostName]# ps auxw | grep fw_worker
root 2089 0.0 0.0 0 0 ? S Mar04 4:02 [fw_worker_0]
root 2155 0.0 0.0 0 0 ? S Mar04 0:01 [fw_worker_1]
root 2229 0.0 0.0 0 0 ? S Mar04 3:07 [fw_worker_2]
To display the status of the CoreXL
instances and the number of connections through each instance (current number
and peak number of concurrent connections), use the 'fw ctl multik stat'
command. It will show you how the
concurrent connections table is distributed across the cores:
[Expert@HostName]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
-------------------------------------------
0  | Yes    | 0   | 4           | 8
1  | Yes    | 0   | 1           | 3
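As an added example (not part of the original post), the shell function below reads 'fw ctl multik stat' output on stdin and reports each instance's share of the current connections, tagging any instance that is not active. The function names, the INACTIVE tag and the sample rows are assumptions constructed for illustration; the column order is the one shown above.

```shell
#!/bin/sh
# Added example: summarise 'fw ctl multik stat' output read from stdin.
# Assumed columns, as shown on this page: ID | Active | CPU | Connections | Peak

multik_summary() {
    awk -F'|' '
        BEGIN { n = 0; total = 0 }
        # Data rows start with a numeric instance ID; header and dashes are skipped.
        $1 ~ /^[ \t]*[0-9]+[ \t]*$/ {
            for (i = 1; i <= NF; i++) gsub(/[ \t]/, "", $i)
            id[n] = $1; active[n] = $2
            conns[n] = $4 + 0; peak[n] = $5 + 0
            total += conns[n]; n++
        }
        END {
            if (n == 0) { print "no instance rows found"; exit 2 }
            for (k = 0; k < n; k++) {
                # Share of the current concurrent connections held by this instance.
                share = (total > 0) ? 100 * conns[k] / total : 0
                note = (active[k] != "Yes") ? " INACTIVE" : ""
                printf "fw_worker_%s conns=%d peak=%d share=%.0f%%%s\n",
                       id[k], conns[k], peak[k], share, note
            }
            printf "total=%d instances=%d\n", total, n
        }'
}

# Constructed sample input (not captured from a real gateway): the first two
# rows reuse the counts shown above, the third row is a made-up inactive instance.
sample_multik_output() {
    cat <<'EOF'
ID | Active  | CPU    | Connections | Peak
-------------------------------------------
 0 | Yes     | 3      |           4 |        8
 1 | Yes     | 2      |           1 |        3
 2 | No      | 1      |           0 |        0
EOF
}

sample_multik_output | multik_summary
```

On a gateway the same function would be fed with: fw ctl multik stat | multik_summary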
To see which connections are assigned
to a particular core, use the command 'fw -i <instance> tab -t connections':
[Expert@HostName]# fw -i 0 tab -t connections
[Expert@HostName]# fw -i 0 tab -t connections -s