topic Re: HTTPS Inspection Performance in Firewall and Security Management

HTTPS Inspection Performance

Itzel_Gtz26 — Fri, 04 Aug 2023 23:12:24 GMT

I'm thinking of enabling HTTPS Inspection, but I want to know:

* How it affects the performance of my devices
* Is an extra blade necessary?
* Can the certificate generated by the device be generated without any problem?

Re: HTTPS Inspection Performance

Chris_Atkinson — Sat, 05 Aug 2023 05:02:50 GMT

HTTPS inspection will have a performance impact relative to the traffic mix seen in the environment. To assist offset this R81.20 provides the best HTTPS inspection performance relative to other versions.

Typically you would import a certificate from your organisation's CA and this should be trusted by clients in favour of using one generated from the Management itself.

Most other blades depend on HTTPS inspection for better visibility / enforcement of encrypted traffic.

Re: HTTPS Inspection Performance

genisis__ — Sat, 05 Aug 2023 14:29:27 GMT

Chris,

What are the performance ratings for each device, this is not published in the device spec sheets and really should be.

Re: HTTPS Inspection Performance

Chris_Atkinson — Sun, 06 Aug 2023 10:21:33 GMT

I believe we are planning to update datasheets with the metrics based on R81.20 in future.

If you need specific data prior you can engage Solution Centre via your local CP office / SE.

Re: HTTPS Inspection Performance

genisis__ — Sun, 06 Aug 2023 15:50:19 GMT

Thanks Chris.

Re: HTTPS Inspection Performance

Itzel_Gtz26 — Mon, 07 Aug 2023 23:38:09 GMT

So in R81.10 there is no way to know how it affects performance?

Re: HTTPS Inspection Performance

genisis__ — Tue, 08 Aug 2023 09:02:40 GMT

Oh there is, but Checkpoint does not publish this. In my option if you look at the current appliances, there is no hardware offload for SSL encryption/decryption, so you know that if an appliance is rated at 4GB throughput with NGTP there are a few assumptions you would potentially need to make:

- The figures quoted are not with TLS inspection on; Therefore what is inspected in NGTP is greatly reduced.
- If TLS inspection was turned on, and depending how your policy is configured (big variable) , take that 4GB and you may as well assume throughput figure is more like 500MB (again an assumption).

In most cases I suspect that Checkpoint would not recommended anything less then a 6600 when TLS inspection is required, and at the cost point this becomes a totally impractical solution for branch offices, which is why allot of companies that are not cash rich are moving away from Checkpoint to vendors that tick all the boxes at a better price point.

What I'm hoping, and again have said this to Checkpoint, that their hardware needs a radical update and all figured, by default should be published with TLS inspection turned on and we need to clear understanding of the testing carried out ie. what is the TLS policy actually inspecting.

Palo and Fortinet both have hardware offload for TLS inspection (Dependent on model and use case).

Re: HTTPS Inspection Performance

Chris_Atkinson — Tue, 08 Aug 2023 12:21:43 GMT

Are you looking for an arbitrary % overhead figure and to what end?

Yes there is a performance penalty with multiple inputs/variables that your local SE can help to quantify specific to your environment & requirements. Please work with them to better understand your scenario & sizing accordingly.

Re: HTTPS Inspection Performance

Timothy_Hall — Tue, 08 Aug 2023 13:09:49 GMT

Can I get a clarification on what specific portion of the HTTPS Inspection feature had its performance improved in R81.20, specifically was it:

1) Bulk encryption/decryption speed & efficiency - kind of unlikely there is much to be gained here that hasn't already been

2) HTTPS negotiation, key creation & signing (wstlsd/pkxld), example: PRJ-35986, PMTR-69155; SSL Inspection; UPDATE: Major performance improvement in HTTPS Inspection of TLS 1.3 - more likely

3) Active streaming allowing TCP window to increase to far higher values UPDATE: Check Point Active
Streaming (CPAS) TCP Window scale factor is now increased up to 6 or a fix for fragmentation occurring when client MSS and server MSS differ under active streaming - most likely but not directly a performance improvement in the HTTPS Inspection feature itself

Thanks!

Re: HTTPS Inspection Performance

Chris_Atkinson — Tue, 08 Aug 2023 13:52:03 GMT

Hey @Timothy_Hall I'll attempt to source some feedback for you and revert

Re: HTTPS Inspection Performance

Timothy_Hall — Tue, 08 Aug 2023 19:44:31 GMT

Thanks Chris. Obviously the follow-up question would be are these performance enhancement features unique to R81.20, or can/will they be back-ported into earlier releases via Jumbo HFA.

Re: HTTPS Inspection Performance

Chris_Atkinson — Mon, 14 Aug 2023 09:14:58 GMT

Enhancements were made throughout the chain from handshake through to blade handover in order to realize the improvement.

I don't have visibility of specifics or portability aspects at this time, those are areas for R&D.