topic Re: CP4800 C2S VPN Optimization in SASE and Remote Access

CP4800 C2S VPN Optimization

SubSeven11 — Thu, 19 Mar 2020 22:11:39 GMT

Ladies and Gentleman,

due to corona crisis we have build up a secondary backup VPN gateway in our infrastructure with an CP4800 appliance. This gateway should only be used when the primary VPN Gateway CP5800 is overloaded.
Actually we know that the primary GW can handle up to 4000 VPN C2S Session on R77.30 - but the backup GW with R80.10 is only for VPN GW which routes all traffic to the primary GW.

In direct comparison the CP4800 GW with the newer R80.10 and only 10 VPN user is much slower (direct comparison between two gw - 4800 10-15mbit slower) than the primary GW with R77.30 and 3000 Users. We already tried alot of checks and configuration setting.

Any body out there who can give some tipps/tricks or hints for performance tweeks?
4800 does not support AES-NI so this SK will not work for us.

Active Blades: FW, NAT, VPN

Internet Interface (incoming traffic) = eth4

xxx1:TACP-0> fw ctl affinity -l
eth5: CPU 0
eth1: CPU 0
eth2: CPU 0
eth3: CPU 0
eth4: CPU 0
Kernel fw_0: CPU 3
Kernel fw_1: CPU 2
Kernel fw_2: CPU 1
Daemon mpdaemon: CPU 1 2 3
Daemon fwd: CPU 1 2 3
Daemon lpd: CPU 1 2 3
Daemon wsdnsd: CPU 1 2 3
Daemon cpd: CPU 1 2 3
Daemon cprid: CPU 1 2 3

xxx1:TACP-0> fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall
Security disables template offloads from rule #15
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by user
NMR Templates : enabled
NMT Templates : enabled

Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, Nac,
ViolationStats, AsychronicNotif, ERDOS,
McastRoutingV2, NMR, NMT, NAT64, GTPAcceleration,
SCTPAcceleration
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256

xxx1:TACP-0> fw ver
This is Check Point's software version R80.10 - Build 083

It will be great if somebody has some tuning tipps for us.

Br. Sub7

Re: CP4800 C2S VPN Optimization

PhoneBoy — Thu, 19 Mar 2020 22:48:04 GMT

Why did you build the backup gateway with R80.10 and not with a later release?
There are some significant improvements in later releases, particularly with SecureXL and encryption.

It would also help to know how clients are connecting (using which version of which client).

Re: CP4800 C2S VPN Optimization

SubSeven11 — Thu, 19 Mar 2020 22:57:27 GMT

It was an existing Gateway which was only used for Wireless LAN connection with PBR.
So nobody is in the office and the Gateway will not used for a while.
It was pretty easy to integrate and activate mobile access on this gateway.
We are using E81.40 on the Clients with FOB + Softtoken Authentication.

Any Ideas how to became this appliance faster?
All checks on the routers and switches did not show any relevant configurations that should be changed or optimized.

Br.

Re: CP4800 C2S VPN Optimization

SubSeven11 — Thu, 19 Mar 2020 23:22:22 GMT

I was thinking about Encryption Strenght and had a look into the Global Settings -> Activated some additional Supported Algortihms. Actualy it seems that it is now a little bit faster then before!

Re: CP4800 C2S VPN Optimization

PhoneBoy — Thu, 19 Mar 2020 23:24:46 GMT

That will definitely help.
Am curious how you were testing the speed and if you had similar settings to your other gateway.

Re: CP4800 C2S VPN Optimization

SubSeven11 — Thu, 19 Mar 2020 23:39:41 GMT

My testing setup (yes I know that actually all local providers in EUROPE have some problems with bandwith)

Testing with Speedtesting Providers in the Public Internet like "speedtest.net" and others..
Looking how fast it is going without VPN directly from local infrastructure to the internet.

Testing with IPERF3 on Client + Server which is located in the Dataceneter.
Only Reachable with VPN for some Encryption Domains.
IPERF3.exe -R -c "IP-Adress"

Do that with Primary Gateway CP5800 R77.30 and then do it with the Backup GW CP4800 R80.10.
- Compare Results.

I know there will be some overhead in the packets but it should bring up at least 50% of public inet speed in the VPN.
My actual Test is 120Mbit/s Public / 60Mbit with VPN to Datacenter.
This was my experience in the last years over the same provider.

Do you have any hints to additional settings or encryption algorithms that could bring more performance?
Actually it is a litte bit better on the Backup GW 53Mbit/s.

Re: CP4800 C2S VPN Optimization

PhoneBoy — Fri, 20 Mar 2020 01:34:19 GMT

AES-128 might the be the lightest in terms of CPU, but is less secure with the shorter key lengths.
AES-256 is probably the best balance of security and performance.
Also, don't forget the hashes.
SHA-1 is considered insecure and you should probably use SHA-256 instead, but I'm sure with more CPU overhead.
That said, I don't know if the others are better/worse.

Re: CP4800 C2S VPN Optimization

Timothy_Hall — Fri, 20 Mar 2020 15:17:52 GMT

Prohibit the use of 3DES completely as it is much slower especially if the firewall supports AES-NI. This may break some very very old VPN clients if you have any floating around but that is unlikely. Force DH Group 20 and AES-256 for Phase 1 and AES-128 for phase 2 which carries the majority of traffic. Force SHA-256 for both phases. Not sure if RA VPN supports AES-GCM-128 for Phase 2 but it is much more efficient than straight AES-128 if AES-NI is supported on the firewall. Avoid SHA-384 as VPN traffic using it cannot be accelerated by the firewall.

These are very general recommendations specifically geared for performance, if the VPN traffic is subject to additional security requirements you may need stronger algorithms.

Re: CP4800 C2S VPN Optimization

SubSeven11 — Fri, 27 Mar 2020 12:57:36 GMT

Want to give a feedback to this topic:

Check Point 4800 can manage up to 650 concurrent VPN Users in our enviroment with mixed real traffic.
But it will slow down alot the bandwith.

The global settings helped with bandwith because easy encryption methods before we reached the maximum on this GW.
We will switch to a bigger appliance to manage much more Users.

Thans to all!