https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243331#M12217 <P>Potentially an MTU issue, look into MSS clamping per&nbsp;<SPAN>sk121114.</SPAN></P> <P><SPAN>Ensure 3DES isn't used where possible in favour of AES-NI friendly algorithms.</SPAN></P> <P><SPAN>Which version of R81.10.xx is used ?</SPAN></P> Mon, 10 Mar 2025 06:54:59 GMT Chris_Atkinson 2025-03-10T06:54:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243325#M12214 <P>Hello everyone,<BR />I set up a site to site between a Check Point 1500 machine that is managed locally and a Fortigate machine<BR />The site above works fine but all traffic in https + http is very slow.<BR />We checked downloading and uploading files and it was fine.<BR />I would be happy to get some direction on what to check to locate the source of the problem<BR />And if possible also an explanation of how to check if something is unclear.<BR />Thanks to all who answered</P> Sat, 08 Mar 2025 17:57:42 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243325#M12214 Bynet_Security_ 2025-03-08T17:57:42Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243326#M12215 <P>Hey, which Check Point product do you have installed?&nbsp;</P> Sat, 08 Mar 2025 18:02:37 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243326#M12215 AdiGH 2025-03-08T18:02:37Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243328#M12216 <P>what blades you have enabled on the 1500?</P> <P>What encryption methods you use on the site to site?</P> Sat, 08 Mar 2025 20:39:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243328#M12216 Lesley 2025-03-08T20:39:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243331#M12217 <P>Potentially an MTU issue, look into MSS clamping per&nbsp;<SPAN>sk121114.</SPAN></P> <P><SPAN>Ensure 3DES isn't used where possible in favour of AES-NI friendly algorithms.</SPAN></P> <P><SPAN>Which version of R81.10.xx is used ?</SPAN></P> Mon, 10 Mar 2025 06:54:59 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243331#M12217 Chris_Atkinson 2025-03-10T06:54:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243353#M12218 <P>Please post outputs of <A href="https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40528" target="_blank" rel="noopener">Super Seven</A> plus <STRONG>enabled_blades</STRONG>.&nbsp;</P> <P>MSS clamping would normally only apply to IPSec traffic and not HTTPS traffic.&nbsp; This is because in IPSec the whole ESP packet (mostly) is digitally signed and therefore cannot be fragmented (DF flag).&nbsp; With HTTPS the payload stream of data is digitally signed, and the packets carrying it can be fragmented into a zillion pieces, as long as the payload stream of data being carried reassembles correctly.&nbsp; This is why HTTPS/TLS based Remote Access VPN clients are more resistant to low MTU performance issues.</P> Sun, 09 Mar 2025 15:18:46 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Slow-traffic-on-https-http-on-site-to-site/m-p/243353#M12218 Timothy_Hall 2025-03-09T15:18:46Z