Cyrill_Kaspar
Participant

CloudGuard for AWS Performance Optimization

Dear all

I've just watched "Security Gateway Performance Optimization with Tim Hall Video" and checked our VPN Cluster on premise that connects to our AWS Transit VPC CloudGuard gateways.

While our active on prem cluster member shows a nice result:

fwaccel stats -s
Accelerated conns/Total conns : 899/980 (91%)
Accelerated pkts/Total pkts   : 8083891/9502493 (85%)
F2Fed pkts/Total pkts   : 1418602/9502493 (14%)
PXL pkts/Total pkts   : 0/9502493 (0%)

it looks very different on our CloudGuard gateways:

fwaccel stats -s
Accelerated conns/Total conns : 0/242 (0%)
Accelerated pkts/Total pkts   : 0/104845 (0%)
F2Fed pkts/Total pkts   : 81177/104845 (77%)
PXL pkts/Total pkts   : 23668/104845 (22%)

or

Accelerated conns/Total conns : 0/43 (0%)
Accelerated pkts/Total pkts   : 0/78349 (0%)
F2Fed pkts/Total pkts   : 77560/78349 (98%)
PXL pkts/Total pkts   : 789/78349 (1%)

On both CloudGuard gateways SecureXL is up:

fwaccel stat    
Accelerator Status : on
Accept Templates   : enabled
Drop Templates     : disabled
NAT Templates      : disabled by user
NMR Templates      : enabled
NMT Templates      : enabled

My question:

Is this a typical/normal behavior for virtual gateways in the cloud?

Best regards and thank you in advance for the feedback.

Cyrill
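
An added example, not part of the original post: a small Python parser for the `fwaccel stats -s` summary rows quoted above, useful when the same comparison has to be made across many gateways. The function names and the 50% F2F review threshold are assumptions made for illustration; the sample text is copied from the post.

```python
import re

# One summary row: "<label> : <count>/<total> (<pct>%)"
ROW = re.compile(r"^\s*([^:]+?)\s*:\s*(\d+)/(\d+)\s*\(\d+%\)\s*$")

# Sample output copied from the post above.
ON_PREM = """\
Accelerated conns/Total conns : 899/980 (91%)
Accelerated pkts/Total pkts   : 8083891/9502493 (85%)
F2Fed pkts/Total pkts   : 1418602/9502493 (14%)
PXL pkts/Total pkts   : 0/9502493 (0%)
"""
CLOUDGUARD = """\
Accelerated conns/Total conns : 0/242 (0%)
Accelerated pkts/Total pkts   : 0/104845 (0%)
F2Fed pkts/Total pkts   : 81177/104845 (77%)
PXL pkts/Total pkts   : 23668/104845 (22%)
"""

def parse_fwaccel_summary(text):
    """Return {label: (count, total)}; lines that are not ratio rows are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows

def share(rows, label):
    """Fraction count/total for a row; 0.0 if the row is missing or total is 0."""
    count, total = rows.get(label, (0, 0))
    return count / total if total else 0.0

def assess(text, f2f_limit=0.5):
    """Summarise one gateway. f2f_limit is an assumed review threshold."""
    rows = parse_fwaccel_summary(text)
    result = {
        "accel_conns": share(rows, "Accelerated conns/Total conns"),
        "accel_pkts": share(rows, "Accelerated pkts/Total pkts"),
        "f2f_pkts": share(rows, "F2Fed pkts/Total pkts"),
        "pxl_pkts": share(rows, "PXL pkts/Total pkts"),
    }
    result["review"] = result["f2f_pkts"] > f2f_limit
    return result

if __name__ == "__main__":
    for name, sample in (("on-prem", ON_PREM), ("CloudGuard", CLOUDGUARD)):
        print(name, {k: round(v, 2) if k != "review" else v for k, v in assess(sample).items()})
```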

Accepted Solutions
PhoneBoy
Admin

The same optimization rules apply for CloudGuard IaaS as well. 

You might see if any of the following apply: SecureXL Mechanism 

Cyrill_Kaspar
Participant

Dear Dameon

Thanks for your reply.
After having read your linked SK, I assume my findings relate to VPN traffic and that not much traffic that could be accelerated is generated yet. Most of the rules relate to AWS Datacenter Objects (tags) anyway.
In our on prem R77.30 environment we started to move all rules using NSX Datacenter Objects to the end of the ruleset.

Wish us luck as we are migrating 38 vSec services and four dual clusters to 80.10...

Best regards

Cyrill

PhoneBoy
Admin

The datacenter objects should accelerate with SecureXL.

However, if you're running R77.30, it's possible the real issue is lack of multi-core VPN support: New Feature in R80.10: Multicore VPN Support with Software Blades

Cyrill_Kaspar
Participant

Hi Dameon

Thanks for the input, but we're running on

Product version Check Point Gaia R80.10
OS build 26
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit

By the way: 38 CloudGuard instances, 8 HW gateways and 2 SMS successfully migrated to R80.10 over the weekend...
