This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cyrill_Kaspar
Contributor
‎2018-10-24 02:19 AM
Jump to solution

CloudGuard for AWS Performance Optimization

Dear all

I've just watched "Security Gateway Performance Optimization with Tim Hall Video" and checked our VPN Cluster on premise that connects to our AWS Transit VPC CloudGuard gateways.

While our active on prem cluster member shows a nice result:

fwaccel stats -s
Accelerated conns/Total conns : 899/980 (91%)
Accelerated pkts/Total pkts   : 8083891/9502493 (85%)
F2Fed pkts/Total pkts   : 1418602/9502493 (14%)
PXL pkts/Total pkts   : 0/9502493 (0%)

it looks very different on our CloudGuard gateways:

fwaccel stats -s
Accelerated conns/Total conns : 0/242 (0%)
Accelerated pkts/Total pkts   : 0/104845 (0%)
F2Fed pkts/Total pkts   : 81177/104845 (77%)
PXL pkts/Total pkts   : 23668/104845 (22%)

or

Accelerated conns/Total conns : 0/43 (0%)
Accelerated pkts/Total pkts   : 0/78349 (0%)
F2Fed pkts/Total pkts   : 77560/78349 (98%)
PXL pkts/Total pkts   : 789/78349 (1%)

on both CloudGuard gateways secureXL is up:

fwaccel stat    
Accelerator Status : on
Accept Templates   : enabled
Drop Templates     : disabled
NAT Templates      : disabled by user
NMR Templates      : enabled
NMT Templates      : enabled

My question:

Is this a typical/normal behavior for virtual gateways in the cloud?

Best regards and thank you in advance for the feedback.

Cyrill

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2018-10-26 04:17 PM
Jump to solution

The same optimization rules apply for CloudGuard IaaS as well. 

You might see if any of the following apply: SecureXL Mechanism 

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2018-10-26 04:17 PM
Jump to solution

The same optimization rules apply for CloudGuard IaaS as well. 

You might see if any of the following apply: SecureXL Mechanism 

0 Kudos
Cyrill_Kaspar
Contributor
‎2018-10-29 01:53 AM
Jump to solution

Dear Dameon

Thanx for your reply.
After having read your linked SK, I assume my findings relate to VPN traffic and that not much traffic that could be accelerated is generated yet. Most of the rules relate to AWS Datacenter Objects (tags) anyway.
In our on prem R77.30 environment we started to move all rules using NSX Datacenter Objects to the end of the ruleset.

Wish us luck as we are migrating 38 vSec services and four dual clusters to 80.10...

Best regards

Cyrill

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-08 07:09 AM
In response to Cyrill_Kaspar
Jump to solution

The datacenter objects should accelerate with SecureXL.

However, if you're running R77.30, it's possible the real issue is lack of multi-core VPN support: New Feature in R80.10: Multicore VPN Support with Software Blades

0 Kudos
Cyrill_Kaspar
Contributor
‎2018-11-08 07:24 AM
In response to PhoneBoy
Jump to solution

Hi Dameon

Thanx for the input but we're running on

Product version Check Point Gaia R80.10
OS build 26
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit

By the way: 38 CloudGuard instances, 8 HW gateways and 2 SMS successfully migrated to R80.10 over the weekend...

Upcoming Events

    CheckMates Events