This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Parabol
Contributor
‎2024-03-06 06:47 AM

HTTPS Inspection causing slow performance to our web servers

Hi all, recently we had some issue with slow connections to various websites that we host in our environment. We failed over our perimeter firewall cluster, so the standby became primary, which seemed to temporarily restore performance. We open a ticket with TAC, provided them logs and we are waiting further analysis from them.

The issue happened again, this time we set HTTPS inspection to bypass for some of the impacted websites, and we noticed that performance was restored to normal. We will update TAC with this information. But I was wondering if there is anything else we can check in the mean time? Utilization metrics (cpu/memory) seem fine, the perimter firewall isn't overburdened. I wonder if we're hitting a throughput bottleneck perhaps? Interesting that the failover restored performance though.. so seemingly the degraded performance returns over time. Maybe as more connections accumulate? 

The cluster is running on latest R81.20 JHF.

cpview showed:

1,492M Bits/sec

138K packets/sec

97 Connections/sec

2,275 Concurrent connections

Any advice or tips for further tshooting is appreciated, thanks!

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-03-06 07:40 AM

Look into the history using sk101878: CPView Utility, that may give you better insights about the load during the issue!

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-03-06 11:22 AM

Post here also, I have similar issue. But with video hosted on the website. Causes freezes in the video with HTTPS inspection. 

Of course we have to keep in mind HTTPS inspection causes always extra load on the gateway / impact on the inspected flow. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2024-03-06 02:18 PM

Which model of gateway and JHF take is installed on it out of interest?

Also how does your SSL inspection policy structure look?

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2024-03-06 04:52 PM

I think if you sent us what https inspection policy rules look like, it would help us give you a better idea. Just blur out any sensitive date.

Best,

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-03-06 07:07 PM

The reason performance increased upon failover is that while connections can survive a failover via state sync, streaming inspection cannot.  Therefore after failover by default any existing HTTPS connections will no longer be actively streamed and will go fastpath on the newly-active member; this is also true of existing connections that were passively streamed.  So for as long as the browser speculatively maintains these connections post-failover, the fastpath HTTPS site performance for them will be excellent.  This strange-looking effect caused by failovers is documented in my Gateway Performance Optimization R81.20 class.   When a brand new TCP/443 connection is started on the newly-active gateway, proper active streaming inspection resumes.

When you say bad HTTPS performance, can you please clarify?  Do you mean bad performance for long-running downloads via HTTPS?  Or is HTTPS user site navigation slow: either taking a long time to start loading once a user first visits a brand-new site, or slow loading/response when navigating links on the exact same website?  The answer to these questions will help point towards where we need to look.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top