- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
| Intruduction | 
|---|
In the last weeks I have been asked again and again how I can increase the performance of my Check Point gateway. Now comes my counter-question. What do you want to reach in Performance Tuning?
Therefore, I have created an overview of what the goal is!
| Chapter | 
|---|
Moe interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)
| Performance Metrics | 
|---|
In principle, there are several performance metrics:
There are standardized test procedures according to RFC for this:
| Throughput | Connection rate | Packet rate | Concurrent connections | Latency | |
| RFC | RFC3511 5.1.4.1 | RFC3511 5.3.1 | RFC3511 5.1.4.1 | RFC3511 5.2.4.2 | RFC2544 26.2 | 
| Units | Bit/s | Connections/s | Packets/s | Absolute number of connections | (m)s | 
| Testing conditions | Large UDP | Small TCP | Small UDP | Small TCP | Small UDP | 
| Bottleneck | Bus, Interfaces | CPU | CPU | Memory | Bus, Interfaces, CPU, Infrastructure | 
| Throughput | 
|---|
Description: RFC3511 – 5.1.4.1
Throughput: Maximum offered load, expressed in either bits per second or packets per second, at which no packet loss is detected. The bits to be counted are in the IP packet (header plus payload); other fields, such as link-layer headers and trailers, MUST NOT be included in the measurement.
Units: Bits per second
Testing conditions for achieving best results: Large UDP
Bottleneck: Bus, interfaces
| Connection Rate | 
|---|
Description: RFC3511 – 5.3.1
To determine the maximum TCP connection establishment rate through or with the DUT/SUT, as defined by RFC 2647 [1]. This test is intended to find the maximum rate the DUT/SUT can update its connection table.
Units: Connections per second
Testing conditions for achieving best results: Small TCP (HTTP 64B)
Bottleneck: CPU
| Packet Rate | 
|---|
Description: RFC3511 – 5.1.4.1
Throughput: Maximum offered load, expressed in either bits per second or packets per second, at which no packet loss is detected. The bits to be counted are in the IP packet (header plus payload); other fields, such as link-layer headers and trailers, MUST NOT be included in the measurement.
Units: Packets per second
Testing conditions for achieving best results: Small UDP
Bottleneck: CPU
| Conncurent Connections | 
|---|
Description: RFC3511 – 5.2.4.2
Maximum concurrent connections: Total number of TCP connections open for the last successful iteration performed in the search algorithm.
Units: Absolute number (amount)
Testing conditions for achieving best results: Small TCP (HTTP 64B)
Bottleneck: Memory
| Latency | 
|---|
Description: RFC2544 – 26.2
The latency is timestamp B minus timestamp A as per the relevant definition from RFC 1242, namely latency as defined for store and forward devices or latency as defined for bit forwarding devices.
Units: (m)seconds
Testing conditions for achieving best results: Small UDP
Bottleneck: Interfaces, Infrastructure, CPU, Bus
| Analysis of metrics | 
|---|
The analysis of the above mentioned parameters is very easy with the command cpview.
# cpview
On 41K, 44K, 61K, 64K or Maestro systems use:
# asg perf -v
Use an opern server and a client.
# iperv3 -s > iperv server
# iperv3 -c <iperv server ip> -n 64 > iperv client for small tcp packets
# iperv3 -c <iperv server ip> -u -n 64 > iperv client for small udp packets
# iperv3 -c <iperv server ip> -u -n 1460 > iperv client for large udp packets
There are tools that you can use to generate traffic to test the performance parameters?
How can I use the iperv tool?
Are there any examples here?
Use an opern server and a client.
# iperv3 -s > iperv server
# iperv3 -c <iperv server ip> -n 64 > iperv client for small tcp packets
# iperv3 -c <iperv server ip> -u -n 64 > iperv client for small udp packets
# iperv3 -c <iperv server ip> -u -n 1460 > iperv client for large udp packets
Great information.
we use 4 servers (2xclient and 2xserver) for performance tests.
But we get only a throughput at 10 GBit/s interface from 3 GBit/s on the firewall on a open server HP DL 380 G9. What could be the problem?
3-4 GBit/s is normal. If you need more throughput, you should enable multi queueing in the first step.
More read here:
R80.x - Performance Tuning Tip - Multi Queue
Or enable more CoreXL instances!
I cannot find the iperv3 tool on the gateway.
Why do you need that on a GW in the first place? You use client to server connections through the GW to test performance.
 
					
				
				
			
		
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count | 
|---|---|
| 18 | |
| 16 | |
| 13 | |
| 11 | |
| 11 | |
| 7 | |
| 7 | |
| 6 | |
| 6 | |
| 4 | 
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 11:00 AM (EDT)
Tips and Tricks 2025 #15: Become a Threat Exposure Management Power User!About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY