- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
1 Solution
Accepted Solutions
Hi @tniop_kcehc
(nice community name:-)
Tip!
I'd turn on AES-NI in BIOS on Open Server. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput. Check Point supports AES-NI on many appliances, only when running Gaia OS with 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.
AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for:
- Site-to-Site VPN
- Remote Access VPN
- Mobile Access
- HTTPS Interception
With the following command you can test and compare all encryption methods. After these results I would always recommend to activate AES-NI and AES is preferred to 3DES because it offers many performance advantages through the hardware acceleration.
Warning notice: If you execute this command you have 100% CPU usage for a long time!
# cpopenssl speed
This makes it possible to compare encryption algorithms. It shows that e.g. AES 256 is more performant than DES. Therefore AES 256 should rather be used for VPN connections than DES or 3DES. This is also well described in the following SK Relative speeds of algorithms for IPsec and SSL.
I had published an article about this that might help you:
R80.x - Performance Tuning Tip - AES-NI
Hi @tniop_kcehc
(nice community name:-)
Tip!
I'd turn on AES-NI in BIOS on Open Server. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput. Check Point supports AES-NI on many appliances, only when running Gaia OS with 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.
AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for:
- Site-to-Site VPN
- Remote Access VPN
- Mobile Access
- HTTPS Interception
With the following command you can test and compare all encryption methods. After these results I would always recommend to activate AES-NI and AES is preferred to 3DES because it offers many performance advantages through the hardware acceleration.
Warning notice: If you execute this command you have 100% CPU usage for a long time!
# cpopenssl speed
This makes it possible to compare encryption algorithms. It shows that e.g. AES 256 is more performant than DES. Therefore AES 256 should rather be used for VPN connections than DES or 3DES. This is also well described in the following SK Relative speeds of algorithms for IPsec and SSL.
I had published an article about this that might help you:
R80.x - Performance Tuning Tip - AES-NI
Isn't it better to use a higher encryption standard.
I get this question a lot, so I decided to include my opinion on it in the third edition of my book. My recommended settings from the book are below and are primarily geared to improve performance with a reasonable level of security for most organizations. This is most certainly a matter of opinion and I would be surprised if the following does not generate any debate:
Click to Expand
Recommended IPSec VPN Settings
The following sections detail which VPN algorithm settings should be used to provide a reasonable level of IPSec VPN performance without sacrificing security. Please note that these recommendations are made primarily to improve performance, and also provide what I feel is a reasonable level of VPN security for most organizations.
-
IKE Protocol: V2 (Check Point Firewalls), IKE Protocol V1 for third-party VPNs
-
IKE Phase 1 Encryption: AES-256
-
IKE Phase 1 Data Integrity: SHA-256
-
IKE Phase 1 DH Group: 20 (384-bit ECP)
-
IKE Phase 1 SA Lifetime (minutes): 720
-
IKE Phase 2 Encryption: AES-GCM-128 (AES-NI present, otherwise AES-128)
-
IKE Phase 2 Data Integrity: SHA-256
-
IKE Phase 2 SA Lifetime (seconds): 3600
-
PFS: Disabled (Use DH Group 19 if PFS is required)
-
Use Aggressive Mode: Disabled
-
Support IP Compression: Disabled
-
VPN Tunnel Sharing (Domain-based VPN): “One VPN tunnel per subnet pair”
-
VPN Tunnel Sharing (Route-based VPN): “One VPN tunnel per Gateway pair”
-
Permanent Tunnels: (Check Point Firewalls Only) “On all tunnels in the community”
-
Permanent Tunnels in DPD Mode: Enabled for third-party peers, see sk108600: VPN Site-to-Site with 3rd party
| User | Count |
|---|---|
| 41 | |
| 21 | |
| 9 | |
| 7 | |
| 7 | |
| 5 | |
| 5 | |
| 5 | |
| 4 | |
| 4 |
Wed 26 Nov 2025 @ 12:00 PM (COT)
Panama City: Risk Management a la Parrilla: ERM, TEM & Meat LunchWed 03 Dec 2025 @ 10:00 AM (COT)
Última Sesión del Año – CheckMates LATAM: ERM & TEM con ExpertosThu 04 Dec 2025 @ 12:30 PM (SGT)
End-of-Year Event: Securing AI Transformation in a Hyperconnected World - APACThu 04 Dec 2025 @ 03:00 PM (CET)
End-of-Year Event: Securing AI Transformation in a Hyperconnected World - EMEAThu 04 Dec 2025 @ 02:00 PM (EST)
End-of-Year Event: Securing AI Transformation in a Hyperconnected World - AmericasWed 03 Dec 2025 @ 10:00 AM (COT)
Última Sesión del Año – CheckMates LATAM: ERM & TEM con ExpertosThu 04 Dec 2025 @ 12:30 PM (SGT)
End-of-Year Event: Securing AI Transformation in a Hyperconnected World - APACThu 04 Dec 2025 @ 03:00 PM (CET)
End-of-Year Event: Securing AI Transformation in a Hyperconnected World - EMEAThu 04 Dec 2025 @ 02:00 PM (EST)
End-of-Year Event: Securing AI Transformation in a Hyperconnected World - AmericasWed 26 Nov 2025 @ 12:00 PM (COT)
Panama City: Risk Management a la Parrilla: ERM, TEM & Meat Lunch