Hi @tniop_kcehc
(nice community name:-)
Tip!
I'd turn on AES-NI in BIOS on Open Server. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput. Check Point supports AES-NI on many appliances, only when running Gaia OS with 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.
AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for:
With the following command you can test and compare all encryption methods. After these results I would always recommend to activate AES-NI and AES is preferred to 3DES because it offers many performance advantages through the hardware acceleration.
Warning notice: If you execute this command you have 100% CPU usage for a long time!
# cpopenssl speed
This makes it possible to compare encryption algorithms. It shows that e.g. AES 256 is more performant than DES. Therefore AES 256 should rather be used for VPN connections than DES or 3DES. This is also well described in the following SK Relative speeds of algorithms for IPsec and SSL.
I had published an article about this that might help you:
R80.x - Performance Tuning Tip - AES-NI
Hi @tniop_kcehc
(nice community name:-)
Tip!
I'd turn on AES-NI in BIOS on Open Server. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput. Check Point supports AES-NI on many appliances, only when running Gaia OS with 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.
AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for:
With the following command you can test and compare all encryption methods. After these results I would always recommend to activate AES-NI and AES is preferred to 3DES because it offers many performance advantages through the hardware acceleration.
Warning notice: If you execute this command you have 100% CPU usage for a long time!
# cpopenssl speed
This makes it possible to compare encryption algorithms. It shows that e.g. AES 256 is more performant than DES. Therefore AES 256 should rather be used for VPN connections than DES or 3DES. This is also well described in the following SK Relative speeds of algorithms for IPsec and SSL.
I had published an article about this that might help you:
R80.x - Performance Tuning Tip - AES-NI
Isn't it better to use a higher encryption standard.
I get this question a lot, so I decided to include my opinion on it in the third edition of my book. My recommended settings from the book are below and are primarily geared to improve performance with a reasonable level of security for most organizations. This is most certainly a matter of opinion and I would be surprised if the following does not generate any debate:
The following sections detail which VPN algorithm settings should be used to provide a reasonable level of IPSec VPN performance without sacrificing security. Please note that these recommendations are made primarily to improve performance, and also provide what I feel is a reasonable level of VPN security for most organizations.
IKE Protocol: V2 (Check Point Firewalls), IKE Protocol V1 for third-party VPNs
IKE Phase 1 Encryption: AES-256
IKE Phase 1 Data Integrity: SHA-256
IKE Phase 1 DH Group: 20 (384-bit ECP)
IKE Phase 1 SA Lifetime (minutes): 720
IKE Phase 2 Encryption: AES-GCM-128 (AES-NI present, otherwise AES-128)
IKE Phase 2 Data Integrity: SHA-256
IKE Phase 2 SA Lifetime (seconds): 3600
PFS: Disabled (Use DH Group 19 if PFS is required)
Use Aggressive Mode: Disabled
Support IP Compression: Disabled
VPN Tunnel Sharing (Domain-based VPN): “One VPN tunnel per subnet pair”
VPN Tunnel Sharing (Route-based VPN): “One VPN tunnel per Gateway pair”
Permanent Tunnels: (Check Point Firewalls Only) “On all tunnels in the community”
Permanent Tunnels in DPD Mode: Enabled for third-party peers, see sk108600: VPN Site-to-Site with 3rd party
| User | Count |
|---|---|
| 8 | |
| 7 | |
| 7 | |
| 6 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 |
Fri 10 Jan 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 32: Infinity External Risk Management (CyberInt)Fri 10 Jan 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 32: Infinity External Risk Management (CyberInt)
.png "Wolfgang"){kind=avatar}
