Create a Post
Showing results for 
Search instead for 
Did you mean: 

What is the best approach to troubleshoot "slow connections"?

Hello fellow Check Point admins,

to keep it short - how do you troubleshoot slow connections?

Every now and then I receive requests from users/sys admins who complain that their backup jobs or all different kinds of traffic appears to be really slow once they have to pass a firewall in our environment. In most cases I am pretty sure that this is not the case, at least not related to the firewall. But as we all know - it always has to be the firewalls fault. Smiley Happy

So that leads to the before mentioned questions. Currently I do several things to verify if I have some issues on the fw side, like:

- checking the related interfaces and error counters

- enable accounting in the logging of a related rule to see the transmitted data size

- check for possible TCP out of state logs, which could be related to timeouts and therefore throttle the connection due to reconnect attempts

But to be honest, I am pretty sure that there are other, better, approaches to determine if the firewall is the cause of slow downs or not. So please, tell me about your recommendations. Smiley Happy



3 Replies

This document here: sk98348: Best Practices - Security Gateway Performance !


Hello Günther,

Thanks for your reply. I am familiar with this document but I do not think that it is helping me in this case.

Maybe my description of the initial question was kinda bad worded.

I have users who have to run their backup service [TSM backup] via a firewall after a specific network migration. Now they complain that the backup takes 16 minutes instead of 4 minutes as before. A report of the backup from before shows a throughput of about 160MB/s while the current status only shows only about 50 MB/s. The related security gateway is a 64k appliance which has no trouble regarding the actual CPU and interface load. I'm basically struggeling to find a way to prove that the firewall is not the cause - or if it should be, to change that.

There are ways to caluclate the throughput based on the window size and round trip time - but is here any way to show the actual throughput of a specific session / between two hosts?

Maybe has an idea? Smiley Happy



Legend Legend

A good start is always running the "Super Seven" on the firewall to check its overall health and state as described here:

TechTalk: Security Gateway Performance Optimization with Tim Hall 

These commands should more or less work on a 64k but that box is not one of my major areas of expertise.

Beyond that, one of the first things you should try to determine is whether the bad performance is caused by excessive latency (and possibly its evil sidekick jitter), flat-out packet loss, or maybe even both.  Packet loss can generally be found and fixed, but latency issues are a bit tougher to figure out.  Usually taking a packet capture of the problematic traffic then pulling it  into Wireshark is helpful; look for TCP zero window events and long inter-packet delays.  At a basic level you need to figure out is the client primarily waiting around for the server to do something or is it the other way around; the firewall could potentially be the cause of latency as well.  That will at least give you a place to start looking for resource issues such as congestion or overloaded networks/systems. 

90% of troubleshooting is knowing the right place to look, the remaining 10% of figuring out how to fix it isn't nearly as difficult.

Second Edition of my "Max Power" Firewall Book
Now Available at

Gateway Performance Optimization R81.20 Course
now available at


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events