Hello Checkmates,
This is my first time creating a post here. 🙂 Also, I'm fairly new to Check Point firewalls. I'm seeing what I consider slow VPN tunnel speed/throughput between sites. All tests I ran (with OpenSpeedTestServer) yield pretty much the same speeds (around 150 to 175 Mbps download and upload). All sites have 1Gbps Internet speeds (except 2 of them at 500Mbps and 200Mbps, but I don't bother testing those). There are 6 x Quantum Spark 1600s and 2 x 1535 series (the 1535s are connected to the slower ISPs). An Azure VNet is part of the site-to-site as well. I have most of the blades enabled on these firewalls (App Control, Identity, URL Filtering, IPS, Anti-Bot & Anti-Virus). All these are managed by an on-premises management server, and the main site has a cluster of 2 x 1600s where the VPN tunnels run from.
These are all up to date, running R81.10.x versions.
My question is: is this the expected performance (around 150 to 175 Mbps download and upload) from these firewalls in a site-to-site setup?
I come from Cisco ASA 5500-X, and they were able to reach near the speeds of the 1Gbps Internet connections via a site-to-site connection.
Any guidance is welcome and appreciated. Thank you in advance.
First off, WELCOME :). Secondly, totally valid points. I would refer you to below sk, as it would certainly explain the behaviour.
Andy
https://support.checkpoint.com/results/sk/sk73980
Which encryption algorithms are used?
Is MSS clamping configured?
How is the test being run, are multiple concurrent connections used rather than a single flow?
Hi Chris,
Thank you for the quick response.
1. See attached screenshot of the VPN community with all encryption settings used (not sure which is which). I tried to embed the image, but got a message saying invalid HTML was found in the message body.
2. I have no clue what MSS clamping is. 🙂 Can you tell me what this is and how to do it?
3. I downloaded OpenSpeedTestServer (a web server that I put on a VM that has a 25Gbps NIC on it) and then opened the URL of that web server from the other side of the VPN tunnel in another site. In this case HQ is hosting the VPN server (with a 1Gbps link) and the other site is the datacenter with 1Gbps on a physical server, tested in the web browser. Not sure if this is using multiple or a single flow. How can I find out?
Thank you!
Thank you! 🙂 I'm seeing the encryption types might be the issue for me. Looking at the link you provided and the encryption combination I see in my config (screenshot attached), it seems I have the worst combination for speed. 🙂 Is my conclusion correct?
Also, if I choose to change it, will this interrupt the VPN tunnels? Thanks for your guidance, much appreciated.
Technically, it might interrupt the tunnel for a few minutes, since it needs a policy push, and resetting the tunnel would probably not be a bad idea.
Other than that, I would not anticipate any issues.
Andy
Here is one IMPORTANT thing to remember...so, faster algorithms will NOT be as secure as slower ones, so please keep that in mind. We all know how important IT security is 🙂
Andy
Thank you! Yes, I'm willing to take a bit more risk since we only deal with file/print and nothing includes PII data of any sort.
So, question: based on my screenshot (attached),
if I change Phase 1 data integrity from SHA256 to SHA1 (or MD5) and the Diffie-Hellman group from Group 14 to Group 2 (1024-bit),
and
in Phase 2, change data integrity from SHA256 to SHA1 (or MD5) and Group 14 to Group 2 (1024-bit),
will that work properly and still be secure to some extent?
Thanks.
It would be LESS secure, but in your case, I would give it a go.
Andy
Thank you, I will give that a go during off hours just in case. I'm using SmartConsole to do all this. Just to make sure I'm doing this right: make changes to encryption as noted above, push policy to all firewalls, then test tunnels and test speeds as before? That sounds about right? 🙂
You got it.
I was thinking you should do policy verification, but there is no need, since you would not be changing the policy itself; just install.
Andy
As an addition:
- Enabled TP blades make traffic slower.
- Try to open more than one connection at the same time for testing, as single connections will not get the full speed (so there will be resources left for other connections).
Thanks, I'm not familiar with how to do this on Check Point. Can you provide guidance on how to do this, please? Thank you.
Best practice is to set up a VPN datasheet with most compatible settings at first (example).
Once this is working you can start fine tuning your VPN parameters to more secure values.
Speed tests based on a single file transfer will not show you the full picture, just give you an indication. Try multiple file transfers at the same time in both directions instead.
Thank you! I will try multiple file transfers simultaneously and test. I believe OpenSpeedTestServer does use multiple connections to perform the speed test.
- Make a server accessible on one site (HTTP, FTP...).
- Use e.g. a browser on the site on the other side of the tunnel to open upload or download connections.
- First try one connection and note the throughput (time and size of the transferred file), then more at the same time.
- Compare the possible throughputs according to the number of connections.
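The procedure above (and the earlier advice to test with several concurrent connections rather than a single flow) can be scripted so the single-connection versus multi-connection comparison is repeatable. The following is an added example, not code from the thread or from Check Point: it starts a throwaway local HTTP server serving a constructed test file, downloads it over 1, 2, 4 and 8 concurrent connections, and reports aggregate and per-connection throughput from the transferred size and elapsed time. The function and constant names (PAYLOAD, start_server, measure_throughput, run_test) are assumptions; in a real test you would point the URL at a web server on the far side of the tunnel instead of the local stand-in.

```python
"""Compare single-flow vs. multi-flow download throughput against an HTTP server.

Added example for the thread's test procedure. The local server below is a
stand-in for the web server that would sit on the other side of the VPN tunnel.
"""
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed 1 MiB test file; a real test would use something much larger.
PAYLOAD = b"\x00" * (1024 * 1024)


class _PayloadHandler(BaseHTTPRequestHandler):
    """Serve the constructed payload for any GET request."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, fmt, *args):  # keep the console quiet during the test
        pass


def start_server():
    """Start the local stand-in server on an ephemeral port; return the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _PayloadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _download(url):
    """Fetch the whole response body and return the number of bytes received."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return len(resp.read())


def measure_throughput(url, connections):
    """Download `url` over `connections` parallel streams.

    Returns a dict with total bytes, elapsed seconds, aggregate Mbit/s and
    Mbit/s per connection, i.e. the "time and size of transferred file"
    measurement from the thread, done for N connections at once.
    """
    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=connections) as pool:
        sizes = list(pool.map(_download, [url] * connections))
    elapsed = time.perf_counter() - start
    total = sum(sizes)
    mbps = total * 8 / elapsed / 1e6
    return {
        "connections": connections,
        "bytes": total,
        "seconds": elapsed,
        "mbps": mbps,
        "mbps_per_conn": mbps / connections,
    }


def run_test(url, counts=(1, 2, 4, 8)):
    """Run the measurement for each connection count and return the results."""
    return [measure_throughput(url, n) for n in counts]


if __name__ == "__main__":
    server = start_server()
    test_url = f"http://127.0.0.1:{server.server_address[1]}/test.bin"
    for r in run_test(test_url):
        print(f"{r['connections']:2d} conn: {r['mbps']:8.1f} Mbit/s total, "
              f"{r['mbps_per_conn']:8.1f} Mbit/s per connection")
    server.shutdown()
```

If the aggregate figure keeps rising as the connection count grows while the per-connection figure stays flat, the limit is per-flow (as the thread describes) rather than the total capacity of the link or gateway; if the aggregate flattens out, that plateau is closer to the real tunnel capacity.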
Thank you all for the guidance and advice! I want to post an update and results on the changes I have made.
I updated the encryption in the VPN community to AES-128, MD5 and 1024-bit (again, it's a Mesh setup). I also disabled the TP blades.
I'm happy to report an increase of about 100Mbps for the site-to-sites after this change (it went from about 150Mbps to 250+ Mbps down/up). I performed this test with a web server and also by copying multiple ISO files (about 5GB in size) on the same server from one site to another (I also did a single file copy, and the results are the same speed as when using multiple files). This is true with TP blades on or off. So that's great to see.
What is the realistic expected throughput between these Spark 1600s firewalls for VPN tunnels?
Now, is there anything else I can do improve the connection speed?
Does having a Mesh vs. hub-and-spoke setup affect speeds?
These tunnels are set as Permanent as well; does that affect speed? (screenshot)
I'm very thankful for all your support.
Mesh vs. Star topology will not affect speed. Permanent Tunnels send heartbeats through the tunnel, but this is a minuscule amount of data and should have no tangible impact on overall performance.
Normally, I would recommend using a Galois Counter Mode (GCM) AES variant for the IKE Phase 2/IPSec encryption algorithm; GCM combines the encryption and hashing functions into a single, more efficient operation that can be accelerated by the Intel AES-NI processor extension. However, the 1600 uses an ARM processor, which I'm assuming does not support AES-NI or whatever the ARM equivalent is.
Give AES-128-GCM for IKE Phase2/IPSec a try and retest performance, my guess is it will be slower due to the non-Intel processor, but I could be wrong. Other than that, I think you've got about all the speed you are going to get.
Thanks Timothy! I appreciate your input. I will give that a try, and yes, I expect the performance to be less. If this is the best the 1600s can do, then my search is over.
Thanks. 🙂
Thank you @Timothy_Hall, I tried this, but it only got a bit slower. 🙂 Using AES-128, MD5 and Group 2 (1024-bit) seems to yield the best performance in my case. 🙂
Thanks for the followup, that was what I expected.
Hi @rdiaz,
Can you try the following settings and check if it improves the throughput?
1. In SmartConsole, under the community configuration -> Tunnel Management, set separate VPN tunnel per each pair of hosts
2. On the 1600 external interface (the one that receives the encrypted traffic), run: ethtool -N <interface name> rx-flow-hash esp4 sdfn
3. Copy multiple files from separate servers
Thanks.
Thank you Sigal,
1. I will give that a try. Will this take the VPN tunnel down momentarily?
2. What does this command do? Would I do this on all 1600s? (I have about 6 of them in the tunnel).
3. Ok, will do.
Thank you very much for the suggestions.
1. It is probably best to delete the VPN tunnels after making this change and install the policy. This can be achieved using the command: vpn tu del all
2. This command distributes the traffic to CPU cores based on the SPI field. I do not suggest applying it to all gateways before we establish that it actually makes a difference
Thanks Sigal,
1. What does this command actually do? Will this delete the VPN tunnel community? Will I need to re-create the VPN tunnels after that?
1. It will delete existing VPN tunnels, but those should be automatically recreated when traffic that should be encrypted reaches the gateway
Cool, I'll try that @sigal. Thanks.
Hey @rdiaz
Just curious, did you ever end up opening TAC case for this, just to see if they have any other suggestions?
Andy
I have not done that; I was hoping it was a quick answer/easy fix. But I will open one up after trying some of the new suggestions. 🙂
Thanks.