Jennifer_Wilson
Contributor

Anyone seeing any R81.20 performance improvements upgrading from R81.10?

Anyone seeing any performance improvements upgrading from R81.10 to R81.20?

Especially for Gateways that are quite heavily loaded, and especially if not using HTTPS/TLS Inspection?

Getting a feel if it is worth doing at the moment.

Regards,

Jen.

0 Kudos
23 Replies
PhoneBoy
Admin

If you do VPN traffic (site-to-site and/or remote access), performance there should be improved.

Jennifer_Wilson
Contributor

Cheers Phoneboy, but we don't do VPN or remote access on the Gateways.

0 Kudos
the_rock
Legend

I would say overall, you would see improvements, no matter if you use HTTPS inspection.

Andy

0 Kudos
the_rock
Legend

Here are things I found better from all my testing:

- HTTPS inspection
- VPN S2S / remote access
- updatable objects / geo policy
- memory / CPU handling
- policy install times

Andy

0 Kudos
caw001
Employee

If you have a gateway that processes a lot of heavy connections and elephant flow traffic, Hyperflow was introduced in R81.20 to process that traffic more efficiently:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...

https://support.checkpoint.com/results/sk/sk178070 

https://www.youtube.com/watch?v=JdWbY5IQL9E 

0 Kudos
Jennifer_Wilson
Contributor

Does this work if you don't have any free cores though?
E.g. a heavily loaded gateway running at 60-70% on all cores, would any cores be available to split up the processing of an elephant flow under these conditions?

0 Kudos
Henrik_Noerr1
Advisor

We have seen zero change in cpu or memory in any of our some 20 clusters.

Most are open servers, running VSX with 2-50 VS on and only IPS blade is enabled.

Throughput ranging from 0-25gbit

 

/Henrik

the_rock
Legend

I highly doubt you would see any difference in such a scenario even if you upgrade. Just my personal opinion.

Andy

0 Kudos
Jennifer_Wilson
Contributor

Cheers all, had the feeling that was the case.
Will probably leave off for now then.
Regards,
Jen.

0 Kudos
the_rock
Legend

If I were you, I would still upgrade, because R81.20 is 100% better version.

Andy

0 Kudos
Bob_Zimmerman
Authority

Keep in mind, R81.10 is only supported for another ~14.5 months. R81.20 gets another 16 months on top of that. If it takes longer than 3-4 months to upgrade your environment, it may be a good idea to start now to ensure you don't run out of runway.

the_rock
Legend

I 100% agree with that statement.

Andy

0 Kudos
Henrik_Noerr1
Advisor

I would agree with you - and depending on the scope of the install base, I would start planning right away to r81.20. We do however see that support dates were extended with r80.40 and r81.10. I would be very surprised if we will not see the same extension with r81.20.

As I see it - when a major is released to GA it takes another half year to get the recommended flag. After this date, any serious enterprise would still wait 3-6 jumbo hotfixes until it gets pushed to production - pushing a serious r82 date well into 2025-2026

/Henrik

0 Kudos
the_rock
Legend

Totally valid points.

0 Kudos
Bob_Zimmerman
Authority

I'm firewall team lead at a Fortune 500. We've had a lot of problems in the past with upgrades getting delayed and delayed and delayed until we're years past the end-of-support date for a particular version, but still running it in production. I've pushed us to get extremely aggressive about deploying new versions. We plan to upgrade some of our environment to R82 as soon as it becomes available (even before it's recommended) specifically because it can take so long to get everything upgraded. We need to have systems running it which we can point to later and say "See, we've been running it here for months and it's fine."

We're about 60% upgraded to R81.20 today, but the tail is extremely long.

Henrik_Noerr1
Advisor

Hey Bob,

I am in the exact same position, maybe at a smaller scale with some 500 Virtual Systems which translates to Denmark top 1-3... Ensuring software compliance is tough - but I agree, we are as well jumping on the bandwagon on the less critical systems to r82 - simply so we can follow up on issues and prepare for any issues.

We simply need to progress or stay behind.

 

0 Kudos
the_rock
Legend

I think it's definitely the mentality of most people managing other major fw vendors, sometimes, not so easy to keep up : - (

0 Kudos
AmitShmuel
Employee

HyperFlow prioritizes total throughput over a single connection; it will only trigger if the overall system utilization is under 60%.

the_rock
Legend

That's good to know, was not aware of the 60% statement.

Andy

0 Kudos
the_rock
Legend

That also leads me to somewhat, apologies if it may sound like a silly question, but how do you exactly determine overall system utilization? I never heard of a command to check that, unless there is something in cpview I'm not aware of...

Best,

Andy

0 Kudos
AmitShmuel
Employee

Dynamic Balancing controls when HyperFlow is triggered; it already has the averages of FW/SND cores.

Similarly to Dynamic Balancing, CPView also queries each core's utilization, and shows the averages of FW/SND cores in the CPU tab.

the_rock
Legend

Gotcha. I was more thinking of more cpu/memory/system load average.

Andy

0 Kudos
the_rock
Legend

I wanted to suggest something one customer told me a while back. To me personally, this makes sense, but then again, it may not apply in every situation. He told me that what they always do when it comes to upgrades is always do less important firewalls first, so they can get a feel for the version and if all good, move on to more important ones.

Something to think about...

Have a great weekend!

Andy

0 Kudos
