Itzel_Gtz26
Participant

HTTPS Inspection Performance

I'm thinking of enabling HTTPS Inspection, but I want to know:

* How it affects the performance of my devices
* Is an extra blade necessary?
* Can the certificate generated by the device be generated without any problem?

0 Kudos
11 Replies
Chris_Atkinson
Employee

HTTPS inspection will have a performance impact relative to the traffic mix seen in the environment. To help offset this, R81.20 provides the best HTTPS inspection performance relative to other versions.

Typically you would import a certificate from your organisation's CA and this should be trusted by clients in favour of using one generated from the Management itself.

Most other blades depend on HTTPS inspection for better visibility / enforcement of encrypted traffic.

 

CCSM R77/R80/ELITE
0 Kudos
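The certificate point above is worth making concrete: if the inspection CA is a subordinate CA issued by the organisation's existing root, every client that already trusts that root accepts the certificates the gateway mints, and no second trust anchor has to be pushed out. The script below is an added example written for this thread; it is not code from the thread, from Check Point, or from the gateway's own import procedure (which the thread does not cover). It assumes an OpenSSL 1.1.1 or 3.x `openssl` binary on the path, and every subject, file name and validity period in it is constructed for the demo. It builds a stand-in org root, issues a constrained inspection sub-CA from it, and then checks the chain the way a client holding only the org root would.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point: build an
# organisation root CA and a subordinate CA for HTTPS inspection signed by
# it, then check the chain the way a client that trusts only the org root
# would. All subjects, file names and validity periods are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config so the example does not depend on a system openssl.cnf.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ca
prompt = no

[dn]
O = Example Corp
CN = Example Corp Root CA

[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[inspection_ca]
# pathlen:0 lets the gateway issue leaf certificates only, never further CAs.
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Stand-in for the organisation's existing root CA (already trusted by clients).
make_org_root() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/openssl.cnf" \
        -keyout "$WORK/org-root.key" -out "$WORK/org-root.pem"
}

# Key pair and CSR for the inspection CA, signed by the org root. The resulting
# key and certificate are what would be handed to the gateway.
make_inspection_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/openssl.cnf" \
        -subj "/O=Example Corp/CN=Example Corp HTTPS Inspection CA" \
        -keyout "$WORK/inspection-ca.key" -out "$WORK/inspection-ca.csr"
    openssl x509 -req -sha256 -days 1825 \
        -in "$WORK/inspection-ca.csr" \
        -CA "$WORK/org-root.pem" -CAkey "$WORK/org-root.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions inspection_ca \
        -out "$WORK/inspection-ca.pem"
}

# Exit 0 only if a client holding just the org root would accept the inspection CA.
verify_inspection_ca() {
    openssl verify -CAfile "$WORK/org-root.pem" "$WORK/inspection-ca.pem"
}

# Exit 0 only if the inspection CA is constrained to issuing end-entity certs.
is_constrained_ca() {
    openssl x509 -in "$WORK/inspection-ca.pem" -noout -text \
        | grep -q 'CA:TRUE, pathlen:0'
}

demo() {
    write_config
    make_org_root
    make_inspection_ca
    verify_inspection_ca
    is_constrained_ca && echo "inspection CA is a constrained sub-CA"
}

demo
```

The `pathlen:0` constraint is the detail to insist on when asking the PKI team for the certificate: an inspection CA only ever needs to mint leaf certificates for the sites it intercepts, so a key that can also issue further CAs is more privilege than the gateway should hold.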
genisis__
Leader

Chris,

What are the performance ratings for each device? This is not published in the device spec sheets and really should be.

0 Kudos
Chris_Atkinson
Employee

I believe we are planning to update datasheets with the metrics based on R81.20 in future.

If you need specific data prior you can engage Solution Centre via your local CP office / SE.

CCSM R77/R80/ELITE
0 Kudos
genisis__
Leader

Thanks Chris.  

0 Kudos
Itzel_Gtz26
Participant

So in R81.10 there is no way to know how it affects performance?

0 Kudos
genisis__
Leader

Oh there is, but Check Point does not publish this. In my opinion, if you look at the current appliances, there is no hardware offload for SSL encryption/decryption, so you know that if an appliance is rated at 4GB throughput with NGTP there are a few assumptions you would potentially need to make:

- The figures quoted are not with TLS inspection on; therefore what is inspected in NGTP is greatly reduced.
- If TLS inspection was turned on, and depending on how your policy is configured (a big variable), take that 4GB and you may as well assume the throughput figure is more like 500MB (again an assumption).

In most cases I suspect that Check Point would not recommend anything less than a 6600 when TLS inspection is required, and at that cost point this becomes a totally impractical solution for branch offices, which is why a lot of companies that are not cash rich are moving away from Check Point to vendors that tick all the boxes at a better price point.

What I'm hoping, and again I have said this to Check Point, is that their hardware needs a radical update and all figures, by default, should be published with TLS inspection turned on, and we need a clear understanding of the testing carried out, i.e. what the TLS policy is actually inspecting.

Palo and Fortinet both have hardware offload for TLS inspection (dependent on model and use case).

0 Kudos
Chris_Atkinson
Employee

Are you looking for an arbitrary % overhead figure and to what end?

Yes, there is a performance penalty with multiple inputs/variables that your local SE can help to quantify specific to your environment & requirements. Please work with them to better understand your scenario & sizing accordingly.

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Champion

Can I get a clarification on what specific portion of the HTTPS Inspection feature had its performance improved in R81.20? Specifically, was it:

1) Bulk encryption/decryption speed & efficiency - kind of unlikely there is much to be gained here that hasn't already been

2) HTTPS negotiation, key creation & signing (wstlsd/pkxld), example: PRJ-35986, PMTR-69155; SSL Inspection; UPDATE: Major performance improvement in HTTPS Inspection of TLS 1.3 - more likely

3) Active streaming allowing TCP window to increase to far higher values UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6 or a fix for fragmentation occurring when client MSS and server MSS differ under active streaming - most likely but not directly a performance improvement in the HTTPS Inspection feature itself

Thanks!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Chris_Atkinson
Employee

Hey @Timothy_Hall I'll attempt to source some feedback for you and revert

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Champion

Thanks Chris. Obviously the follow-up question would be: are these performance enhancement features unique to R81.20, or can/will they be back-ported into earlier releases via Jumbo HFA?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Chris_Atkinson
Employee

Enhancements were made throughout the chain from handshake through to blade handover in order to realize the improvement.

I don't have visibility of specifics or portability aspects at this time; those are areas for R&D.

 

CCSM R77/R80/ELITE
