Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Itzel_Gtz26
Participant

HTTPS Inspection Performance

I'm thinking of enabling HTTPS Inspection, but I want to know:

* How it affects the performance of my devices
* Is an extra blade necessary?
* Can the certificate generated by the device be generated without any problem?

0 Kudos
11 Replies
Chris_Atkinson
Employee Employee
Employee

HTTPS inspection will have a performance impact relative to the traffic mix seen in the environment. To assist offset this R81.20 provides the best HTTPS inspection performance relative to other versions. 

Typically you would import a certificate from your organisation's CA and this should be trusted by clients in favour of using one generated from the Management itself.

Most other blades depend on HTTPS inspection for better visibility / enforcement of encrypted traffic.

 

CCSM R77/R80/ELITE
0 Kudos
genisis__
Leader Leader
Leader

Chris,

What are the performance ratings for each device, this is not published in the device spec sheets and really should be.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

I believe we are planning to update datasheets with the metrics based on R81.20 in future.

If you need specific data prior you can engage Solution Centre via your local CP office / SE.

CCSM R77/R80/ELITE
0 Kudos
genisis__
Leader Leader
Leader

Thanks Chris.  

0 Kudos
Itzel_Gtz26
Participant

So in R81.10 there is no way to know how it affects performance?

0 Kudos
genisis__
Leader Leader
Leader

Oh there is, but Checkpoint does not publish this.  In my option if you look at the current appliances, there is no hardware offload for SSL encryption/decryption, so you know that if an appliance is rated at 4GB throughput with NGTP there are a few assumptions you would potentially need to make:

- The figures quoted are not with TLS inspection on; Therefore what is inspected in NGTP is greatly reduced.
- If TLS inspection was turned on, and depending how your policy is configured (big variable) , take that 4GB and you may as well assume throughput figure is more like 500MB (again an assumption).

In most cases I suspect that Checkpoint would not recommended anything less then a 6600 when TLS inspection is required, and at the cost point this becomes a totally impractical solution for branch offices, which is why allot of companies that are not cash rich are moving away from Checkpoint to vendors that tick all the boxes at a better price point.

What I'm hoping, and again have said this to Checkpoint, that their hardware needs a radical update and all figured, by default should be published with TLS inspection turned on and we need to clear understanding of the testing carried out ie. what is the TLS policy actually inspecting.

Palo and Fortinet both have hardware offload for TLS inspection (Dependent on model and use case). 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Are you looking for an arbitrary % overhead figure and to what end?

Yes there is a performance penalty with multiple inputs/variables that your local SE can help to quantify specific to your environment & requirements. Please work with them to better  understand your scenario & sizing accordingly.

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Legend Legend
Legend

Can I get a clarification on what specific portion of the HTTPS Inspection feature had its performance improved in R81.20, specifically was it:

1) Bulk encryption/decryption speed & efficiency - kind of unlikely there is much to be gained here that hasn't already been

2) HTTPS negotiation, key creation & signing (wstlsd/pkxld), example: PRJ-35986, PMTR-69155; SSL Inspection; UPDATE: Major performance improvement in HTTPS Inspection of TLS 1.3 - more likely

3) Active streaming allowing TCP window to increase to far higher values UPDATE: Check Point Active
Streaming (CPAS) TCP Window scale factor is now increased up to 6 or a fix for fragmentation occurring when client MSS and server MSS differ under active streaming - most likely but not directly a performance improvement in the HTTPS Inspection feature itself

Thanks!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Chris_Atkinson
Employee Employee
Employee

Hey @Timothy_Hall I'll attempt to source some feedback for you and revert

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Legend Legend
Legend

Thanks Chris.  Obviously the follow-up question would be are these performance enhancement features unique to R81.20, or can/will they be back-ported into earlier releases via Jumbo HFA.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Chris_Atkinson
Employee Employee
Employee

Enhancements were made throughout the chain from handshake through to blade handover in order to realize the improvement.

I don't have visibility of specifics or portability aspects at this time, those are areas for R&D. 

 

CCSM R77/R80/ELITE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events