I have, and the speed still doesn't exceed 100Mbps.

Hello,

Q: Which version are you running? 

A: R77.30.

Q: Which blades are you running?

A: 

Q: Please post output of fwaccel stats -s (or stat, don't remember right now)

A:

Q: From expert (#) run ifconfig -a . Do you see errors on the interfaces? 

A: I only see 22 errors on the trunked interface...

Q: Did you tried to connect your host directly to the firewall to perform the speed test?

A: No.

Regards.

Q: Which version are you running? 

A: R77.30.

--> having support for eleven more days, so what about the future ?

Hello!

Super Seven output:

fwaccel stat

fwaccel stats -s

grep -c ^processor /proc/cpuinfo

fw ctl affinity -l -r

netstat -ni

fw ctl multik stat

cpstat os -f multi_cpu -o 1

Cheers.

You are getting frame loss (RX-DRP) rates of between 0.3% and 1.6% on your interfaces due to buffering misses which is probably the main thing slowing you down.  This is almost certainly due to high CPU load on your 2 cores, given the large number blades you have enabled on an old 2-core box like that 4200, 100Mbps top throughput doesn't seem that unreasonable to me.  Currently you have a 2/2 CoreXL split on your box, in some cases disabling CoreXL and going to a 1/1 split helps on a 2-core box but given your high PXL% I don't think doing that will help in this case.

The 4200 only has 4GB of RAM which may not be enough for all you are trying to do.  Please provide output of the free -m command to see if a memory upgrade will help.

You can probably pick up some more speed by tuning your policies, the two major areas in your case are Threat Prevention and APCL/URLF. In order to figure out where to focus your efforts, try this and report back what you see:

1) Run Internet speed test and note throughput

2) On the gateway from expert mode run commands ips off and fw amw unload

3) Wait 60 seconds

4) From a completely new browser instance run an Internet speed test and note throughput.  If throughput has substantially increased you need to tune your IPS & Threat Prevention configuration.

5) Run commands ips on and fw amw fetch local

6) Wait 60 seconds

7) From a completely new browser instance run an Internet speed test and note throughput. (should be about the same as #1)

😎 On gateway object in SmartConsole, uncheck the APCL and URLF blades and reinstall policy to the gateway.

9) Wait 60 seconds

9) From a completely new browser instance run an Internet speed test and note throughput. If throughput has substantially increased you need to tune your APCL/URLF policy, typically this will involve removing the "Any Any Any Accept" rule at the bottom of your APCL/URLF policy (which is not necessary except for logging purposes), and making sure you are using object "Internet" in the Destination column of all APCL/URLF rules and NOT "Any".

10) Recheck the APCL and URLF checkboxes and reinstall policy to the gateway.

11) From a completely new browser instance run an Internet speed test and note throughput. (should be about the same as #1)

Let us know what you find out.

Thanks for the input!

I’ve done the steps you suggested, and I found this:

free -m command:

Throughput tests (peaks - CPview):

Without any changes: 74 Mbps

ips off & fw amw unload: 234 Mbps

Reverted (ips on & fw amw fetch local) 93 Mbps

APCL & URLF blades disabled: 115 Mbps

Reverted (APCL & URLF enabled) 95 Mbps

So it seems like the IPS & Threat Prevention needs tuning. Do you have any suggestions for that?

I will do your suggested tuning for APCL/URLF also.

Looks like your box is not hitting swap at all which is good, no memory upgrade needed.

We'll need to do a few more tests to determine whether it is IPS specifically (more likely) or the rest of Threat Prevention (less likely) that is causing the bulk of the slowdown:

1) Run Internet speed test and note throughput

2) On the gateway from expert mode run commands ips off

3) Wait 60 seconds

4) From a completely new browser instance run an Internet speed test and note throughput.  If throughput has substantially increased you need to tune your IPS configuration.

5) Run command ips on

6) Run command fw amw unload

7) Wait 60 seconds

😎 From a completely new browser instance run an Internet speed test and note throughput.  If throughput has substantially increased you need to tune your TP (AV/ABOT) configuration.

9) Run command fw amw fetch local

You may well see a performance improvement at both steps #4 & #8, I'd suggest focusing on where you get the biggest increase for tuning.  If turning off IPS provides most of the gain, determine which IPS profile is in use by your 4200 gateway and open it for editing.  Sort the IPS protections by the "Performance Impact" rating and disable all IPS Protections with a "Critical" or "High" rating.  That should help a lot.

If turning off Threat Prevention (amw) provided most of the gain, my guess is that Anti-virus is causing most of the overhead as Anti-bot tends to be pretty low impact.  I'll need to see the AV & ABOT settings in the relevant TP profile applied to your gateway to make specific recommendations.