biskit
Advisor

Slow data transfers

Does anyone know a way to determine where a bottleneck is with data transfer speeds?

In my particular scenario I have a 6400 appliance on one site, and a Spark 1570 (locally managed) on the other site.  Both sites have 1Gb ISP circuits.  There's a VPN between the gateways which is used for one machine at each side to communicate.  (Veeam backup replication from site 1 to site 2).  Both firewalls are capable of far exceeding the limiting 1Gbps ISP speed.

We started off getting around 200mb transfer rate.

After excluding this traffic from all threat blades on the 6400, and adding the IPs to fw ctl fast_accel, and disabling the threat blades on the Spark, we're now up to around 450mb transfer speeds.  Still a far cry from what we'd expect.  How can I determine what's slowing it down?

0 Kudos
12 Replies
_Val_
Admin

First and foremost, you need to see which side is causing a bottleneck. 

0 Kudos

Which encryption algorithms are involved and are the transfers multi-threaded?

0 Kudos
biskit
Advisor

At the moment we're using AES256/SHA256 for both phases.

I have no idea whether the transfers are multi-threaded.  How would I tell? 🙄

0 Kudos

i.e. Can you configure Veeam to initiate multiple concurrent connections rather than a single one?

0 Kudos
biskit
Advisor

Ah, I'll ask the Veeam team.  I don't have access to any of the Veeam kit.

0 Kudos
Timothy_Hall
Champion

On the 1570, run the command top and hit 1 to display individual CPU usage.  Now start the 450Mbps transfer: does one of the CPUs on the 1570 hit 100% while the other one(s) are relatively idle?  If so, the transfer is not multithreaded.  It is likely that the 1570 is your bottleneck.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
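The per-CPU check described in the reply above can also be scripted from two `/proc/stat` snapshots. This is an added example, not part of the thread or any Check Point tooling; the function names, the 90%/50% thresholds and the sample counters are assumptions, and it presumes the appliance's shell exposes `/proc/stat` and `awk`.

```shell
#!/bin/sh
# Live use: cat /proc/stat > a; sleep 5; cat /proc/stat > b; flow_verdict a b

cpu_busy() {  # usage: cpu_busy SNAP1 SNAP2 -> one "cpuN busy%" line per core
    awk '
        /^cpu[0-9]+ / {
            total = 0
            for (i = 2; i <= NF && i <= 9; i++) total += $i  # user..steal
            idle = $5 + $6                                   # idle + iowait
            if (FNR == NR) { t0[$1] = total; i0[$1] = idle; next }
            dt = total - t0[$1]; di = idle - i0[$1]
            # softirq time (packet forwarding) counts as busy here
            printf "%s %d\n", $1, (dt > 0 ? 100 * (dt - di) / dt : 0)
        }' "$1" "$2"
}

flow_verdict() {  # usage: flow_verdict SNAP1 SNAP2
    # hot/cool are assumed thresholds: one core >= 90% while the rest stay < 50%
    cpu_busy "$1" "$2" | awk -v hot=90 -v cool=50 '
        { n++; if ($2 >= hot) { hotn++; name = $1 } else if ($2 >= cool) warm++ }
        END {
            if (n > 1 && hotn == 1 && warm == 0) print "single-core-bound: " name
            else if (n > 0 && hotn == n) print "all-cores-saturated"
            else print "no-single-core-bottleneck"
        }'
}

sample_verdict() {  # constructed 4-core counters, 5 s apart; not real gateway data
    d=$(mktemp -d)
    cat > "$d/a" <<'EOF'
cpu  400 0 400 4000 0 0 200 0
cpu0 100 0 100 1000 0 0 50 0
cpu1 100 0 100 1000 0 0 50 0
cpu2 100 0 100 1000 0 0 50 0
cpu3 100 0 100 1000 0 0 50 0
EOF
    cat > "$d/b" <<'EOF'
cpu  418 0 427 5410 0 0 745 0
cpu0 110 0 110 1005 0 0 525 0
cpu1 105 0 110 1450 0 0 85 0
cpu2 102 0 103 1480 0 0 65 0
cpu3 101 0 104 1475 0 0 70 0
EOF
    flow_verdict "$d/a" "$d/b"; rm -rf "$d"
}
```

A "single-core-bound" result during the transfer matches the single-connection case discussed in the thread; spreading the job over several concurrent connections is what lets the other cores share the load.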
biskit
Advisor

Thanks, I'll test that when the Veeam guys reply to me.  Am I right in assuming that Spark appliances don't offer the same "fast_accel" options as the enterprise appliances?  So if it is maxing out a CPU on the Spark, it's pretty much tough luck?

0 Kudos

Something similar has recently been introduced with the R81.10.x version so expect to hear more about it once the centrally managed version is GA.

====

Smart Accel – (EA level)

Improves gateway performance by accelerating low-risk traffic sources:

Video streaming (Netflix, YouTube, Spotify)

Well known corporate services (Microsoft, Google, Apple, Check Point Services)

Social Media services (Facebook, TikTok)

Web Conferences (Skype, WebEx, Zoom)

0 Kudos
biskit
Advisor

Great, thanks.  This box is locally managed so I'll suggest to the customer giving R81.10 a try on this box.

0 Kudos
Alex-
Advisor

In any case, the 1500 supports only MD5 or SHA1 hardware acceleration for integrity checks, regardless of the OS version.

You could try to change the hash to see if it makes a difference.

Supported Hardware Acceleration (checkpoint.com)

0 Kudos
PhoneBoy
Admin

fw ctl fast_accel does appear to be a functional command on the R81.10.xx code on SMBs.
It might give you more headroom, but I suspect the real issue is this is an elephant flow.

0 Kudos

Yup. Hence the Veeam multi-thread suggestion above 🙂

0 Kudos