This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
biskit
Advisor
‎2022-10-01 01:49 AM

Slow data transfers

Does anyone know a way to determine where a bottleneck is with data transfer speeds?

In my particular scenario I have a 6400 appliance on one site, and a Spark 1570 (locally managed) on the other site.  Both sites have 1Gb ISP circuits.  There's a VPN between the gateways which is used for one machine at each side to communicate.  (Veeam backup replication from site 1 to site 2).  Both firewalls capable of far exceeding the limiting 1Gbps ISP speed.

We started off getting around 200mb transfer rate.

After excluding this traffic from all threat blades on the 6400, and adding the IP's to fw ctl fast_accel, and disabling the treat blades on the Spark, we're now up to around 450mb transfer speeds.  Still a far cry from what we'd expect.  How can I determine what's slowing it down?

0 Kudos
12 Replies
_Val_
Admin
Admin
‎2022-10-01 03:37 AM

First and foremost, you need to see which side is causing a bottleneck. 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-01 03:56 AM

Which encryption algorithms are involved and are the transfers multi-threaded?

CCSM R77/R80/ELITE
0 Kudos
biskit
Advisor
‎2022-10-01 04:02 AM
In response to Chris_Atkinson

At the moment we're using AES256/SHA256 for both phases.

I have no idea whether the transfers are multi-threaded.  How would I tell? 🙄

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-01 04:05 AM
In response to biskit

i.e. Can you configure Veeam to initiate multiple concurrent connections rather than a single one?

CCSM R77/R80/ELITE
0 Kudos
biskit
Advisor
‎2022-10-01 04:06 AM
In response to Chris_Atkinson

Ah, I'll ask the Veeam team.  I don't have access to any of the Veeam kit.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-10-01 05:47 AM
In response to biskit

On the 1570 run the command top and hit 1 to display individual CPU usage.  Now start the 450Mbps transfer, does one of the CPUs on the 1570 hit 100% while the other one(s) are relatively idle?  If so the transfer is not multithreaded.  It is likely that the 1570 is your bottleneck.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
biskit
Advisor
‎2022-10-01 07:15 AM
In response to Timothy_Hall

Thanks, I'll test that when the Veeam guys reply to me.  Am I right in assuming that Spark appliance don't offer the same "fast_accel" options as the enterprise appliances?  So if it is maxing out a CPU on the Spark, it's pretty much tough luck?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-01 07:42 AM
In response to biskit

Something similar has recently been introduced with the R81.10.x version so expect to hear more about it once the centrally managed version is GA.

====

Smart Accel – (EA level)

 

Improves gateway performance by accelerating low-risk traffic sources:

Video streaming (Netflix, YouTube, Spotify)

Well known corporate services (Microsoft, Google, Apple, Check Point Services)

Social Media services (Facebook, TikTok)

Web Conferences (Skype, WebEx, Zoom)

 

 

CCSM R77/R80/ELITE
0 Kudos
biskit
Advisor
‎2022-10-01 07:45 AM
In response to Chris_Atkinson

Great thanks.  This box is locally managed so I'll suggest to the customer giving R81.10 a try on this box.

0 Kudos
Alex-
Leader Leader
Leader
‎2022-10-02 07:30 AM
In response to biskit

In any case, the 1500 support only MD5 or SHA1 hardware acceleration for integrity checks, regardless of the OS version.

You could try to change the hash to see if it makes a difference.

Supported Hardware Acceleration (checkpoint.com)

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-02 08:11 AM
In response to Chris_Atkinson

fw ctl fast_accel does appear to be a functional command on the R81.10.xx code on SMBs.
It might give you more headroom, but I suspect the real issue is this is an elephant flow.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-02 08:38 AM
In response to PhoneBoy

Yup. Hence the Veeam multi-thread suggestion above 🙂

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top