Slow data transfers

biskit · ‎2022-10-01

Does anyone know a way to determine where a bottleneck is with data transfer speeds?

In my particular scenario I have a 6400 appliance on one site, and a Spark 1570 (locally managed) on the other site. Both sites have 1Gb ISP circuits. There's a VPN between the gateways which is used for one machine at each side to communicate. (Veeam backup replication from site 1 to site 2). Both firewalls capable of far exceeding the limiting 1Gbps ISP speed.

We started off getting around 200mb transfer rate.

After excluding this traffic from all threat blades on the 6400, and adding the IP's to fw ctl fast_accel, and disabling the treat blades on the Spark, we're now up to around 450mb transfer speeds. Still a far cry from what we'd expect. How can I determine what's slowing it down?

_Val_ · ‎2022-10-01

First and foremost, you need to see which side is causing a bottleneck.

Chris_Atkinson · ‎2022-10-01

Which encryption algorithms are involved and are the transfers multi-threaded?

CCSM R77/R80/ELITE

biskit · ‎2022-10-01

At the moment we're using AES256/SHA256 for both phases.

I have no idea whether the transfers are multi-threaded. How would I tell? 🙄

Chris_Atkinson · ‎2022-10-01

i.e. Can you configure Veeam to initiate multiple concurrent connections rather than a single one?

CCSM R77/R80/ELITE

biskit · ‎2022-10-01

Ah, I'll ask the Veeam team. I don't have access to any of the Veeam kit.

Timothy_Hall · ‎2022-10-01

On the 1570 run the command top and hit 1 to display individual CPU usage. Now start the 450Mbps transfer, does one of the CPUs on the 1570 hit 100% while the other one(s) are relatively idle? If so the transfer is not multithreaded. It is likely that the 1570 is your bottleneck.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

biskit · ‎2022-10-01

Thanks, I'll test that when the Veeam guys reply to me. Am I right in assuming that Spark appliance don't offer the same "fast_accel" options as the enterprise appliances? So if it is maxing out a CPU on the Spark, it's pretty much tough luck?

Chris_Atkinson · ‎2022-10-01

Something similar has recently been introduced with the R81.10.x version so expect to hear more about it once the centrally managed version is GA.

====

Smart Accel – (EA level)

Improves gateway performance by accelerating low-risk traffic sources:

Video streaming (Netflix, YouTube, Spotify)

Well known corporate services (Microsoft, Google, Apple, Check Point Services)

Social Media services (Facebook, TikTok)

Web Conferences (Skype, WebEx, Zoom)

CCSM R77/R80/ELITE

biskit · ‎2022-10-01

Great thanks. This box is locally managed so I'll suggest to the customer giving R81.10 a try on this box.

Alex- · ‎2022-10-02

In any case, the 1500 support only MD5 or SHA1 hardware acceleration for integrity checks, regardless of the OS version.

You could try to change the hash to see if it makes a difference.

Supported Hardware Acceleration (checkpoint.com)

PhoneBoy · ‎2022-10-02

fw ctl fast_accel does appear to be a functional command on the R81.10.xx code on SMBs.
It might give you more headroom, but I suspect the real issue is this is an elephant flow.

Chris_Atkinson · ‎2022-10-02

Yup. Hence the Veeam multi-thread suggestion above 🙂

CCSM R77/R80/ELITE

Are you a member of CheckMates?

Slow data transfers