Tiago_Marques
Participant

VPN Tunnels Capacity

Hi Masters,

I'm working on an important opportunity where I'm offering the 730 and 5200 appliances, and the customer is requiring the following IPsec VPN tunnel capacity:

For 730 appliance, more than 20 IPSec Site-to-Site tunnels and more than 20 IPSec Client to Site Tunnels.

For 5200 appliance, more than 2,500 IPSec Site-to-Site tunnels and more than 2,500 IPSec Client to Site Tunnels.

Please, could someone help me by answering whether the above appliances support the customer's requirement?


Sincerely.
Tiago Marques.

5 Replies
Timothy_Hall
Champion

At least for the 2200-23000 series of appliances, there is not really a hard limit on the total number of VPN tunnels beyond the amount of available RAM in the system. In the Optimization section of the firewall object, by default there can be 200 concurrent IKE negotiations (the default increased to 1000 in R80.10) and 10,000 concurrent VPN tunnels. Both of these values can be increased if needed at the expense of more memory utilization. So for the 5200 with 8GB of RAM I'd say it can meet your requirements for number of tunnels, although if there are numerous memory-hungry blades enabled in addition to VPN there may be a shortage of memory. If this is the case, upgrading to 16GB of RAM will help.

Embedded Gaia is in its own world to some degree so I can't comment on the 600-1700 series of appliances.

Beyond just the raw number of tunnels though is how much VPN throughput the firewall can handle, in the past this generally tended to be contained by limited Internet bandwidth but this is becoming less prevalent.  The 5200 does not have AES-NI hardware offload (the 5600 does however, which will increase AES throughput 4-10X), but AES should still be utilized instead of 3DES for overall efficiency. 

Also running R80.10 gateway is strongly recommended for that potential amount of VPN traffic, due to the new multicore IPSec VPN capability which is enabled by default in R80.10 (sk118097).  In R77.30 and earlier (except for a special R77.20 hotfix) all IPSec VPN traffic processing could only take place on one firewall worker core, which is a critical bottleneck if the VPN traffic cannot be accelerated by SecureXL.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
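The reply above makes two separate points: the configured "maximum concurrent tunnels" bounds how many tunnels can exist at once, while the "maximum concurrent IKE negotiations" bounds how many can be (re)negotiating at the same instant. The script below is an added example written for this thread, not Check Point code and not from the poster. It takes the default limits quoted above (200 / 1000 negotiations, 10,000 tunnels) and checks the 5200 requirement from the question against them, including a small rekey-timing simulation to show why a population of 5,000 tunnels that fits comfortably under the tunnel limit can still exhaust the negotiation limit when every peer reconnects at once after an outage. SA lifetime, negotiation duration and jitter values are assumptions chosen for illustration, not Check Point defaults.

```python
"""Sanity-check VPN tunnel and IKE-negotiation capacity for a gateway.

Added example for this thread, not Check Point code. The 'maximum
concurrent IKE negotiations' (200 on R77.x, 1000 on R80.10) and 'maximum
concurrent tunnels' (10,000) values are the defaults quoted in the post
above; every timing figure below is an assumption chosen for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayLimits:
    max_ike_negotiations: int   # "Maximum concurrent IKE negotiations"
    max_tunnels: int            # "Maximum concurrent tunnels"


R77_DEFAULTS = GatewayLimits(max_ike_negotiations=200, max_tunnels=10_000)
R80_10_DEFAULTS = GatewayLimits(max_ike_negotiations=1000, max_tunnels=10_000)


def tunnel_headroom(site_to_site: int, client_to_site: int, limits: GatewayLimits) -> int:
    """Tunnels left under the configured limit (negative means the limit must be raised).
    Site-to-site and client-to-site tunnels count against the same limit."""
    return limits.max_tunnels - (site_to_site + client_to_site)


def peak_concurrent_negotiations(n_tunnels: int, lifetime_s: float, negotiation_s: float,
                                 jitter_s: float, window_s: float, cold_start: bool,
                                 seed: int = 0) -> int:
    """Simulate rekey timing and return the peak number of overlapping IKE negotiations.

    Each tunnel renegotiates once per `lifetime_s`, each negotiation occupies a slot
    for `negotiation_s`, and start times are smeared by +/- `jitter_s` (all assumed
    values).  In steady state the tunnels' rekey phases are spread uniformly over one
    lifetime; on a cold start (all peers reconnecting after an outage) they start at t=0.
    """
    rng = random.Random(seed)
    events = []  # (time, +1 when a negotiation begins, -1 when it ends)
    for _ in range(n_tunnels):
        t = 0.0 if cold_start else rng.uniform(0.0, lifetime_s)
        while t < window_s:
            begin = t + rng.uniform(-jitter_s, jitter_s)
            events.append((begin, +1))
            events.append((begin + negotiation_s, -1))
            t += lifetime_s
    # Sorting (time, delta) processes an end (-1) before a start (+1) at equal times,
    # so a slot freed at exactly that instant is not double-counted.
    events.sort()
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def negotiations_fit(peak: int, limits: GatewayLimits) -> bool:
    """True if the simulated peak stays under the configured negotiation limit."""
    return peak <= limits.max_ike_negotiations


if __name__ == "__main__":
    S2S, C2S = 2_500, 2_500        # the 5200 requirement from the question
    print("tunnel headroom (R80.10 defaults):", tunnel_headroom(S2S, C2S, R80_10_DEFAULTS))
    # Assumed timings: 1h SA lifetime, 2s per negotiation, 5s reconnect jitter.
    steady = peak_concurrent_negotiations(S2S + C2S, lifetime_s=3_600, negotiation_s=2,
                                          jitter_s=0, window_s=4 * 3_600, cold_start=False)
    storm = peak_concurrent_negotiations(S2S + C2S, lifetime_s=3_600, negotiation_s=2,
                                         jitter_s=5, window_s=3_600, cold_start=True)
    for name, peak in (("steady state", steady), ("cold start", storm)):
        for ver, lim in (("R77.x", R77_DEFAULTS), ("R80.10", R80_10_DEFAULTS)):
            print(f"{name}: peak {peak} negotiations, fits {ver} default: "
                  f"{negotiations_fit(peak, lim)}")
```

In steady state the 5,000 tunnels rekey a handful at a time and sit far below even the R77.x default of 200; in the cold-start case the peak lands in the high hundreds or above, so the default negotiation limit, not the tunnel limit, is the value to raise (at the memory cost the reply describes) before sizing against a reconnect storm.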
Danny
Champion

For the 700 Appliance series there is no hard limit either; it's more a question of how many Security Associations (SAs) the appliance will have to handle concurrently. The Embedded UTM-1 Edge appliances had a support limit of 100 SAs (= max. 50 VPN Site2Site tunnels) when managed centrally. Instead of using the Embedded 700 appliances I'd recommend using Embedded 1400 appliances and managing them centrally in order to provide more performance by using centrally configured VPN communities to initiate SAs per Gateway pair whenever possible.

Benny_Shlesinge
Employee Alumnus

Yes, they do:

  • 730 supports up to 150 tunnels
  • 5200 supports up to 55,000 tunnels

S2C or S2S is the same from a capacity point of view.

Of course there's always the actual throughput in each tunnel to be taken into consideration, but the numbers you are asking for are perfectly feasible.

Good luck!

Benny.

Phil_Atkinson
Employee Alumnus

Benny,

Where did you get those stats from?

Thanks,

Phil

Pablo_Barriga
Advisor

Hello. It's also good to check the VPN throughput of each appliance.

5200 datasheet
