https uploads 5X slower thru one gateway than another
Hi Mates,
Developers are seeing 1.7 MB/s upload speeds with HTTPS thru one of my gateways with a 10 GB Fibre interface (i40e driver), while seeing 9.5 MB/s HTTPS upload speeds thru another with a 1 GB interface (tg3 driver). I'm not seeing any rx/tx errors. Using scp the speeds are similar, which indicates an issue with the application, but they are still blaming the firewall, saying they are using the same code. I'm not seeing any drops. I'm not doing https inspection. Let me double check categorization is the same on both. Yes, it's a global setting; categorize https and cached are both checked. Any ideas are welcome. This is all internal traffic going thru the internal interface and a VLAN interface. Neither of these gateways is in a cluster; both are standalone. I tried turning off fwaccel, and I tried a TE exception from IPS/AV/AB; no effect either. I do have the URL filtering blade on the slower one and not the faster one.
Are the gateways both the same version/JHF? I assume they aren't showing other signs of performance issues / high load?
Hi Chris,
The load and memory (resources) all look good on both. The slower one is on JHF65, whereas the faster has a slightly older JHF. Same major version though. I'm adding URL filtering on the faster one to see if that slows it down. Assuming URLF will slow it down, can you make an exception for URLF? I assume you can in the access policy, but I haven't tried it before.
If it's a static IP destination you can 'except' it from URL filtering by adding a rule above all the URLF/APPC rules in the layer to that destination IP with standard logging configured.
So, once you add the URLF blade on your gw, you have to use the URLF category with the suitcase label in an access rule? If you aren't using the category tag, then the blade isn't being used? Do you block or allow on the URL filtering category? I assume it's a block? I assumed URLF was used in the background for application control categories.
When the URLF blade is enabled on the gateway and inside the policy layer, it is invoked on any rule with URL categories or custom sites in it, or if the logging is set to Detailed logging. A rule that uses standard port-based services with normal basic logging does not go through the URLF blade even when it is enabled on that policy layer.
You can absolutely do that, yes.
Andy
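The advice given in the thread (put the exception rule above all URLF/APPC rules, with standard logging, because rules with URL categories, custom sites or Detailed logging go through URLF) can be checked against a rulebase before it is installed. The following is an added example, not code from the thread or from Check Point: the rule dictionaries are a constructed, simplified model rather than a real export format, the addresses and rule names are made up, and top-down first-match evaluation is an assumption of the model.

```python
import ipaddress

def invokes_urlf(rule):
    # Criteria stated in the thread: URL categories, custom sites, or Detailed logging.
    return bool(rule.get("categories") or rule.get("custom_sites")) or rule["track"] == "Detailed Log"

def matches(rule, dst_ip):
    # "Any" or a CIDR destination; services and sources are left out of this model.
    return rule["dst"] == "Any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst"])

def audit_exception(rules, dst_ip):
    """Find the first rule matching dst_ip and report whether it avoids URLF.

    The exception only counts as effective when the matched rule itself does not
    invoke URLF and no URLF-invoking rule sits above it in the layer.
    """
    above = []
    for rule in rules:  # top-down, first match wins (simplified model)
        if matches(rule, dst_ip):
            bypass = not invokes_urlf(rule) and not above
            return {"matched": rule["name"], "urlf_rules_above": above, "bypasses_urlf": bypass}
        if invokes_urlf(rule):
            above.append(rule["name"])
    return {"matched": None, "urlf_rules_above": above, "bypasses_urlf": False}

UPLOAD_SERVER = "10.20.30.40"  # constructed static destination IP

# Constructed "before": exception sits below a category rule and uses Detailed logging.
BEFORE = [
    {"name": "block-social", "dst": "192.0.2.0/24", "categories": ["Social Networking"], "track": "Log"},
    {"name": "upload-exception", "dst": "10.20.30.40/32", "track": "Detailed Log"},
    {"name": "cleanup", "dst": "Any", "track": "Log"},
]

# Constructed "after": exception moved to the top with standard logging.
AFTER = [
    {"name": "upload-exception", "dst": "10.20.30.40/32", "track": "Log"},
    {"name": "block-social", "dst": "192.0.2.0/24", "categories": ["Social Networking"], "track": "Log"},
    {"name": "cleanup", "dst": "Any", "track": "Log"},
]

if __name__ == "__main__":
    for label, rulebase in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_exception(rulebase, UPLOAD_SERVER))
```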
