This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rdiaz
Contributor
‎2025-08-04 11:20 AM
Jump to solution

Quantum Spark 1600s site-to-site VPN Tunnel speed/throughput about 150Mbps on 1Gbps link...slow?

Hello Checkmates,

this is my first time creating a post here. 🙂  Also, I'm fairly new to CheckPoint firewalls.  I'm seeing what I consider slow VPN tunnel speed/throughput between sites.  All tests i ran (with OpenSpeedTestServer) yield pretty much the same speeds (around 150 to 175 Mbps download and upload).  All sites have 1Gbps Internet speeds (expect 2 of them at 500Mbps and 200Mbps, but I don't bother testing those).   There are 6 x Quantum Spark 1600s and 2 x 1535 series (the 1535 are connected to the slower ISPs).  Azure Vnet is part of the site-to-site as well.  I have most of the blades enabled on these firewalls (App control, Identity, URL filtering, IPS, Anti-Bot & Anti-virus).  All these are managed by a on-premise management server and the main site has a cluster of 2 x 1600s where the VPN tunnels run from. 

These are all up to date running R81.10.x verisons. 

my question is, is this the expected perforcemance (around 150 to 175 Mbps download and upload) from these firewalls in a site to site setup? 

I come from Cisco ASA 5500x and they were able to reach near the speeds of internet connections of 1Gbps via a site-to-site connection.

Any guidance is welcome and appreciated.  thank you in Advance.

 

41 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-08-11 09:58 AM
In response to rdiaz
Jump to solution

I definitely would, for sure. But, does not hurt to try what was suggested.

Andy

Best,
Andy
"Have a great day and if its not, change it"
rdiaz
Contributor
‎2025-08-11 10:00 AM
In response to the_rock
Jump to solution

cool! I will do that sir.  thank you!

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-08-11 10:01 AM
In response to rdiaz
Jump to solution

Andy is fine, sir makes anyone feel too old haha.

Andy

Best,
Andy
"Have a great day and if its not, change it"
rdiaz
Contributor
‎2025-08-11 10:05 AM
In response to the_rock
Jump to solution

haha, gotcha Andy. 🙂

(1)
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-08-05 08:34 AM
In response to rdiaz
Jump to solution

Threath Prevention: Disable the TP blades (only for a very short time!), test and compare thruput

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
rdiaz
Contributor
‎2025-08-05 08:42 AM
In response to G_W_Albrecht
Jump to solution

Thank you, I will try this as well tonight. 🙂

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-08-05 08:56 AM
In response to rdiaz
Jump to solution

 
Best,
Andy
"Have a great day and if its not, change it"
Preview file
39 KB
rdiaz
Contributor
‎2025-08-05 09:00 AM
In response to the_rock
Jump to solution

cool, I will turn it off as in the screenshot.   Side quesiton, for the R82 Clean install and upgrade, that doesn't wipe out my configuration on the Smart-1 server (I have one on-premise) right? 

the words "Clean Install" makes me thing it's wiping everyting and start fresh. lol 

 

the_rock
MVP Diamond
MVP Diamond
‎2025-08-05 09:02 AM
In response to rdiaz
Jump to solution

Correct.

Best,
Andy
"Have a great day and if its not, change it"
rdiaz
Contributor
‎2025-08-15 06:28 AM
Jump to solution

UPDATE (for future people who might run into this issue):  After following @the_rock link regarding the encryption (https://support.checkpoint.com/results/sk/sk73980) I changed my VPN Tunnel Encryption to the fastest based on the link just provdied (AES-128, MD5, Group 2 (1024 bit) respectively.  This yielded an increase from 150Mbps/175Mbps to 250Mbps download/upload.  I was hoping for better, but an improvement, it's better than nothing. 🙂 

A couple of days later I decided to open a TAC as per suggested by @the_rock  in this post.  We spent several hours doing a tcpdump/package capture to see if there's anything amiss, but nothing came out of that, everything was working as expected.  The TAC tech folks said this was pretty good speeds for those SMB firewalls.  So left it alone.  That same evening, decided to update all the firewalls to the latest verison from R81.10.10 to R81.10.17.  

After doing this, to my surprice, I had gain yet another boost.  Now i'm getting consistently 400+ Mbps download/upload!  

What gives?  I'm not sure if it was the reboot of the firewall after the Encryption changes or the update to R81.10.17 (or a combination of both).  the fact is, now i'm getting acceptable speeds in by site-to-sites.  that's about 50% fo the link speed which i'm happy about. 

Thank you all who provided guidance and assisted me in this one, what a great community of folks we have here! 🙂
(screenshot of the resutls below)
Screenshot 2025-08-15 091014.png

the_rock
MVP Diamond
MVP Diamond
‎2025-08-15 06:42 AM
In response to rdiaz
Jump to solution

glad we can help 🙂

Best,
Andy
"Have a great day and if its not, change it"
PhoneBoy
Admin
Admin
‎2025-08-15 01:46 PM
In response to rdiaz
Jump to solution

Possible we've improved the single stream TCP throughput by leveraging additional cores for the same stream.
I don't see it mentioned in the release notes, but given those results, seems possible.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events