Upgraded both sides of my link to FIOS gigabit. Pretty disappointing 680 results.



roveer
2017-11-02, 16:44
This week I upgraded both sides (work & home) to FIOS gigabit internet. It's supposed to top out around 800 Mbps or so.

My 680's don't use any of the intrusion or AV blades, just Firewall and IPSEC/VPN.

First observation: Speedtest.net and FIOS speed test to internet top out around 450 Mbps in both directions at both locations. Processor pegged and router GUI sometimes stops responding until the test finishes. Specs for 680 say Firewall (Gbps): 1.5, so I'm getting 1/3rd of spec'd speed.

Second Observation: IPSEC/VPN is giving me 112 Mbps between devices. Specs say 220 Mbps so I'm getting 1/2 of spec'd speed.

I've tried setting IPSEC/VPN encryption settings about as low as they can go (AES 128, DH 768) with no real change in speed results.

Third observation: Iperf3 results 2 machines either side of link: 122 Mbps. Was expecting at least 200.

I wasn't expecting a miracle, but this is a bit worse than I expected. Is there anything I should look at or tune? Looking now for devices that would handle the new internet speeds, with the emphasis on IPSEC/VPN throughput. Any suggestions (for a small business on a limited budget)?

Thanks,

Roveer

abusharif
2017-11-02, 17:18
Nothing new under the sun. Lab numbers you can easily divide by 3 to get somewhere near what appliances can perform.
As long as one comes to terms with that you will keep your sanity ;-)

Real time traffic blend, which CP refers to in appliance comparison PDFs, is somewhat more accurate, not always though, as your traffic blend doesn't necessarily match theirs.

Small office appliances ranging from old Edges to 600/1100 have always been pure junk, from a software and performance perspective. Check Point never learns, it seems, when it comes to these. 1400s I don't have experience with, but still same junk software, so I wouldn't hope for miracles with those either.

Would never recommend any of those to a customer with a good conscience, but unfortunately low price can be blinding, as well as the wrong performance numbers people tend to focus on. Jump to next "real Gaia" appliance is a huge difference in price. SOHO devices when centrally managed are especially fun to work with for people in support/TAC... if you are aiming for a fast track to a grey hairline.

roveer
2017-11-02, 18:31
Well, all I can add is this.

I started on VPN-1 Edge devices, moved to UTM-1 devices, then on to 680 devices and really wanted to stay with CP, but they are making it pretty damn hard (say impossible) for my small environment and price point. I think in order to provide the processing power I am asking for I'm in the 12000 series or better, and those ain't cheap.

Instead I'm going to check out the Ubiquiti ER-4s when they launch this month. Supposed to handle gig firewall with ease and hopefully have good IPsec/VPN throughput as well. If that fails, then I'm considering pfSense on Xeon processors with AES-NI. One way or another I'm going to see line speed over VPN at some point. That is my mission.