CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Thread: Throughput question VPN-1 Edge vs 640 Series...

  1. #1
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    12

    Default Throughput question VPN-1 Edge vs 640 Series...

    I currently have 2 VPN-1 Edge devices running on SBox-200 Hardware Version 1.0T FW 8.2.48. I have them set up at 2 different locations with a site-to-site VPN connecting them. The ISP is Verizon FIOS 25/25 service. When I copy large files across I never see anything greater than 2mbp/s for transfer speed. I've been considering upgrading to the Checkpoint 640 series but now I have questions.

    The specifications on the old hardware say 150mbp/s at the firewall for the unlimited device and nothing lower than 80mbp/s on the lower rated devices. My 2 devices are both the unlimited (X series).

    Why, if I have vpn/routers rated at 80mbp/s-150mbp/s and 25/25mbp/s isp service, am I seeing such low transfer speeds? Is it the VPN encryption processing? The sending and receiving computers are connected via 1gbp/s switches (I know the lan/wan ports on these devices are only 100mb/ps, still way faster than the speeds I'm seeing).

    When I do speed tests (OOKLA, Speakeasy.net) it does rate the connection right at the FIOS limit of 25/25.

    Will spending 1,200.00 on new checkpoint equipment likely raise my speed or will I see the same results? I'm only doing this for speed increases, otherwise the equipment I have is working just fine.

    This one is a real mystery to me and I'd love to figure it out.

    Roveer

  2. #2
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,146
    Rep Power
    12

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Roveer,

    When you say you see 2mbps you probably mean 2MBps (Bytes per sec) which is between 18 and 20 Mbps (bits per sec).
    The common misunderstanding with line speeds and transfer rates has always been that the one is mentioned in bits and the other in bytes per second.
    Now you might say that 2 MB would become 16Mb, however you're not counting in the overhead bits, which average to 1.5 bits, so ending at 9.5 bits for 1 byte, and this is for easy calculation mostly rounded up to 10 bits per byte.

    We have been able to get 70Mbps backup traffic through a VPN on these Edges NW. However with 100 users we have also seen it come to a halt on a 10Mbps internet line.

    Honestly I do not think that you will see much improvement on the speed, as 25Mbps is, especially on big file transfers (large packets, little overhead), not a problem for the Edge NW.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    12

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Quote Originally Posted by msjouw View Post
    Roveer,

    When you say you see 2mbps you probably mean 2MBps (Bytes per sec) which is between 18 and 20 Mbps (bits per sec).
    The common misunderstanding with line speeds and transfer rates has always been that the one is mentioned in bits and the other in bytes per second.
    Now you might say that 2 MB would become 16Mb, however you're not counting in the overhead bits, which average to 1.5 bits, so ending at 9.5 bits for 1 byte, and this is for easy calculation mostly rounded up to 10 bits per byte.

    We have been able to get 70Mbps backup traffic through a VPN on these Edges NW. However with 100 users we have also seen it come to a halt on a 10Mbps internet line.

    Honestly I do not think that you will see much improvement on the speed, as 25Mbps is, especially on big file transfers (large packets, little overhead), not a problem for the Edge NW.

    You're right. I do tend to get those designations confused.

    Here is exactly what I am talking about:

    [Attached image: mbps_zps06d3a34b.jpg]

    So from the little poking around that I did (and can remember from computer math in 1984), 8 bits in a byte. Found this:

    If u want to convert MB to Mb times by 8
    If u want to convert Mb to MB divide by 8

    So is it safe to say that my 2.18 MBp/s needs to be multiplied by 8 to be able to compare it to my rated FIOS speed? If that is true then I'm getting 17.44 Mbps and with overhead it's not that far off from my rated FIOS speed. Considering one side is always doing an upstream transfer and those are the ones that usually rate lower on my bandwidth tests. Most of my big data goes in the middle of the night so I'm hoping that I would get even better performance.

    I believe FIOS is offering me 35/35 for 6 bucks more a month. Seems like it would make sense to move up to that rate and see if things improve. Looks like I might be able to achieve a 27~28% increase if I were to do that and everything holds true. Make sense?

    But the big question is back to my "older" hardware. At one side I only have 4 users and an email server and at the other side it's 3-5 people with some occasional audio/video streaming. Are we saying that even my old VPN-1 hardware should be plenty robust enough? I have noticed that trying to video stream FIOS On Demand video often results in video break-up. My 640 hardware investment would be 1,200.00 bucks and it just doesn't seem like I'll get very much improvement for the money unless someone tells me that the processor is my bottleneck and I would see a pretty good improvement for the money.
    Last edited by roveer; 2014-09-23 at 17:42.

  4. #4
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    If you are using just FW/NAT then the S-Box should be fine. If you add services then the new platforms will be a lot better.
    It's as much a code thing as a hardware thing.

  5. #5
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    1,009
    Rep Power
    15

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    If you enable application control / URL filter / IPS on the 600 series you will get around 40mbps wired at best. I tested this with a single rule on a 6x0 WIFI version, and during that time the GUI can't be used due to CPU usage. IMHO these units should be sold at most half the price they go for now.

  6. #6
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,146
    Rep Power
    12

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Just a simple check to see if your Edges are at the top of their capabilities, check the reports page and see how memory and CPU load are doing while you send the big packets.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  7. #7
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    12

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Quote Originally Posted by msjouw View Post
    Just a simple check to see if your Edges are at the top of their capabilities, check the reports page and see how memory and CPU load are doing while you send the big packets.

    Here are some snapshots of my devices while copying a large file. One note. The one device (receiving side, orange picture) is a newer safe@home box running Sbox-200 1.1G while the older one (blue picture) is a VPN-1 Edge running Sbox-200 1.0T.


    [Attached images: sending side.jpg, receiving side.jpg]


    I was a little surprised to see that I was just about pegging both boxes. I'm guessing it's the vpn processing. Looks like I might benefit from faster processors? The VPN-1 box has got to be almost 10 years old? Would think things have come a long way since then.

    Thoughts?

  8. #8
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    16

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Yeah it looks that way. 10 years you get a lot more CPU than you did.

  9. #9
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,146
    Rep Power
    12

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Do keep in mind that Check Point has a trade in offer at the moment for the 600 and 1200 series, where you can trade in the old edge devices.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  10. #10
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    12

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    So is the opinion that based on the fact that I'm almost pinning these boxes that I would benefit from newer hardware? I've never seen any specs which say exactly what the processors are in these boxes so I really don't know how to evaluate them. What is sbox-200?

    I've also looked into my FIOS and right now I'm at 25/25 but can go to 75/75 for 5 bucks more a month. Sounds like that is a no-brainer.

    Was even thinking of temporarily putting the actiontec routers back on one side and doing some sort of upload testing to see if there is a big difference between those and the vpn-1 edge. From day one I removed the actiontec and only used the checkpoint. Of course Verizon will not support that configuration but it has worked for me for years.

    I think my plan of action will be to first upgrade the FIOS to 75/75 and then look at the Checkpoint hardware.

    Still interested in your opinions.

    Roveer

  11. #11
    Join Date
    2012-08-16
    Posts
    182
    Rep Power
    7

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Best place to check specs, actual specs, is http://blog.lachmann.org which seems to be down at the moment. He keeps an updated chart of processor specs etc.

  12. #12
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    12

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Quote Originally Posted by aweldon View Post
    Best place to check specs, actual specs, is http://blog.lachmann.org which seems to be down at the moment. He keeps an updated chart of processor specs etc.

    I was able to get on his site and it looks like he only has hardware specs for the bigger boxes. No mention of the smaller VPN-1/UTM-1 boxes that I could see.

  13. #13
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Quote Originally Posted by roveer View Post
    Here are some snapshots of my devices while copying a large file. One note. The one device (receiving side, orange picture) is a newer safe@home box running Sbox-200 1.1G while the older one (blue picture) is a VPN-1 Edge running Sbox-200 1.0T


    [Attached images: sending side.jpg, receiving side.jpg]


    I was a little surprised to see that I was just about pegging both boxes. I'm guessing it's the vpn processing. Looks like I might benefit from faster processors? The VPN-1 box has got to be almost 10 years old? Would think things have come a long way since then.

    Thoughts?

    What encryption algorithm is set for your VPN's IPSEC/Phase2 tunnel? AES-128? 3DES? 3DES is dog slow on commodity processors, AES-128 should be much better.

  14. #14
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    12

    Default Re: Throughput question VPN-1 Edge vs 640 Series...

    Quote Originally Posted by ShadowPeak.com View Post
    What encryption algorithm is set for your VPN's IPSEC/Phase2 tunnel? AES-128? 3DES? 3DES is dog slow on commodity processors, AES-128 should be much better.

    They were set to Automatic for both Phase 1 and Phase 2. Looking in the log it looks like it was 3DES SHA for phase 2. I set it on both sides to AES-128 MD5 but it doesn't seem to be going much faster. Still running high cpu util. I'll keep an eye on it and also look to raise my FIOS speeds.

    Thanks for the tip.

    Roveer
