CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Upgraded both sides of my link to FIOS gigabit. Pretty disappointing 680 results.

  1. #1
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    13

    Upgraded both sides of my link to FIOS gigabit. Pretty disappointing 680 results.

    This week I upgraded both sides (work & home) to FIOS gigabit internet. It's supposed to top out around 800 Mbps or so.

    My 680s don't use any of the intrusion or AV blades, just Firewall and IPSEC/VPN.

    First observation: Speedtest.net and FIOS speed test to internet top out around 450 Mbps in both directions at both locations. Processor pegged and router GUI sometimes stops responding till the test finishes. Specs for 680 say Firewall (Gbps): 1.5, so I'm getting 1/3rd of spec'd speed.

    Second Observation: IPSEC/VPN is giving me 112 Mbps between devices. Specs say 220 Mbps so I'm getting 1/2 of spec'd speed.

    I've tried setting IPSEC/VPN encryption settings about as low as they can go (AES 128, DH 768) with no real change in speed results.

    Third observation: Iperf3 results 2 machines either side of link: 122 Mbps. Was expecting at least 200.

    [Attached image: iperf3.jpg]

    I wasn't expecting a miracle, but this is a bit worse than I expected. Is there anything I should look at or tune? Looking now for devices that would handle the new internet speeds, with the emphasis on IPSEC/VPN throughput. Any suggestions (for a small business on a limited budget)?

    Thanks,

    Roveer

  2. #2
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    1,010
    Rep Power
    16

    Re: Upgraded both sides of my link to FIOS gigabit. Pretty disappointing 680 results

    Nothing new under the sun. Lab numbers you can easily divide by 3 to get somewhere near what appliances can perform.
    As long as one comes to terms with that, you will keep your sanity ;-)

    Real time traffic blend which CP refers to in appliance comparison PDFs is somewhat more accurate, not always though, as your traffic blend doesn't necessarily match theirs.

    Small office appliances ranging from old Edges to 600/1100 have always been pure junk, in software and performance perspective. Check Point never learns, it seems, when it comes to these. 1400s I don't have experience with, but still same junk software, so I wouldn't hope for miracles with those either.

    Would never recommend any of those to a customer with a good conscience, but unfortunately low price can be blinding, as well as the wrong performance numbers people tend to focus on. Jump to next "real gaia" appliance is huge difference in price. Soho devices when centrally managed are especially fun to work with for people in support/TAC... if you are aiming for a fast track for grey hairline.

  3. #3
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    13

    Re: Upgraded both sides of my link to FIOS gigabit. Pretty disappointing 680 results

    Well, all I can add is this.

    I started on VPN-1 edge devices, moved to UTM-1 devices, then on to 680 devices and really wanted to stay with CP, but they are making it pretty damn hard (say impossible) for my small environment and price-point. I think in order to provide the processing power I am asking for I'm in the 12000 series or better and those ain't cheap.

    Instead I'm going to check out the Ubiquiti ER-4's when they launch this month. Supposed to handle Gig firewall with ease and hopefully have good ipsec/vpn throughput as well. If that fails, then I'm considering pfSense on Xeon processors with AES-NI. One way or another I'm going to see line speed over VPN at some point. That is my mission.
