Hello again, I thought I might make some further updates to my blog about what has been happening recently. A few months ago I decided that I wanted to replace my Cisco ASA5505 with something newer that offered gigabit ports and a somewhat stronger firewall, etc. At work we have removed Cisco from the firewall infrastructure and replaced it with Checkpoints, so I thought Checkpoint was the way to go. The device I purchased was the Check Point 680 + Wi-Fi + ADSL + 3 Yr [CPAP-SG680-NGTP-WDSLA-W-3Y-BUN] with a 3 year support agreement. It cost me about $1515 AUD, and upon talking to the Checkpoint reseller I was told this device would be able to handle a 100mbit link, as I was going to be upgrading to a 100/40 NBN Fiber service in Australia, and would probably have dual 100/40 links terminating into this device.
Upon opening everything and getting it up and running, it was a breeze, simple, and looked very impressive. Upon starting to download my first 5GB speedtest file from an HTTP server, with all the blade modules turned on (AV, IPS, Firewall, Spam etc), the device severely underperformed and I was only able to achieve 30-40mbit. When checking the CPU on the device it was reaching 100% and everything was very unresponsive. I then turned off all the blades except the firewall and it only managed around 60mbit, which again is very poor. The specification sheet clearly shows this device can handle 1.5Gigabits of throughput when firewalled; try about 60mbit instead, quite pathetic from Checkpoint. Even when doing the large file transfer, pinging the Checkpoint device itself from inside the LAN was slow and unresponsive, with pings of 500+ ms, which was crazy. I complained to the reseller that this device is not worth the price I paid as the speed is awful, and they got me in touch with a local Checkpoint engineer. The engineer advised me to upgrade the software on the device to a later version, so I did, but performance was still bad and certainly nowhere near as impressive as a Cisco ASA. He advised me to consult with Checkpoint directly and see what they could do.
I logged a case with Checkpoint directly, telling them this device does not perform as per its specifications, has severe performance issues, and cannot handle a 100mb WAN link. This is the conversation I had with them, as below:
2:22 PM Checkpoint : Can you pass the FTP file now?
2:22 PM Customer: ok
2:23 PM Checkpoint : It looks ok
2:23 PM Customer: see the pings to the gateway
2:23 PM Customer: when I log in to the web interface
2:23 PM Customer: pings go up
2:23 PM Customer: like crazy
2:24 PM Checkpoint : What happens when you ping through the appliance, and not directly to it?
2:25 PM Customer: same thing
2:26 PM Customer: all the pings increase
2:26 PM Customer: I also use a Cisco ASA 5505, which doesn't have such an issue
2:26 PM Customer: when I swap
2:27 PM Checkpoint : That's expected behavior since the appliance Web UI logging takes the most CPU
2:27 PM Customer: yes but it shouldn't affect speeds and latency
2:28 PM Customer: for everyone while I'm browsing the appliance
2:29 PM Checkpoint : When logged in to the device Web UI the SFWD process CPU jumps and of course it impacts latency and performance
2:29 PM Checkpoint : What is the device firmware version ?
2:29 PM Customer: but for a device of this price
2:29 PM Customer: that should not be a problem
2:31 PM Checkpoint : I understand but I can confidently say it’s a normal behavior
2:32 PM Customer: yeah well I disagree with that
2:32 PM Customer: I have a 5 year old ASA
2:32 PM Customer: the pings do not jump
2:32 PM Customer: to the gateway
2:33 PM Customer: see I'm not even touching it, just transferring files
2:33 PM Customer: and pings increase
2:33 PM Checkpoint : You don't need to, as long as you are connected to the web UI the httpd watchdog eats the CPU
2:33 PM Checkpoint : I know
2:33 PM Customer: and then I turn on all the features
2:33 PM Customer: and initiate my transfer
2:33 PM Checkpoint : I might have workaround that may improve the device performance
2:33 PM Customer: it kills the device
2:34 PM Customer: and doesn't respond
2:34 PM Checkpoint : Want to try it ?
2:34 PM Checkpoint : I can send you a link for the new version that might improve the device’s performance
2:35 PM Customer: ok but the checkpoint engineer said to use this one as its latest
2:35 PM Customer: is there one newer than 77.20
2:36 PM Checkpoint : There is a new version that was released two days ago and it contains a fix that might improve the performance
2:37 PM Checkpoint : And this is the best effort I can do regarding this issue
2:37 PM Checkpoint : Would you like to test it ?
2:37 PM Customer: ok
2:37 PM Customer: what are the changes in the new version
2:38 PM Customer: what does R&D think about this ?
2:38 PM Checkpoint : Wait a second, I need to check a few things
2:41 PM Checkpoint : I'm sorry, I just rechecked; the device features cannot handle high speeds such as the 100MB you are using
2:41 PM Checkpoint : I doubt if the new version will make any difference
2:42 PM Customer: so what handles 100mb with all the features on?
2:43 PM Checkpoint : A strong Check Point device but not the 600
So there, as you can see above, is proof that a Checkpoint 680 cannot handle high speed WAN links, so do not buy one! Luckily I was able to return it and get a refund, as the price of $1500+ is certainly not worth it.
Checkpoint 680 Firewall