Overview
While having Internet speed drops with Kerio Control, several firewall features might be causing such issues. As a result, users may face Internet outages, connectivity, and ping problems while connecting to the firewall.
As Kerio Control is designed to be functioning as a UTM solution, the speed is limited by functional areas of the product. Apart from the product features, the speed performance might be throttled by external factors.
This article provides details on Speed test results for hardware boxes and how certain functionality is affecting the Download/Upload speed.
Solution
While conducting dozens of speed tests and measurements, Kerio Control team has identified key reasons why you might experience a severe reduction in speed performance. The common ones are listed below.
Important: all the tests were held with a ~1Gb link (ISP contracted speed).
Browser vs App
It's recommended to use speed test applications, instead of Browsers, that might have additional plugins, or security protection/tracking features enabled, etc.
You should perform tests using a modern PC with an appropriate CPU and RAM specs. It's advisable to have at least 4 core CPU and 16 GB of RAM.
WiFi vs Cable
Important: applicable only for NG100W and NG300W boxes.
While measuring the speed, please use a Cable LAN connection to the box. WiFi measuring depends a lot on the environment itself.
General WiFi signal factors
- Old Wifi Band and low Channel values. Using the 5GHz ac band and the highest channel available is advisable. Changing the band from 2.4 to 5 GHz allows improving the speed dramatically in a normal domestic environment.
Note: unless other settings are instructed by the Support team. - Box location and WiFi antenna direction. To cover offices of more than 70-100 square meters with a wireless network (i.e. "punching" thick walls) often require more powerful Wi-Fi equipment. Additionally, wireless boxes need open spaces, away from walls and obstructions. You'll get a better signal if it's surrounded by open-air (which should prevent the router from overheating, too). Keep it away from heavy-duty appliances or electronics as well, since running those in close proximity can impact Wi-Fi performance.
- Interference with other WiFi networks. If there are too many WiFi networks in your area using the same Band settings, the connection might slow down. Please consider using 5 GHz, however, some older client devices (PCs, mobile phones, tablets, etc) might be not capable of supporting this standard.
Hardware box CPU specs
Running speed test is stressing out the hardware processor mostly.
The time period when the tests were held
Depending on your hardware box specs, the speed results may show different results. The important part is playing the client's PC specs as well.
NG100W (Macbook Air with 16 GB RAM and 4-core CPU)
WiFi connection
Cable
NG300W cable (Macbook Pro with 8 GB RAM and 4-core CPU)
NG500 cable with different servers (Windows PC with 8 GB RAM + 8-core CPU)
Note: NG510/NG511 boxes are showing identical results in a 1Gb environment.
NG110 cable connection (Windows PC with 24 GB RAM + 4-core CPU)
9.3.4 version
9.3.5 version
9.3.5 with a better server
NG310 cable with different servers (Windows PC with 8 GB RAM + 8-core CPU)
Important: please consider upgrading to the new equipment, NG110/NG310/NG510/NG511 boxes, as they are using a modern CPU with better specifications.
Server location, Ping and Jitter
An important role plays the speed server you're measuring against. Each server has individual specs, that affect ping, jitter, and traffic percentage loss values.
It's recommended to perform several tests using different servers. The speed tests are artificial ways to identify the real Internet performance. Accessing each website or non-HTTP resource will show different results in most cases.
VM Resource Allocation
It is not uncommon for server virtualizing machines to have more vCPUs allocated than the host provides. In such circumstances, resource weights/shares should be higher for KerioControl for continued optimal speeds.
In Hyper-V, set a higher "Relative Weight" for the VM's setting for Hardware, Processor.
In VMware, set the VM's Resource Settings to "High" to allocate twice as many shares of CPU and Memory.
Kerio Control features
If you require a higher Download/Upload speed, you may consider disabling particular Kerio Control advanced functionality.
IPS and Antivirus
Disabling IPS and Antivirus showed an improvement in 5-10% Download and 20-30% Upload speed. These key features for protecting users against network threats are consuming a major part of Internet speed.
Application Awareness and Content Filter
Disabling Application awareness and Content Filter showed a 15-20% improvement in download speed.
Bandwidth Management
If you have custom Bandwidth management and QoS configured, make sure to not limit the data for Large data transfers option.
If the data is limited to a certain value (i.e. 10 Mbit/s), the speed results will show the appropriate performance.
If you're connecting from the external network through VPN, consider testing with and without "Use rules for VPN tunnels before encrypting" option. Depending on traffic rules, disabling or enabling that checkbox might improve the speed.
IPsec VPN vs Kerio VPN
If you're using an IPsec VPN connection using PSK or certificate, you will notice a significant Speed drop, compared to the Kerio VPN client.
Windows native IPSec with PSK auth (NG500 cable)
Kerio VPN client ("VPN tunnels before encrypting" is disabled)
"VPN tunnels before encrypting" is enabled
System uptime
For continuous network protection, Kerio Control is using database and signatures updates. While performing the speed test straight after the Kerio Control box reboot, you might see better Download/Upload results.
Final considerations
Disabling all the above-mentioned features (together with VPN server) and meeting all the testing criteria might help you to achieve the best speed performance of your Kerio Control box. However, disabling these features is not recommended, as UTM functionality protects from intruders and viruses.
