Is this a firewall problem of something else?

RegTellis (MIS), Jul 10, 2006
Hello all. I just started at a new company as the net admin, and they are using a Watchguard III 700 here. Apparently it has been a problem for the last week or so before I got here, as they are having bandwidth issues. Here is the problem:

If I perform a bandwidth test inside the firewall, I get some crazy up and down speeds of 673 kbps down and 919 kbps up. If I plug in outside of the firewall and run the same test, I get 1024 kbps down and 994 kbps up. Mind you that this is a full T1 we are talking about here. Now, this is where it gets weird. If I disconnect everyone from the LAN on the inside and do my test again on the outside, I get my full T1 speed or close to it, 1495 kbps down and maybe 1392 kbps upload speeds. At this point, I don't know if it is a firewall issue or something with one of the switches internally or what, but before I go out and replace this box, I would want to be sure that it was the problem and not something else. Any ideas or help would be greatly appreciated.
 
On the Firebox, are you running an HTTP-Filter or HTTP-Proxy Service for all outgoing HTTP traffic?
 
I am not sure what you mean, but it is running the HTTP service as opposed to the Proxied HTTP service; however, under the properties of the service, it is telling me that the service is proxied. Under the settings tab, I can then manipulate and change the web-blocker settings. I have even tried to disable the web blocker to see if that is where my drag/bottleneck was coming from, but that has not helped at all. As I said, the only time I see my bandwidth come back is when I disconnect everyone from the LAN, and in my experience that usually means the firewall is the culprit somehow. As you might have guessed, I don't know a whole lot about the Watchguard. I only know that something is killing my bandwidth.
 
The WG Proxy service will cause some bandwidth lag because the proxy service is cracking open incoming/outgoing HTTP packets to inspect the content type for security. But it looks like you are losing half your bandwidth from your original post, and the proxy shouldn't cause that much latency. Sounds like it could be a duplex issue between the WG and the switch. Is the inside (Trusted) interface (look inside NIC Configuration) set to Auto (Speed/Duplex), and the same for the port on the Switch? The Switch port and the WG should both be set to identical settings. I have mine set to Auto on both.
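The duplex check suggested in the post above, written out as an added example (mine, not code from the thread or from WatchGuard). It goes a little beyond the one case discussed: besides comparing configured speed/duplex on the two sides, it applies the counter signature that exposes a mismatch even when both configuration screens claim "100 full". The classic cause is one side on Auto and the other forced: a forced port advertises nothing, so the Auto side can only detect speed and falls back to half duplex. The half-duplex side then logs late collisions while the full-duplex side logs FCS/CRC errors. The `LinkSide` fields, names and counter values below are constructed for illustration; on real gear the counters come from `ethtool -S`, `show interface` or the Firebox NIC configuration page.

```python
# Added example, not from the thread: a duplex-mismatch check for a
# firewall <-> switch link. LinkSide fields and counter values are constructed
# for illustration; on real gear they come from `ethtool -S`, `show interface`,
# or the Firebox NIC configuration page.
from dataclasses import dataclass


@dataclass
class LinkSide:
    name: str
    speed_mbps: int
    duplex: str               # "full", "half", or "auto"
    late_collisions: int = 0  # counted by the side that is really running half duplex
    fcs_errors: int = 0       # a.k.a. CRC/alignment errors, seen by the full-duplex side


def duplex_mismatch_findings(a: LinkSide, b: LinkSide) -> list[str]:
    """Return human-readable findings; an empty list means no mismatch signature."""
    findings = []

    # Classic cause: one side autonegotiates, the other is forced. A forced port
    # does not advertise anything, so the auto side can only detect speed
    # (parallel detection) and falls back to half duplex.
    a_auto, b_auto = a.duplex == "auto", b.duplex == "auto"
    if a_auto != b_auto:
        auto_side, forced_side = (a, b) if a_auto else (b, a)
        findings.append(f"{auto_side.name} autonegotiates but {forced_side.name} is forced; "
                        f"{auto_side.name} will fall back to half duplex")
    elif not a_auto:  # both forced: the settings must match exactly
        if a.duplex != b.duplex:
            findings.append(f"forced duplex differs: {a.name}={a.duplex}, {b.name}={b.duplex}")
        if a.speed_mbps != b.speed_mbps:
            findings.append(f"forced speed differs: {a.name}={a.speed_mbps}, {b.name}={b.speed_mbps}")

    # Counter signature, independent of what the configuration claims: the
    # half-duplex side logs late collisions, the full-duplex side logs FCS errors.
    for half, full in ((a, b), (b, a)):
        if half.late_collisions > 0 and full.fcs_errors > 0:
            findings.append(f"{half.name} shows {half.late_collisions} late collisions while "
                            f"{full.name} shows {full.fcs_errors} FCS errors: "
                            f"{half.name} is actually running half duplex")
    return findings


if __name__ == "__main__":
    # Constructed values: a trusted interface left on Auto against a forced switch port.
    firebox = LinkSide("firebox-trusted", 100, "auto", late_collisions=37)
    switch = LinkSide("switch-port-5", 100, "full", fcs_errors=410)
    for line in duplex_mismatch_findings(firebox, switch):
        print(line)
```

Two practical points when applying this: clear the interface counters, run the speed test, then read the counters again, so that old errors from a cable swap do not confuse the picture; and check the link the advice actually concerns. The poster verified the external NIC, but the suggestion was about the Trusted interface, and a mismatch on either link between the test client and the T1 would produce the same symptom.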
 
Yes. I have just verified that both the negotiation speed on my external NIC for the Firebox and the speed on the switch port are identical, 100 Mb full duplex, and I am still seeing the same horrible bandwidth issues.
 
I know there is a known issue with speed tests going through the HTTP-Proxy service on the WG firewalls. Are the end users experiencing the lag issues, or are you performing tests before you go live with the Watchguard?

You might try eliminating the HTTP-Proxy (backup your config first) and add the HTTP-Filter instead to test. The Filter does not utilize the Web-Blocker or stateful packet inspection.

Are the WG logs showing any kind of strange outbound activity from a particular workstation that would cause the WG to bog down during packet inspection?

Real sorry I'm not getting you a quick solution :S
 
No problem at all. I appreciate whatever help or insight you can give me in that regard. I am rebuilding the .cfg file as we speak, and my current plan is to lullaby the box and reset it to its factory defaults, then pull my new .cfg file in minus all the overhead and see what I get. As far as the logs, I am pretty much a novice when it comes to examining these logs, so I am really not even sure what to look for at this point. Are you talking about looking at the System Manager console and the Bandwidth meter and whatnot?
 
Yes, the WG System Mgr is what I was referring to. There is also a Log Viewer to look at historical logs that are not real-time. There should be a "Log Viewer" icon in the WGSM tool bar next to Host Watch. I would look for a particular inside IP address or two that might be broadcasting out a lot of packets, in case of a Trojan infection or something of that matter, just in case.

Rebuilding the config from scratch and creating rules one by one is a good way to troubleshoot the issue as well.

If anything, you might have to open a case with Watchguard Support. If WG Support are able to resolve the issue, please post what the fix is here so we can refer to this thread if this happens to another :)
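The log review suggested above (an inside host pushing an unusual volume of packets, or the "strange outbound activity from a particular workstation" asked about earlier in the thread) as an added example of mine, not code from the thread or from WatchGuard. It generalizes the advice slightly: besides ranking inside hosts by outbound bytes, it counts distinct destinations per host, because an infected box that is spamming or scanning is often visible as fan-out to many addresses even when it is not the biggest byte consumer. The log shape is constructed for the example (date, time, action, src, dst, proto, sport, dport, bytes) and is not the real Firebox log format; the `parse_line` function is the only part that would need adapting to an export from Log Viewer.

```python
# Added example, not from the thread: find the inside hosts that dominate
# outbound traffic or talk to an unusual number of destinations.
import ipaddress
from collections import defaultdict

# Constructed sample lines in a simplified "date time action src dst proto
# sport dport bytes" shape. This is NOT the real Firebox log format.
SAMPLE_LOG = """\
2006-07-10 09:15:02 Allow 192.168.1.45 203.0.113.7 tcp 3412 80 1460
2006-07-10 09:15:02 Allow 192.168.1.45 203.0.113.7 tcp 3412 80 1460
2006-07-10 09:15:02 Allow 192.168.1.45 203.0.113.9 tcp 3413 443 1460
2006-07-10 09:15:03 Allow 192.168.1.12 198.51.100.20 tcp 4011 80 620
2006-07-10 09:15:03 Allow 192.168.1.12 198.51.100.20 tcp 4011 80 520
2006-07-10 09:15:03 Allow 192.168.1.88 198.51.100.1 tcp 1025 25 90
2006-07-10 09:15:03 Allow 192.168.1.88 198.51.100.2 tcp 1026 25 90
2006-07-10 09:15:04 Allow 192.168.1.88 198.51.100.3 tcp 1027 25 90
2006-07-10 09:15:04 Allow 192.168.1.88 198.51.100.4 tcp 1028 25 90
2006-07-10 09:15:04 Allow 192.168.1.88 198.51.100.5 tcp 1029 25 90
2006-07-10 09:15:05 Allow 192.168.1.88 198.51.100.6 tcp 1030 25 90
2006-07-10 09:15:05 Deny 192.168.1.88 198.51.100.7 tcp 1031 25 90
2006-07-10 09:15:05 Allow 203.0.113.7 192.168.1.45 tcp 80 3412 1460
"""


def parse_line(line):
    """Parse one constructed log line; return None for anything else (headers, blanks)."""
    parts = line.split()
    if len(parts) != 9:
        return None
    _date, _time, action, src, dst, proto, _sport, dport, nbytes = parts
    return {"action": action, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def top_talkers(log_text, lan="192.168.1.0/24", byte_share=0.5, fanout=5):
    """Rank inside hosts by outbound bytes and flag hogs and fan-out.

    lan:        the Trusted network; only lines whose source is inside it count.
    byte_share: flag a host sending at least this fraction of all outbound bytes.
    fanout:     flag a host that talked to at least this many distinct destinations.
    """
    lan_net = ipaddress.ip_network(lan)
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "dsts": set(),
                                 "dports": set(), "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in lan_net:
            continue  # inbound replies and unparsable lines are ignored
        s = stats[rec["src"]]
        s["packets"] += 1
        s["bytes"] += rec["bytes"]
        s["dsts"].add(rec["dst"])
        s["dports"].add(rec["dport"])
        if rec["action"].lower() == "deny":
            s["denied"] += 1  # denied attempts still show a host trying to get out

    total = sum(s["bytes"] for s in stats.values()) or 1
    report = []
    for ip, s in sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        flags = []
        if s["bytes"] / total >= byte_share:
            flags.append("bandwidth-hog")
        if len(s["dsts"]) >= fanout:
            flags.append("fan-out")
        report.append({"ip": ip, "packets": s["packets"], "bytes": s["bytes"],
                       "share": round(s["bytes"] / total, 3), "dsts": len(s["dsts"]),
                       "dports": sorted(s["dports"]), "denied": s["denied"],
                       "flags": flags})
    return report


if __name__ == "__main__":
    for row in top_talkers(SAMPLE_LOG):
        print(row)
```

On the constructed data, 192.168.1.45 is the byte hog (a couple of big downloads) and 192.168.1.88 is the one worth pulling off the network first: little traffic, but seven distinct SMTP destinations in a few seconds, one of them denied, which is the pattern of a spam bot rather than a user. Adjust `byte_share` and `fanout` to the size of the LAN before trusting the flags.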

 
Just out of curiosity, the procedure to reset a Watchguard to factory defaults is to connect a cable between the trusted and external interfaces and then power cycle the box while depressing the reset button, right? Then the box defaults to 192.168.253.1 with a password of "wg"? Then I just have to put my management station on the same subnet in order to communicate with it, yes? That is the way it worked for the Watchguard 1000, so I am assuming it to be the same?
 
That sounds correct if you are using a LAN cable to connect to the trusted interface. It shouldn't matter if you are using the console cable.
 
Thanks. I will be sure to let everybody know if any of this corrects my bandwidth issues.
 