
  • Watchguard 550e and multiWAN

    Hello all, first post here.

    At my place of work, we are wanting to add some bandwidth capacity to our network that services ~200 users and half a dozen servers. We currently have 3 bonded T1s as our primary WAN link.

    We have had a Comcast business class broadband service installed that is a 100 down / 10 up link. It has shown itself to be fairly reliable in multiple tests when directly connected before the firewall (as in, we get 80ish or more download speed consistently).

    We have then connected our new connection to a port on our firewall. We wanted to do some additional testing before we truly enabled multi-WAN on the firewall and let it run. So we created a firewall policy that routed HTTP traffic from a workstation internal IP to use the new external connection. This worked fine; however, now our speed tests are consistently in the 10-20 down range. We have played with different sorts of policy settings for this (HTTP policy, TCP/UDP packet filter and proxy filter), and all of them yield the same results. Obviously, 10-20 is still a decent bit more bandwidth than we had before, but we would prefer to be getting most of what we are paying for.

    I have noticed that our firewall consistently uses 50-60% CPU during the daytime, with consistent spikes to 80%+, but I am not familiar enough with troubleshooting firewalls to know if that is a harder consistent load than they should run. I also noticed that we seem to always sit at the maximum number of concurrent sessions that our firewall supports, but I would think that wouldn't affect speed once a connection was made.

    Any suggestions on what I should do to troubleshoot this? I have reviewed the current policies in the machine, and there don't seem to be any crazy policies that might affect anything. Again, I am fairly new to firewalls, and while I understand the concepts of how they work, I don't really have a grasp of how what they do might affect speeds, etc.

    Any help would be greatly appreciated.

  • #2
    Re: Watchguard 550e and multiWAN

    We do something similar in some of our remote offices that only have a T1 or a bonded T1. We have a Time Warner business class cable circuit that we use for web traffic in our remote offices. We use ASA 5505s. I think the issue may be the max throughput on the Watchguard. The ASA 5505 has a max throughput of 150 Mbps (or something very close). This throughput is in both directions, so if all traffic was outbound we would get the max throughput on the device (or something close to it). The issue is that throughput is measured in both directions. I would check the throughput on that device. If you want to get closer to your provider's SLA you may have to upgrade it. Also, do you have a layer 3 switch connected to your firewall? Instead of connecting the Watchguard to the firewall I would connect to the switch and use a static route to route your HTTP traffic to the Watchguard. This way you're not using your firewall as a transit device, which should reduce the load on the firewall.
    Last edited by auglan; 11th February 2012, 23:25.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Watchguard 550e and multiWAN

      The Watchguard 550e has a max throughput (according to what I have found) of 390 Mbps, which seems to be well in excess of 3 bonded T1s and a 100/10 cable connection.

      Now, if that throughput is like you said, and "one direction", that would still be 195 Mbps up and down (in theory), which is still well in the limits of our setup.

      I am not entirely understanding what you are getting at with your last bit. The watchguard is our firewall, so there is no connecting it to a layer 3 switch and then routing only HTTP traffic to it...

      Can you explain better, or does anyone else have any thoughts?



      • #4
        Re: Watchguard 550e and multiWAN

        Sorry, I thought you had an additional firewall in place besides the Watchguard. If you're consistently getting 50-60 percent CPU spikes and some as high as 80, that is definitely an issue. Also, if you're hitting your max connections as well, it may be worthwhile looking at upgrading the device. Have you gotten with Watchguard tech support? I wonder if there is an updated firmware available. Is it just the CPU that spikes, or is it memory utilization as well? Are there any VPNs terminating on this device? Any kind of deep packet inspection is going to increase the load on the CPU as well. I'm more familiar with Cisco devices, but it may be something to look at.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
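        The three checks the thread circles around (device throughput counted in both directions, sustained CPU with spikes, and a saturated session table) as an added example; it is not code from any poster. The link rates and the 390 Mbps rating are the figures quoted above; the CPU samples and the session limit are constructed placeholders.

        ```python
        """Capacity sanity checks for a firewall fronting several WAN links."""
        from statistics import mean

        T1_MBPS = 1.544  # nominal T1 line rate

        # Links as (down, up) in Mbps: 3 bonded T1s plus the 100/10 cable line from the thread.
        WAN_LINKS = [(3 * T1_MBPS, 3 * T1_MBPS), (100.0, 10.0)]
        RATED_MBPS = 390.0  # 550e rating quoted in post #3


        def wan_demand_mbps(links):
            """Worst case offered load: every link's down plus up rate, because a
            device throughput rating (per post #2) is spent in both directions."""
            return sum(down + up for down, up in links)


        def throughput_headroom(rated_mbps, links):
            """Rated throughput left over once all WAN links are saturated at once."""
            return rated_mbps - wan_demand_mbps(links)


        def cpu_findings(samples, sustained=50.0, spike=80.0):
            """Flag sustained load and spikes in (minute, cpu_percent) samples, using the
            50-60% baseline and 80%+ spikes described in the first post as thresholds."""
            avg = mean(pct for _, pct in samples)
            spikes = [minute for minute, pct in samples if pct >= spike]
            findings = []
            if avg >= sustained:
                findings.append(f"sustained average CPU {avg:.1f}% >= {sustained:.0f}%")
            if spikes:
                findings.append(f"{len(spikes)} spike(s) >= {spike:.0f}% at minutes {spikes}")
            return findings


        def session_findings(current, maximum, warn_at=0.95):
            """A session table sitting at or near its limit drops or delays new flows."""
            utilisation = current / maximum
            if utilisation >= warn_at:
                return [f"session table at {utilisation:.1%} of {maximum}"]
            return []


        # Constructed sample data: one hour of CPU readings and a placeholder session limit.
        CPU_SAMPLES = [(0, 55), (1, 58), (2, 62), (3, 85), (4, 57), (5, 61), (6, 83), (7, 54)]
        SESSION_LIMIT = 10_000  # placeholder, the thread never states the real figure

        if __name__ == "__main__":
            print(f"headroom: {throughput_headroom(RATED_MBPS, WAN_LINKS):.1f} Mbps")
            for line in cpu_findings(CPU_SAMPLES) + session_findings(9_950, SESSION_LIMIT):
                print("finding:", line)
        ```

        A positive headroom figure rules out the raw throughput rating as the bottleneck, which points the investigation at per-packet work (proxy policies, scanning) and the session table instead.
        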



        • #5
          Re: Watchguard 550e and multiWAN

          I attached (I think) a graph of the CPU usage from the last hour (basically 12-1 local time).

          Our memory usage doesn't really seem to fluctuate or budge. It stays pretty consistently at ~200 meg used, ~300 meg free.

          We are currently exploring potential replacements. I am looking hard at Cisco and Check Point. Before we make any definite moves, I at least want to have a better understanding of what our current problem may be. I appreciate your responses!



          • #6
            Re: Watchguard 550e and multiWAN

            Yeah, some of those spikes look like they are over 80 percent at times. Is this device doing anything else like web filtering, virus scanning, spam filtering etc. besides packet inspection? From what it looks like, you need to upgrade your device. I would first give Watchguard support a call just to verify that there isn't a hardware issue going on or maybe a bug in a particular firmware.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Watchguard 550e and multiWAN

              Yes, this device does web filtering, spam, and virus.

              We might just upgrade anyway, as we aren't that happy with the Watchguard firewall anyway (unrelated to this).
