
Slow Browsing after enabling security features

Hi!

We are testing a Sophos XG 230 Firewall. Internet access works, but when we enable something like HTTPS Scan or Web policy or prevention, internet speed extremely slows down. Especially HTTPS websites take 20-30 sec. to load.

I already checked various posts on that topic - they all point to DNS errors, so I checked DNS:

  • Static DNS is configured with 2 IPv4-DNS servers from our ISP.
  • Testing DNS name resolution is not working!

Could it be that something is wrong with our DNS configuration? How can we use all the security features without loss of performance?



  • Hi Christian,

    I'm having this exact issue. I tried changing DNS server (local, google, opendns). Usually opendns works better but the slow browsing presents randomly.

    I get the same errors when checking the tcpdump for DNS (tcpdump -ni any port 53)

       ethertype Unknown (0x0af7)

       ethertype Unknown (0x0f3e)

       ethertype Unknown (0x0f3c)


    Have you got a solution for this? Are you using PPPoE?

  • Do you dump on a specific Interface? 

    ethertype Unknown could be a VLAN Interface and you are dumping on the hardware interface. 


  • Hi sross,

    I'm afraid I can't help you since my original problem didn't get solved [:^)]

    We are not using PPPoE.

  • LuCar,

    I have been following this related thread:
    community.sophos.com/.../xg-blocking-dns-lookup---dns-request-timeout-error

    tcpdump for a specific VLAN does not show "ethertype Unknown".

    nslookup from the XG takes long randomly.
    Clients using the XG as DNS server are affected.
    Clients using external DNS servers resolve ok (nslookup). However, browsing randomly fails. Webfiltering is DNS based, right?


    I have many devices affected by this.
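A defender-side way to pin down the "nslookup takes long randomly" symptom described above is to pair each DNS query in a `tcpdump -ni any port 53` capture with its response and report, per upstream resolver, how many queries were slow or never answered. The script below is an added example, not code from this thread or from Sophos; the capture lines are constructed (RFC 5737 documentation addresses) and the parser assumes tcpdump's default IPv4/UDP line format, so "ethertype Unknown" lines and non-DNS lines are simply skipped.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -ni any port 53` output (not from any real firewall).
# Resolver 203.0.113.1 answers quickly; 203.0.113.2 answers one query after 5.2 s
# and never answers the other, which is the pattern behind random slow browsing.
SAMPLE_CAPTURE = """\
10:00:00.100000 IP 192.0.2.10.40001 > 203.0.113.1.53: 1001+ A? example.com. (29)
10:00:00.120000 IP 203.0.113.1.53 > 192.0.2.10.40001: 1001 1/0/0 A 93.184.216.34 (45)
10:00:01.000000 IP 192.0.2.10.40002 > 203.0.113.2.53: 1002+ A? sophos.com. (28)
10:00:02.000000 IP 192.0.2.10.40003 > 203.0.113.2.53: 1003+ A? community.sophos.com. (38)
10:00:03.000000 IP 192.0.2.10.40004 > 203.0.113.1.53: 1004+ AAAA? example.com. (29)
10:00:03.015000 IP 203.0.113.1.53 > 192.0.2.10.40004: 1004 1/0/0 AAAA 2001:db8::1 (57)
10:00:06.200000 IP 203.0.113.2.53 > 192.0.2.10.40002: 1002 1/0/0 A 198.51.100.5 (44)
"""

# Default tcpdump -n format for UDP: "<time> IP <src>.<sport> > <dst>.<dport>: <txid>..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)"
)


def _to_micros(ts):
    """Convert HH:MM:SS.ffffff into integer microseconds since midnight."""
    hh, mm, rest = ts.split(":")
    ss, frac = rest.split(".")
    usec = int(frac.ljust(6, "0")[:6])  # tolerate fewer than 6 fraction digits
    return ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1_000_000 + usec


def analyze(capture, slow_threshold=2.0):
    """Match queries to responses by (client, client port, DNS txid); report per resolver."""
    pending = {}                   # (client, port, txid) -> (resolver, query time)
    latencies = defaultdict(list)  # resolver -> list of seconds
    unanswered = defaultdict(int)  # resolver -> queries with no response in the capture

    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "ethertype Unknown", ARP, etc.
        t = _to_micros(m["ts"])
        if m["dport"] == "53":   # client -> resolver: a query
            pending[(m["src"], m["sport"], m["txid"])] = (m["dst"], t)
        elif m["sport"] == "53":  # resolver -> client: a response
            q = pending.pop((m["dst"], m["dport"], m["txid"]), None)
            if q is None:
                continue  # response whose query was not in the capture
            resolver, t0 = q
            latencies[resolver].append((t - t0) / 1_000_000)

    for resolver, _ in pending.values():
        unanswered[resolver] += 1

    report = {}
    for resolver in set(latencies) | set(unanswered):
        lat = latencies.get(resolver, [])
        report[resolver] = {
            "queries": len(lat) + unanswered[resolver],
            "answered": len(lat),
            "unanswered": unanswered[resolver],
            "slow": sum(1 for s in lat if s >= slow_threshold),
            "max_latency": max(lat) if lat else None,
        }
    return report


if __name__ == "__main__":
    for resolver, stats in sorted(analyze(SAMPLE_CAPTURE).items()):
        print(resolver, stats)
```

Run it against a real capture by piping `tcpdump -ni any port 53 -l` output into a file and calling `analyze()` on its contents; a resolver that shows unanswered queries or a high `max_latency` while another resolver in the same capture is fine points at the path to that resolver (the gateway or WAN link it is reached through) rather than at DNS itself, which matches the multi-WAN finding later in this thread.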

  • We have managed to solve this slow random DNS issue. The problem was having more than one WAN interface and only one of them having internet access.


    It helped having the weight of the WAN links configured but the problem still happened.

    In our scenario, it was viable to leave only one WAN interface to access the internet and set the other networks as LAN. DNS itself is directly consumed from public server.

    It worries me that XG probes all WAN interfaces to get DNS queries. Firewall rules do not affect the internal XG DNS client behaviour.

  • Hi,

    did you set up the DNS in the XG and are you using the XG DNS in your search path?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • The DNS in the XG are set directly to the public servers.

    Guest clients receive the same DNS servers (public) through the DHCP.

    Only one client has the XG as the DNS server (required as the XG has 1 DNS entry registered).

    Having only one WAN interface solved all DNS problems. It wasn't a DNS problem per se. I get that I should only use WAN zones if they actually have internet access.

    I have not found a way to direct the XG DNS queries through a specific gateway.