[9.200] Web Protection Speeds

Has anyone else noticed a pretty severe performance decrease on the latest release of UTM 9.2 soft Release?

I've got 3 UTMs, 2 UTM 220 and 1 UTM 320 that have had their Web Protection Speeds significantly reduced. I've done multiple tests with different policies and still come up with the same problem. For instance, Facebook today took 2 Minutes to process through the UTM before it started to display the logon page.

Network Traffic, CPU Usage and Memory Usage are all normal. I've even tried turning off Caching with no success. The only fix for the speed is to turn off Web Protection.

Web Protection is configured on the Default Profile with Transparent and Agent Authentication.

0 William Warren over 11 years ago

dns latency will cause issues true..if hte categorization time is high that adds to it. I'm not confused..[[:)]] if the system is using the new cloud then great..if it is using cff then that's going to cause issues that i ahve identified within cff..[[:)]]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 lferrara over 11 years ago

Hi Michael,

Thank you. Yes, I am using both Utm endpoint and Utm home at the same LAN(home net). What kind of log can I post to understand slowness?I disabled web control on endpoint but it is still active into Sophos endpoint Antivirus .
Luk
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 StephenWeber over 10 years ago

I'm still experiencing a major decrease in performance from 9.1 to 9.2 on Web Protection. I'm running the latest firmware on a New Sophos SG 210 and web pages still take about 30 to 45 seconds to load. Where as with Web Protection disabled the Web Pages load instantly. Switching the database to memory seemed to help a little bit, but not enough.

I deal with a few different Web Filters and the Sophos Web filter is by far the slowest.

Is anyone else seeing this latency in the Web Protection? I see it with all of my Web Protection clients.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 lferrara over 10 years ago

Hi q2, at home I am using 9.2 from beta date and as I said Web surfing is slower than 9.1 version. If I turn off web filtering surfing is fast as before while with web filter on, it takes even 1 minute.

Last week I have installed a 9.2 iso on Hp server and performance with 50/75 users are very good. So there should be something that is causing that delay.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 William Warren over 10 years ago

I'm not seeing issues with latency BUT you have to have things configure properly. 9.x by default uses the slow cff database. What you have to do is set either the endpoint control to on then turn on the endpoint web control to on..that forces the new cloud database. If you use the cff tweaks you are forcing the system back to the cff database and not allowing the new proxy to do it's own caching(which is quite good). I've removed all of my tweaks and now use the new cloud database exclusively.

There was a time i was having odd issues with performance. What i had to do was remove my system tweaks..let the system settle for a day or so..then make a bnackup and reload form scratch. Sometimes the nuke and reload IS the fix..[:)]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 William Warren over 10 years ago in reply to StephenWeber

I'm still experiencing a major decrease in performance from 9.1 to 9.2 on Web Protection. I'm running the latest firmware on a New Sophos SG 210 and web pages still take about 30 to 45 seconds to load. Where as with Web Protection disabled the Web Pages load instantly. Switching the database to memory seemed to help a little bit, but not enough.

I deal with a few different Web Filters and the Sophos Web filter is by far the slowest.

Is anyone else seeing this latency in the Web Protection? I see it with all of my Web Protection clients.

if this on machines with sophos endpoint installed as well?

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 StephenWeber over 10 years ago in reply to William Warren

Yes the workstations have Sophos UTM Endpoint installed. Web Control is not enabled.

I only enabled the local CFF Database because the performance has been so bad. Are you leaving Cache Enabled? I turn Cache off as if causes more problems then it is worth. I've had multiple occasions of clients getting cached websites with old data.

if this on machines with sophos endpoint installed as well?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Michael Dunn over 10 years ago

There sounds like there may be more than one issue, everyone who is having any problems with speed is posting in two threads (here and one in the non-beta forums).

I think some people are having general slowness where browsing takes a second or two more then it should.  Other people are having issues where the time goes from 2 seconds to 20 seconds.

Some people have this when using Endpoint Web Control.  Other people are not using Endpoint, or not using Web Control.

From now on, when each persons posts, please state exactly what your configuration is and what exactly you are experiencing (1 second delay or 20 seconds, all computers or some, all the time or occasional).

CFF / CFFS cloud / SXL might make a 200 ms difference in pages loads.  If you find that switching categorizers makes a noticeable user difference I am assuming that you are not experiencing 20 second page loads.

Remember everyone, posting logs helps.

If anyone is experiencing a situation where turning on/off a feature (aside from all of Web Protection) greatly affects the speed, please speak up.

Some of this may require WireShark to get packet logs to find out what is really going on and what the real speed and delays are.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 William Warren over 10 years ago in reply to StephenWeber

Yes the workstations have Sophos UTM Endpoint installed.  Web Control is not enabled.

I only enabled the local CFF Database because the performance has been so bad.  Are you leaving Cache Enabled?  I turn Cache off as if causes more problems then it is worth.  I've had multiple occasions of clients getting cached websites with old data.

nopers no caching either.  I do NOT have any sophos endpoints behind a sophos UTM.  If you want to know why i won't talk about it here..hit me up in PM.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 StephenWeber over 10 years ago

Thanks William for putting me on the right path.

It seems that the issue is related to the Sophos Endpoint through the Sophos UTM Web Protection. The Endpoint is calling the SophosXL Database and this is adding a very big overhead to the Website loading times. Below is he code with the Web Protection Enabled with Sophos Endpoint running.

2014:05:05-22:48:02 srwutm httpproxy[23051]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.54" dstip="54.204.255.2" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11" request="0x9277320" url="http.00.s.sophosxl.net/.../" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="55643" device="0" auth="0"

2014:05:05-22:48:02 srwutm httpproxy[23051]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.54" dstip="54.204.255.2" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11" request="0x9277320" url="http.00.s.sophosxl.net/.../" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="54207" device="0" auth="0"

2014:05:05-22:48:02 srwutm httpproxy[23051]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.54" dstip="54.204.255.2" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11" request="0x9277320" url="http.00.s.sophosxl.net/.../" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="58152" device="0" auth="0"

2014:05:05-22:48:03 srwutm httpproxy[23051]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.54" dstip="54.204.255.2" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11" request="0x9277320" url="http.00.s.sophosxl.net/.../" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="55344" device="0" auth="0"

2014:05:05-22:48:03 srwutm httpproxy[23051]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.54" dstip="54.204.255.2" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11" request="0x9277320" url="http.00.s.sophosxl.net/.../" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="54195" device="0" auth="0"

Next is the logs with Web Protection running and all Sophos Endpoint Services stopped. Pages load almost instantly.

2014:05:05-22:49:20 srwutm httpproxy[23051]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.54" dstip="206.190.36.45" user="" statuscode="301" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="213" request="0xdb5eaa0" url="yahoo.com/.../html" application="yahoo"

2014:05:05-22:49:41 srwutm httpproxy[23051]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.54" dstip="63.245.217.20" user="" statuscode="301" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="287" request="0xdb5f980" url="www.firefox.com/.../html" application="http"

This is definitely a bug needs that be fixed ASAP.