I run some pretty heavy database driven websites with nearly all dynamic content. We have thousands of users and average about 2.5mbit of traffic to our site constantly.
After I upgraded our office firewalls to 7.400 we started having problems with customers calling and having pages stop loading, and then refreshing and it just not responding at all. Internally it was fine for our company, just over the firewall having issues. I figured it might be due to this being a physical server instead of an 220. Maybe something was wrong with the network cards and Astaro. So I moved our webservers over to our datacenter firewalls in HA 220s. They are running 7.306 still. This is standard DNAT port 80 and 443 to the servers. No auto packet filter. I setup the packet filter to allow all traffic to both ports on the internal servers.
On the office firewall we are running content filtering, at the datacenter we are not. Same results both places. It isn't a total drop in traffic, only intermittently. I have had people run traceroutes and they are able to reach us just fine. It was so bad that it was costing us business, so I finally decided to put one webserver outside of the firewall with a software firewall in place until I can figure this out. We're back to no problems at all.
We run scheduling systems for hospitals and courts, and this was a lot of stress. Do you guys have any suggestions? I want to make a completely separate network and put our database and webservers onto it and test with different rules over and over. When I get ready to go live again I want to disable the ip on the webserver in front of the firewall and assign it to the firewall and DNAT back into other internal webservers. And then if still having issues hurry and disable the IP on the firewall and put the webserver in front of the firewall back up.
Any better ideas?
-- Edit
I also checked the packet filter and it showed no dropped traffic. Everything was green. To move to the datacenter I changed the DNS and had servers up in both locations until everyone's DNS flushed out.
This thread was automatically locked due to age.
