This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

New to UTM

Hi Folks, just got a new job working at a service desk. One of my customers has a recently installed UTM which, in their words, has crippled web browsing performance.

I'd like to find a good way to troubleshoot these issues, any advice would be appreciated.

Is there a good base level configuration to start with. My client would rather go back to limited protection (as they had before the UTM) to regain browsing performance.

I noticed a huge number of web requests to sophosxl.net in the logs, could this be a problem (nearly 40000 requests in a day)

CPU seems to hover at about 20% and RAM 60% of 2GB

Again, any advice appreciated.

Thanks
Andy

This thread was automatically locked due to age.

Parents

0 Crisman over 11 years ago

Hi Fizzer,

Could you describe the specifications of your customer wan connection speed (DL/UP), hardware used (processor, memory, Nics, ...) and number of clients connected to the UTM?

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 Fizzer over 11 years ago in reply to Crisman

I think the connection speed is 10MB up and 2MB down
25 users

Model is ASG120
2GB ram

Subscriptions: Base Functionality
Email Protection
Network Protection
Web Protection
Webserver Protection
Wireless Protection
Endpoint AntiVirus

Not sure of CPU spec from the dashboard, usage is anywhere between 5 and 20 % with the occasional spike to 40-50%
Cancel
Vote Up 0 Vote Down

Cancel
0 Sascha Paris over 11 years ago in reply to Fizzer

Hi Fizzer

You gave yourself the right answer/assumption

Your customer has UTM Endpoint licenced on the UTM (and most likely installed on the affected clients)

And you see lot of SXL lookups (URL categroization lookups)

Means:
- You have most likely Sophos Endpoint in use at customer site
- Endpoint has the Web in Endpoint Feature (Webfilter) active

Recommendation:
In general I'd activating the Web in Endpoint feature only for mobile clients (Laptops), which also move around outside the UTM secured company network, and disabling this feature for Desktops (Double Filtering...)

However - the sloppy browsing experience comes from the web proxy delay for those lookups...

Create a Webfilter exception for those two URL's (copy and inmport those two lines completely into the exception)
^http://http\.00\.s\.sophosxl\.net/
^http://http\.00\.a\.sophosxl\.net/

where you skip auth, caching, antivirus, extension blocking, mime type blocking and URL filter

This should do the trick.

You will find general UTM tweaks for further tuning here:
https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/21312

it's not completely up2date anymore, but still a good start for tweaking ;o)

/Sascha
Cancel
Vote Up 0 Vote Down

Cancel
0 Fizzer over 11 years ago in reply to Sascha Paris

Thanks for the advice so far.
Have disabled the web in endpoint for all clients (I'm looking for max performance first, then add security later). requests to sophosxl.net have stopped completely

Other thing I have notice is that we are running version 9.105-9 and that there are 2 updates waiting for update.

I'm inclined to install the updates (out of hours) however I only have remote access and the customer site is 45 minutes away by car. I don't want to risk cutting myself off.

What is the risk of isolating myself from the unit if I do an upgrade remotely?

Is there a way to mitigate that risk by enabling access to administer the UTM from outside? (rather than from a remote session to a computer inside their network)

Again, thanks for the help so far... looking forward to a happy customer!

Andy
Cancel
Vote Up 0 Vote Down

Cancel
0 RFCat_vk_01 over 11 years ago in reply to Fizzer

Remote access, you can limit the address ranges that can access the UTM admin from external, same as internal.

Unless there is something badly wrong with your configuration remote installation works very well. I installed the latest version on my son's UTM using the timed update feature. He lives 45 minutes away from my home.

If you have a number of customers running UTMs, you can build yourself a small SUM (Sophos UTM Manager), the software is free from Sophos. Small VM, 1 cpu, 1 to 2gb ram, 1 NIC and 60 or so gb of disk.
By sharing a secret with the UTMs you can remote into them a WEB interface and have full rights.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Fizzer over 11 years ago in reply to RFCat_vk_01

This is great info, thanks folks. I think direct remote access would be a good safety net.

I've found a big performance boost by disabling web traffic AV scanning.

Using fiddler and yahoo.co.uk as a test site (it's heavy and got a lot of rubbish on it so I think it's a good test):

With AV enabled I can see that the 250KB page has to be downloaded by the UTM and scanned before any of the other page elements will load, this takes at least 1.5 seconds each time (sometimes more) only once the browser has received the full page will the other elements load. The browser takes a long time to render anything.

With AV disabled, the page (the same 250KB) loads in parallel with the elements of the page and the page can be rendered within a couple of seconds (sometimes nearer 1 second) with a few stragglers referenced from other sites coming in at the 3 to 5 second mark .

Have asked the customer to test and have my fingers crossed...
Cancel
Vote Up 0 Vote Down

Cancel
0 Fizzer over 11 years ago in reply to Fizzer

I'm wondering if there's actual problem may be a network config problem

I can see that the SBS server is preferring to use ipv6, I've changed the registry to prefer ipv4 (tested this on a client workstation with an nslookup, it did work)

Server:
C:\Users\admin>nslookup FJS.COM
Server:  UnKnown
Address:  fe80::634:aed2:a3a7:f25c

Name:    fjs.com
Address:  72.167.232.6
Aliases:  FJS.COM

Client (with reg change):
C:\Users\admin>nslookup FJS.COM
Server:  server.mydomain.local
Address:  192.168.10.254

Non-authoritative answer:
Name:    fjs.com
Address:  72.167.232.6
Aliases:  FJS.COM

My theory is all forwarded dns requests from the sbs server go out initially as ipv6 and the utm isn't set up to deal with this. I wonder if this happens that the ipv6 request needs to timeout before ipv4 is used.

Anyway, a reboot of the server is due this weekend which should make the change, fingers crossed - customer is getting V shirty.

As a secondary point, is there any risk in temporarily replacing my ISP DNS forwarders (Network Services>DNS>Forwarders) with public ones (google or other) They are currently set to 217.169.20.20 and 217.169.20.21 which I assume must be the ISP dns servers.

Thanks in advance

Andy
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Fizzer over 11 years ago in reply to Fizzer

I'm wondering if there's actual problem may be a network config problem

I can see that the SBS server is preferring to use ipv6, I've changed the registry to prefer ipv4 (tested this on a client workstation with an nslookup, it did work)

Server:
C:\Users\admin>nslookup FJS.COM
Server:  UnKnown
Address:  fe80::634:aed2:a3a7:f25c

Name:    fjs.com
Address:  72.167.232.6
Aliases:  FJS.COM

Client (with reg change):
C:\Users\admin>nslookup FJS.COM
Server:  server.mydomain.local
Address:  192.168.10.254

Non-authoritative answer:
Name:    fjs.com
Address:  72.167.232.6
Aliases:  FJS.COM

My theory is all forwarded dns requests from the sbs server go out initially as ipv6 and the utm isn't set up to deal with this. I wonder if this happens that the ipv6 request needs to timeout before ipv4 is used.

Anyway, a reboot of the server is due this weekend which should make the change, fingers crossed - customer is getting V shirty.

As a secondary point, is there any risk in temporarily replacing my ISP DNS forwarders (Network Services>DNS>Forwarders) with public ones (google or other) They are currently set to 217.169.20.20 and 217.169.20.21 which I assume must be the ISP dns servers.

Thanks in advance

Andy
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data