firewall issues - need suggestions

Yesterday, I was setting up some servers at a colocation facility. They are all running Windows 2k/2k3 with IIS and serving as web servers for our own sites as well as for customers. All servers are configured with dual processors and ample memory, so performance is not an issue in this regard. They are running behind a burstable T1 that's coming into our network via a WatchGuard firewall.

The problem I'm having is a slow internet connection, and the firewall seems to be the culprit. I'm noticing increased latency when I have an external connection coming in through the firewall appliance. When I take it out and plug our network directly into the T1, the internet speed drastically increases. I anticipate a little performance degradation with a firewall, but not this much. When I do an Internet speed test, I only get between ~550-800 kbps throughput. But when I take out the firewall appliance, it jumps way up. The network port on the appliance is 10/100 autodetect, and I suspect that this port is not handling the traffic coming in from the Cisco router very well. I've heard that Cisco routers don't like an autodetect connection on the other end...don't know how true that is?

On the other hand, the issue may be improper firewall configuration. Maybe I have overconfigured the firewall, so that's why it's taking too much time to handle incoming and outgoing traffic. I will later post screenshots of the configuration for you to take a look at.

Since the security update subscription has just expired on our firewall, I'm looking into other options available, including evaluating other ones out there. A couple that interest me are Check Point's Firewall-1 and Cisco's PIX. Does anyone have any experience with these? Are there any others that you have used at corporate/enterprise level and would recommend?

If you have any comments, tips or suggestions regarding optimizing firewall configuration to avoid latency, please let me know.

Thanks.

Re: firewall issues - need suggestions

How about changing autodetect to 100 Mbps? I haven't used WatchGuard so I have no idea how it works.

Re: firewall issues - need suggestions

Unfortunately there isn't a way to change the port settings. It connects to what is available.

Re: firewall issues - need suggestions

I wouldn't put the appliance at 100 Mbps, cuz most Cisco routers are only at 10 Mbps on the network side.

I'm a big fan of PIX. Firewall-1 is fine but is not as intuitive. With PIX, setting up site-to-site VPNs as well as peer VPN is very neat. Plus, if you are going for version 7, it lets you have Active/Active redundancy, which makes it an excellent choice for load balancing.

Re: firewall issues - need suggestions

That's what their network guy told me: that it's better to have a 10 Mbps port attached on the other end because their routers are set at 10. But the Firebox automatically connects at 100 and there isn't anything I can do about it.

I know a couple of people that are using PIX and they claim it was a bit challenging to install and manage. I'm going to read up on their site and get more info about it. One thing I liked about the Firebox is that it provides real-time monitoring....although there isn't much you can do in real time when you see an intrusion going on.

Re: firewall issues - need suggestions

Sure it's challenging at first, cuz it's got tons of options. But you don't have to use them all. Most of the time you just need a basic config and then you build on it as you go on. I can script out the whole basic config for you if you'd like (of course not fi-sabi-lillah), just tell me the IP structure for the servers and what goes where, and then you just paste the script in the terminal and voila ;)

Re: firewall issues - need suggestions

cool :D

Well, the network at the data center is real simple. Basically it has 2 servers running IIS. I'm planning to add more once I have everything set up. Just need to configure the ports allowed in....and that's pretty much it in terms of firewall config. That load balancing thing sounds real interesting...I've been working towards creating a real-time server redundancy solution but haven't had too much luck so far.
If it works out well here, then I'll do the same for our HQ...it gets a little tricky over there because we have a DMZ and a private network with NAT. I don't know if you remember my old post, but we've got 2 different firewalls at 2 levels going on...the Firebox for the DMZ and the private network behind Smoothwall. I think 2 is overkill, but based on the existing hardware and configuration, that was the only option at the time.

The whole point of reconfiguring the existing firewall is the latency in internet speed...hopefully a new solution would take care of it. How has your experience been with PIX? Does it slow down the traffic at all? How is its performance?

Re: firewall issues - need suggestions

Tofi - what model do you have? From looking at the specs, it seems even a 501 might fit our needs, or maybe a 506E would do.

Re: firewall issues - need suggestions

We have several. I have a 501 that I use for testing. I have a 515E with 3 NICs, another with 4 NICs, and then a 506 with 2 NICs. These PIXs were configured by someone else (I just started working at this company) and it's a little complicated with all kinds of DMZs and site-to-site VPNs, so I'm still trying to decipher the configs. (You guessed it, no documentation.)
The 501 that I mentioned above is my own. It might be enough for what you described. But it doesn't have any redundancy option, it lacks multi-NIC configs, and I believe it can only scale up to a 50-PC license. But if you just have incoming, then that shouldn't be an issue.