
4/11/2017 Horrible Website Loading Speeds with Content Filtering / IPS enabled - Sophos XG Firewall General Discussion - XG Firewall - Sophos Community

Horrible Website Loading Speeds with Content Filtering / IPS enabled

Hi everyone,

I'm posting here as a last-ditch effort before I return my Sophos XG products for a refund and go with
Meraki or Sonicwalls.

Over the last week or so, I have been receiving complaints from my client stating that their internet
speeds are painfully slow. I ran a speedtest from speedtest.net and they were getting 100 down / 10 Up,
so it's not an issue with download speeds. I verified the issue is it can take 6-10 seconds to load a
website. Websites that are especially graphics-heavy or secure, such as banking websites, seem to take
the longest. (HTTPS scanning and HTTP scanning are disabled)

I spent some time troubleshooting the problem and determined that the problem goes away when I turn
off "Default Workplace Policy" and "LAN to WAN" IPS policy. BOTH of these are combining to cause the
slow speeds. For example, if I only turn on Default Workplace Policy (and leave IPS off) what it will do is
take 3-5 seconds to load all of the content on each website. I.E. it will load the content in small chunks,
such as images etc. An interesting thing to note is even when "Allow All" is selected, it still takes this
long. I have to select "none" for the speeds to improve.

When I turn OFF "Default Workplace Policy" and turn on only the IPS, then it takes 3-5 seconds to start
loading the website. It will be stuck at "Establishing Secure Connection" or "Resolving Host" for that
period of time then it will load the page quickly after the initial 3-5 second waiting period. If I turn both
off, the page loads in 0.5 seconds.

I understand there are tweaks I can do to improve the IPS speeds but there seems to be nothing I can do
about the content filtering... except turn it off.

Before I return these Sophos products, I wanted to reach out to the community to see if there was
anything I can do.

Note, this happens on both my Sophos XG125 (serving 12 users), and Sophos XG105 (serving 3 users).
The CPU on both is usually around 10% and memory around 50%. The only option is to turn IPS and
content filtering off.... which is a horrible solution.  This Sophos product has caused me nothing but
problems since I bought it.

Thanks,

Chris

https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/77254/horrible-website-loading-speeds-with-content-filtering-ips-en…

lferrara

Chris,

can you share your policy settings? Also which DNS servers are your client using?

Provide us more information on your configuration.

Thanks

ChrisWestmacott

In reply to lferrara:

Hey Luk,

Screenshots below. Running a barebones LAN to WAN policy but as soon as I turn on either
"Default Workplace Policy" or "LAN to WAN" IPS policy, website loading speeds slow to a crawl. I
think the Default Workplace Policy causes the biggest hit.

Workstations use the XG125 as their DNS server, however I have also set it to 8.8.8.8 (Google) to
no avail.  I haven't tried rebooting the XG125 but it's only been online for 4 days... can't imagine it
being a reboot issue.  Even when I set Content Filtering to "Allow All" the problems start... they
only go away when I select "None".

I have tried disabling all policies except LAN to WAN and it did not help.  Is it normal for Content
Filtering / IPS to slow down website loading speeds so darn much?  Ever since I turned it off I've
been getting praises from my client about how fast it is.  As soon as I turn on even one of those
two features, the complaints come rolling in...

Screenshots:


IvanValentinov

Hi,

try adding 

 - Apply Web Category based Traffic Shaping Policy

hope that helps

sachingurung

Hi Chris, 

Please follow:

Step 1: Verify DoS Settings

One major reason for slow browsing is an ongoing DoS or DDoS attack. It may be possible that
DoS settings are not enabled in XG, hence the attack was not detected, or the settings are
inappropriate. Navigate through System > System services > DoS and Spoof prevention.

Step 2: Check DNS Configuration


The following may be the reasons for slow browsing:

Case 1

An Internal DNS server is configured for LAN users and all DNS requests are directed to it. Issues
with the Internal DNS Server or the External DNS Server, to which it forwards requests, may
result in overall slow browsing.

Resolution: To resolve this issue, contact appropriate administrators or Server vendors.

Case 2

Multiple ISP Links are terminated on XG and user systems are configured with a particular ISP’s
DNS. In this case, the outgoing DNS traffic gets load balanced. Hence, two (2) possibilities occur:

- If a DNS request travels through the ISP Link whose DNS is configured in user’s system, the
request is resolved and turnaround time is good.
- If a DNS request travels through another ISP Link, the request is dropped because the DNS
configured in user’s system does not match ISP’s DNS.

This results in only partial DNS requests in the network to be resolved, which ultimately leads to
slow browsing.

Resolution: Configure a Static Route in XG that forwards all DNS Traffic to the ISP Link whose
DNS is configured in user’s systems. 

Step 3: Check for Packet Loss within the Network

Loss of packets during transmission between network nodes may result in reduced browsing
speeds.

Resolution: To check for Packet Loss, follow instructions given below.

Take SSH to XG and go to option 4. Type console> show network interfaces

Check if you discover any drop and error packets on the interfaces.

Finally, if you still face slow browsing, check what is the bandwidth utilization on XG and if any
QoS is applied to control the web traffic. 

Hope that helps :)


IvanValentinov

In reply to sachingurung:

Hi,

I am sorry but Chris's DNS is "Workstations use the XG125 as their DNS server, however I have
also set it to 8.8.8.8 (Google) to no avail."

and I feel confused with your DNS case 1 and case 2 suggestions...

I don't believe DoS protection will be the case, as it's disabled by default.

Packet loss? He said removing IPS solves his issues and enabling it back on breaks his www
surfing.

Chris, I had a lot of issues with the IPS, and most of them I solved just by moving the rules /
changing their places back and forward... but before that check your IPS rules and inside
Diagnostics -> IPS -> you should be able to see if that's the root of your problem?

sachingurung

In reply to IvanValentinov:

Hi,

I missed Chris's later post. I replied to his initial question. But, I will still wait for him to reply.

Thanks

ChrisWestmacott

In reply to sachingurung:

Hi everyone,


I resolved the issue; thank you for your suggestions. The problem was under Network -> DNS,
the primary DNS for the Sophos XG was its internal LAN IP (10.0.0.1). I did a DNS test from
the XG and response times were over 400msec. As soon as I changed the device DNS from
that IP to the ISP's DNS servers, response times went down to 5-50msec. I could then enable
IPS and content filtering with no lag noticed on the workstation end. I'm not sure why no one
suggested this (including Sophos support in a ticket I've had open for weeks about the issue),
which is annoying because I don't feel I can rely on them for support when I need it.

Now to figure out how to get L2TP remote access working... I got PPTP and SSL VPN working
no problem, but am having a problem with L2TP even after setting authentication to ANY via
the CLI, ensuring the PSK matches between client and the XG, defining a scope in the L2TP
settings, defining a L2TP connection and clicking "active" to turn it green, and so on... I guess
I'll make another thread about that.

Thanks,

Chris
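
The comparison described in the post above (timing lookups against the resolver the firewall was pointed at versus an alternative) can be reproduced from any host, as an added example that is not part of the original thread or any Sophos tooling. The 200 ms threshold and the lookup names are assumptions; 10.0.0.1 and 8.8.8.8 are the addresses mentioned in the thread.

```python
import os
import socket
import struct
import time

def build_query(name, qid):
    """Encode a minimal DNS A-record query (RFC 1035) with recursion desired."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def time_query(server, name, port=53, timeout=2.0):
    """Return (latency_ms, rcode) for one UDP lookup, or (None, None) if no answer."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        try:
            s.sendto(build_query(name, qid), (server, port))
            while True:  # ignore stray datagrams whose transaction ID does not match
                data, _ = s.recvfrom(4096)
                if len(data) >= 12 and struct.unpack(">H", data[:2])[0] == qid:
                    break
        except OSError:  # timeout, unreachable network, refused
            return None, None
        elapsed = (time.perf_counter() - start) * 1000.0
    return elapsed, struct.unpack(">H", data[2:4])[0] & 0x000F

def compare(servers, names, slow_ms=200.0, port=53, timeout=2.0):
    """Upper-median latency per resolver; flag resolvers that are slow or drop queries."""
    report = {}
    for srv in servers:
        samples = [time_query(srv, n, port, timeout)[0] for n in names]
        ok = sorted(x for x in samples if x is not None)
        median = ok[len(ok) // 2] if ok else None
        report[srv] = {"median_ms": median, "lost": len(samples) - len(ok),
                       "slow": median is None or median > slow_ms or len(ok) < len(samples)}
    return report

if __name__ == "__main__":
    # Addresses from the thread; lookup names are constructed sample input.
    names = ["example.com", "example.org", "example.net"]
    for srv, result in compare(["10.0.0.1", "8.8.8.8"], names).items():
        print(srv, result)
```

A resolver flagged `slow` here is worth checking before tuning IPS or web filter policy, since both features depend on name lookups made by the firewall itself.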

sachingurung

In reply to ChrisWestmacott:

Hi5!!

Thanks
