Upgrade needed???
I'm running a Firebox T10 on my home network. I use one subnet for the house and the second for work. In the past few months I've noticed the house subnet often has issues accessing IPv4-based websites (no problem with IPv6 addresses) and my WiFi is in shambles. However, if I bypass the Firebox, some of the problems go away -- I can reach the Comcast Gateway while I cannot access the WiFi that's behind the Firebox.
I'm running mainly Win10 systems (some game systems for the kids, one Linux laptop plus cell phones) -- about 30 devices in total. I have three questions: Has the T10 simply run out of gas to handle WiFi 5/6 and would an upgrade to the T35 solve the problem? If I upgrade to the T35, can I just copy over my configuration file from the T10 and use that? I'm no network engineer -- I just write about them.
Comments
A T10 has always been a tad underpowered. I'd recommend a trade-up to the T20, not a T35. My T20 is easily as fast as my T35, maybe even faster. What do you use for WiFi? I use Ubiquiti UniFi wireless access points and I have no issues, but I also don't have 30 wireless devices.
You can copy the config to the new Firebox, change the feature key, then save it.
Gregg Hill
A T20 is a much newer device than the T35.
If the T20 specs look good enough, it will have a longer supported lifetime than the T35.
Here is the comparison for a T10, T35 & T20:
https://www.watchguard.com/wgrd-products/appliances-compare?pid1=216&pid2=17846&pid3=42051
Not sure why the comparison tool suggests that the T20 is only good for 5 users... I'm using one with no issues.
And as Gregg said, the T10 was always underpowered.
I have a similar configuration at home, work network, camera vlan, guest vlan, wife work vlan ........ and it was running on a T-10.
It worked but my Internet struggled even though I had the fastest speed I can get at home.
Then I upgraded to a T-20 and boy-howdy did that make a difference. Even with all the scanning and DPI I actually had a speedtest.net result of over 700mb / sec download. Pretty impressed.
It's usually something simple.
IF for some reason you DO want a T35...DON'T buy one! Get a T40 instead for the same price.
Gregg Hill
I have a T35 and T40. The T40 is light years ahead of the T35 in terms of real world performance. I don't have a T20, but I have heard nothing but good comments from people that have them.
Adrian from Australia
Thanks, all. Will my T10 config files work with the T20?
Yes.
Move a Configuration to a New Firebox
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/config_file_use_new_model_wsm.html
Then I think I have all I need for now. Thank you all for your great help. Very much appreciated. Hope everyone has a very Happy Thanksgiving and a safe and sane holiday season.
Just to jump in here, I know this is dated but we are getting a ton of issues with clients that have been upgrading to Spectrum 600x60 service. They either have a T10 or T15. Can't get over 80Mbps out of them. How are you guys handling these issues? I have even tried disabling all the UTM services but still no gain. Just put in bigger boxes?
Hi @Larry.
I wouldn't expect anything over ~100Mbps with a T10. For a 600Mbps line I'd suggest at least a T80.
Try the sizing tool here:
https://www.watchguard.com/wgrd-resource-center/watchguard-appliance-sizing-tool
-James Carson
WatchGuard Customer Support
James,
I am confused. I have Spectrum 200 x 10 service, and with my T20, I get about 220 x 11 speeds on a bare packet filter test. I just put my old expired T10 in place as a test using a bare unrestricted packet filter, and it got 96Mbps x 10Mbps.
At a minimum, I expected performance higher than its rated 160Mbps for an IPS Fast Scan because there supposedly is NO scanning taking place.
A T10 has a Gigabit WAN interface, so with all UTM services off and just using a straight packet filter, why does it have sub-100 Mbps speed? With zero scanning, I'd expect to see it max out my 200 Mbps WAN connection.
Gregg Hill
As a reference, I have a T20, with a 300 Mbps cable connection.
I get 250+ Mbps on download speed test with a 15 ms ping latency, using a packet filter and connected with Ethernet.
No idea what the real max throughput is for a packet filter speed test for a T20.
The IPS value is 271 Mbps
https://www.watchguard.com/wgrd-products/appliances-compare?pid1=42051&pid2=42056&pid3=42061
Hi @Greggmh123
IPS is most like, it won't match. Speeds will vary based on what you're doing (your testing methodology, and load on the firewall.)
The T10 is a rather old device, and the measured speeds on it would be back with its released firmware (11.8.5.) We've added quite a few features since.
If you're not seeing expected throughput, I'd suggest opening a case with WatchGuard support so they can test with you and go over the results you're seeing.
Both your and Bruce's tests are about what I'd expect to see for those respective devices.
-James Carson
WatchGuard Customer Support
James,
Regarding "IPS is most like, it won't match", I don't expect a packet filter to match IPS Fast Scan speeds; I expect it to EXCEED that old rated 160Mbps IPS Fast Scan speed. After all, with an expired UTM and just a bare packet filter, there shouldn't be anything to slow it down by half the connection's rated 200Mbps speed.
My question to you is WHY you would expect just a bare packet filter to be at 100Mbps or slower when the T10's 1000Mbps port is connected to 200Mbps service. If it's not filtering anything, why would it drop the speed by over 100Mbps?
I'll test again tomorrow to see what its actual connection is and verify if it was at 1000Mbps to begin with. The T10 was a testing unit, so there is some chance I have a restriction on it somewhere.
Gregg Hill
Hi @Greggmh123
If you're not seeing the speeds you expect, please open a support case. There's not nearly enough information to troubleshoot this here.
The addition of security services running on the device as well as software updates could potentially be causing the issue. Depending on when the T10 expired, its feature key may also have a line that needs to be changed. Testing process also plays a role. None of this is going to be shareable in the forums due to PII potentially being shared.
-James Carson
WatchGuard Customer Support
My T10 feature key expired April 26, 2018, and it has Fireware 12.2.1 on it. Testing was through a plain packet filter with Any as the protocol and Any as the target, using speedtest.net servers.
What line are you talking about? No PII below!
Serial Number:
License ID:
Name: 11-01-2018_07:57
Model: T10
Version: 2
Feature: APP_CONTROL@Apr-26-2018
Feature: AUTHENTICATED_USER#200
Feature: AV@Apr-26-2018
Feature: BOVPN_TUNNEL#5
Feature: FIREWARE_XTM
Feature: FW_RULE#0
Feature: FW_SPEED#400
Feature: FW_USERS#0
Feature: IPS@Apr-26-2018
Feature: L2TP_USER#5
Feature: LIVESECURITY@Apr-26-2018
Feature: MUVPN_USER#5
Feature: NETWORK_DISCOVERY@Apr-26-2018
Feature: RED@Apr-26-2018
Feature: SESSION#100000
Feature: SPAMBLOCKER@Apr-26-2018;UC1xxxxxxxxxxxx
Feature: SSLVPN_USER#5
Feature: VLAN#10
Feature: VPN_SPEED#100
Feature: WEBBLOCKER@Apr-26-2018
Expiration: never
Signature: xxxxxxxxxxxxxxxxxxx
Gregg Hill
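Added example (not part of any post in this thread and not WatchGuard code): a Python parser for feature key text in the format posted above, listing the date-stamped features that are past their date and the features that carry a number. Reading `@date` as an expiry date and `#n` as a numeric limit is an assumption taken from the format as posted; the thread gives no units for those numbers.

```python
import re
from datetime import date

# Constructed sample: a subset of the feature key lines as posted in the thread.
SAMPLE_KEY = """\
Model: T10
Feature: APP_CONTROL@Apr-26-2018
Feature: BOVPN_TUNNEL#5
Feature: FIREWARE_XTM
Feature: FW_SPEED#400
Feature: IPS@Apr-26-2018
Feature: SPAMBLOCKER@Apr-26-2018;UC1xxxxxxxxxxxx
Feature: VLAN#10
Expiration: never
"""

# Month names are mapped by hand so parsing does not depend on the system locale.
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

FEATURE_RE = re.compile(
    r"^Feature:\s*(?P<name>[A-Z0-9_]+)"
    r"(?:@(?P<expiry>[A-Za-z]{3}-\d{1,2}-\d{4})|#(?P<limit>\d+))?"
    r"(?:;\S+)?\s*$")  # optional ';...' suffix, as on the SPAMBLOCKER line

def parse_feature_key(text):
    """Return {feature: {"expiry": date or None, "limit": int or None}}."""
    features = {}
    for line in text.splitlines():
        m = FEATURE_RE.match(line.strip())
        if not m:
            continue  # Model, Serial Number, Expiration, Signature, ...
        expiry = None
        if m.group("expiry"):
            mon, day, year = m.group("expiry").split("-")
            expiry = date(int(year), MONTHS[mon], int(day))
        limit = int(m.group("limit")) if m.group("limit") else None
        features[m.group("name")] = {"expiry": expiry, "limit": limit}
    return features

def expired_features(features, today):
    # Assumption: a feature counts as expired from the day after its date.
    return sorted(n for n, f in features.items()
                  if f["expiry"] and f["expiry"] < today)

def numeric_limits(features):
    return {n: f["limit"] for n, f in features.items() if f["limit"] is not None}

if __name__ == "__main__":
    feats = parse_feature_key(SAMPLE_KEY)
    print("expired:", expired_features(feats, date(2018, 12, 15)))
    print("limits: ", numeric_limits(feats))
```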
@Greggmh123 Did you have any time to test?
@Larry
Yes. See my December 15th post.
EDIT: Hmm, I think you were referring to testing its connection, either 100 or 1000, not the download speed. No, I have not checked that yet.
Gregg Hill
Larry,
If you were referring to testing my T10's connection, meaning either 100 or 1000, not the download speed, then I just reconnected the T10 and confirmed it is connecting at 1000Mbps to my cable modem.
With expired UTM and a plain packet filter doing no scanning, I just got 95 x 11 on my Spectrum 200 x 10 service. On my T20, I get over 200 down and 10 to 12 up going through the same packet filter.
Gregg Hill