Webblocker - Browsing performance really bad
Hi,
I've been asked to restrict a single user from accessing specific sites during office hours. I couldn't see a simple way of doing this (single user) through the WebBlocker GUI so I've done the following (please let me know if this is correct or not).
I've created a WebBlocker action called UserRestricted and gone through the list and checked the categories that these sites fall under. Next I've created 2 Firewall policies, one for HTTP and one for HTTPS; in the proxy actions section I've specified the UserRestricted action as previously created. The "FROM" is the IP address of the PC that the user resides on. All other settings are default. Finally I've installed the root certificate on the user's PC for the HTTPS traffic.
Everything seems to work, i.e. the user can't get to the sites I've blocked, but the browsing performance is really bad: sites like Google etc. are timing out on first load and only loading on a second try. I've tried removing all the logging from the WebBlocker action, which I thought might help, but it hasn't.
Just to prove it's the policies if I disable them the browsing performance returns.
The unit is T30 with version 12.5.7.B640389, the CPU looks to be OK however memory is running at about 90%.
Any help/pointers gratefully received.
Rob
Comments
Where in the world are you located?
Perhaps something in this can help:
Optimize WebBlocker performance
https://techsearch.watchguard.com/KB/?type=KBArticle&SFDCID=kA2F00000000LRpKAM&lang=en_US
Thanks for the reply Bruce. I'm based in the UK. I've had a read through the article you posted, everything appears to be in line with the article i.e. DNS etc. It is a bit of an odd one.
Consider opening a support incident on this.
Are you using webblocker for your other users at all?
The delay smells of a DNS issue with the webblocker cloud.
Have you tried an on-prem webblocker server instead?
You don't get the number of categories or the granularity as with the cloud based version, but the response time should be improved.
It's usually something simple.
@shaazaminator
"You don't get the number of categories or the granularity as with the cloud based version"
Are you sure about this?
That was true for the old SurfControl WB server for Fireware v12.1.x or lower, but I don't believe that this is the case for the new Websense Cloud based local server.
Set Up a WebBlocker Server
https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/services/webblocker/wb_server_manage_c.html
I reached out to support in the end. They suggested disabling the traffic management in Global settings, and this improved the performance noticeably. It still isn't perfect, but I think that might also be down to the spec of the T30 not having enough horsepower.
Nope Bruce, not entirely certain, but I don't configure FBs with WebBlocker every day. If the on-prem WB server is able to utilize the Cloud and contain the same categories and granularity as the Cloud-based server, then that is awesome. More people may use the on-prem option, especially if their Internet connection is limited.
Thanks for pointing this out.
It's usually something simple.
@shaazaminator
The current webblocker server is effectively a copy of the ones the fireboxes query that's pulled down every day. The category list is the same.
There used to be a differentiation between SurfControl and WebSense, but SurfControl was sunset several years ago. Everything was migrated to WebSense on supported firewalls.
-James Carson
WatchGuard Customer Support