X1250e Underperforming at ~390-400Mbps

Firstly, I appreciate our Firebox x1250e is old and out of support now but we have an issue that somebody can hopefully provide assistance with.

We have recently upgraded our WAN line to 1Gbps (100Mbps before). From the documentation, our X1250e should be able to pass ~1.5Gbps.

We are running a simple firewall in routed mode with no proxy/VPN or anything and have an issue where the x1250e is only able to achieve around ~390-400Mbps.

It seems to be behaving like an X550e even though it has a full license for X1250e.

We are running Fireware XTM v11.3.8.B451218 and managing with WSM v11.10.4.

Is this a configuration issue? Is there any way to resolve this?

Thank you for your help in advance.

Comments

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @ianstephens

    Thanks for writing,

    The firewall throughput number you're referencing is a figure that expresses how much data the firewall can move in total across all interfaces under very specific tests, and won't be a realistic number that for moving data from (for instance) a trusted to external interface.

    For most circumstances, moving data between two interfaces on a x1250e will see something along 350ish Mbps. Please keep in mind that those tests were run many years ago, with hardware and loads from the time the firewall was supported.

    For a firewall of that era, you'd likely need one of the Firebox Peak x8500e, and that still may not pass a full gig.

    Current hardware that is designed to handle gigabit traffic at speed would be the T70 or M270 firewalls.

    (WatchGuard Firebox T70)
    https://www.watchguard.com/wgrd-products/tabletop/firebox-t70

    (WatchGuard Firebox M270 & M370)
    https://www.watchguard.com/wgrd-products/rack-mount/firebox-m270-m370

    We have a sizing tool that might be helpful here:
    https://www.watchguard.com/wgrd-resource-center/watchguard-appliance-sizing-tool

    With the above in mind, the entire Firebox X series hasn't seen a software security update since 2015. I would not recommend running a firewall that is that old, as there have been many updates to Fireware since that cover software vulnerabilities.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • James:
    Where can prospective Firebox purchasers find out 2 interface (ie. trusted - external) expected throughput values such as you have posted above?

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @Bruce_Briggs
    A good place to start is the IPS or UTM figures on a datasheet, as those will be the numbers most customers are actually interested in.

    IPS is the closest figure to a straight packet filter that is tested.
    UTM will show with IPS, GAV, and proxy services on.

    Unfortunately, current tests aren't run on the end-of-life firewalls, so aside from the tests that were run on the firewalls at the time, attainable speed will be a bit of a guess.

    The WatchGuard Product Matrix page in the partner resources page (in the partner portal) is a good quick reference, otherwise the appliance sizing tool in my previous post will get you those numbers based off the data you put in.
    https://watchguard.force.com/customers/resourcecenter

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • This is becoming a real issue with the ISP's actually delivering 500+Mbps circuits over coax. Really starting to feel the smaller WG FB limitations.

  • edited December 2020

    I just looked at that sizing tool (21 year WG admin and never seen it) and from what it shows we shouldn't be selling anything smaller than a T80? Wow, this is really eye opening.

  • As a reference, I have a T20, with a 300 Mbps cable connection.
    I get 250+ Mbps on download speed test with a 15 ms ping latency, using a packet filter and connected with Ethernet.
    No idea what the real max throughput is for a packet filter speed test for a T20.
    The IPS values is 271 Mbps
    https://www.watchguard.com/wgrd-products/appliances-compare?pid1=42051&pid2=42056&pid3=42061

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @Larry

    The sizing tool is really handy because it takes a lot of the guesswork out of figuring out what to get -- but also keep in mind that it's just a guess at what might fit best. If it runs into a situation where it's between two firewalls it'll always err up to the next model. It's mostly looking at the UTM (full scan) number on the firewall datasheet for throughput itself.

    The IPS figure (which is going to most closely match what a straight packet filter will perform at for the T40 is 510Mbps, so if you wanted just straight packet filters and no security services -- that could be a better choice.

    https://www.watchguard.com/wgrd-resource-center/docs/firebox-t40

    -James Carson
    WatchGuard Customer Support

  • Ok, so I am getting conflicting information on all this it seems. My rep says to look at the UTM speed. Now, you are saying the IPS speed.

    All I know is, I have many T15's out there now that clients are upgrading and I can't get more than 80-90Mpbs out of them even when I disable all the security features.

    The T15 throughput specs say UTM (fast/full scan) 90Mbps/52Mbps and IPS (fast/full scan) 160Mbps/80Mbps. Again, not sure what fast vs full scan is.

    Not sure why there isn't a doc that explains all these. What is IMIX?? No idea.

    Very frustrating and feel like an idiot trying to explain to clients.

    I won't even talk about the XTM 25 clients that didn't want to upgrade coming out of the woodwork. They are easy I guess, upgrade.

  • Notice that James said IF

  • @Larry

    Per https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/ips/ips_config_c.html?Highlight=ips fast scan


    IPS has two scan modes

    Full Scan — Scan all packets for policies that have IPS enabled.
    Fast Scan — Scan fewer packets within each connection to improve performance.

    Full scan mode inspects a larger portion of the file and requires more time and resources to complete. Fast scan mode inspects a smaller portion of each file that in most cases is enough to identify all threats, and provides much better IPS performance. WatchGuard recommends you use the Fast scan mode in most environments.


    Now my point to James has been that if the IPS Fast Scan speed is 160Mbps, then why does he expect sub-100Mpbs with NO scanning? Shouldn't a packet filter with ZERO scanning be FASTER than a filter doing IPS of any kind?

    Gregg Hill

Sign In to comment.