Is Content Inspection on an XTM25 unrealistic

We are testing full Content Inspection on an XTM 25 with firmware 12.1.3.

I know this box is aging so is it unreasonable to expect this to work well? The page load times went from 1 second to over 10 seconds. This is on XTM 25 with pretty light usage.

The LOAD indicator lights quickly go to all yellow and even dance in the RED.

When I turn off CI, everything moves very fast.

Or could I be missing something?

Thank you,

HRM

Comments

  • I didn't have this issue with my XTM 25w - for at least 2 years.
    Now using a T35w.
    Do you have GAV and RED enabled on the HTTP proxy action selected in your HTTPS proxy action ?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Hmorris,

    XTM 2 series should be able to handle content inspection, but the performance will have a lot to do with the actual traffic on your network. If the traffic was previously going out a packet filter (or a https proxy without inspection turned on,) it might end up being too much for that device to handle in a timely manner.

    If you continue to have issues with the device, I'd suggest opening a case with one of WatchGuard's support reps so that they can help take a look at it.

    You can log into your support portal online, or call +1.877.232.3531 option 2.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • No. GAV and both RED options are not enabled.
    Should I enabled the RED options ?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Hmorris,
    I'd suggest turning on RED as it'll bypass some scanning for websites with good reputation

    In this case, it probably won't make much of an impact, but it's certainly worth giving a try.

    -James Carson
    WatchGuard Customer Support

  • My experience with my XTM 25 was that with GAV not enabled and RED enabled, HTTP/HTTPS response time was slower.
    RED's primary value IMHO is to no do GAV scans on "good" sites.
    However, a RED lookup does incur a delay for a web site which is not in the RED cache.

  • I tried making some of these changes. It didn't help much. With Content Inspection it is just so slow. Not unusable but almost. What bothers me is even in the early morning when usage is almost nothing it's still slow.

    It is definitely is the Content Inspection piece. As soon as I change it to allow, everything speeds up quick.

    I even created a support ticket. The Watchguard agent said it was because of an older XTM25... per his quote.

    "Unfortunately, this is an issue with the Firebox not being able to handle the content inspection for traffic. This is a process heavy service and can severely impact network performance on the older Fireboxes.
    Here is a link to our appliance sizing tool...."

    That tool wasn't much help.

    Bummer. I have about 15 of these to upgrade.

    HMorris

  • How many users do you have at a typical XTM 25 site ?
    WG specs for the XTM 25:
    UTM Throughput = 80 Mbps
    The only other thing that comes to mind is that there is an unpublished max concurrent sessions for various proxies - which one might possible hit.
    Are you seeing log messages about Connection table full ? If so, then it looks like you are hitting this limit.
    You can set a custom idle timeout on your HTTPS proxy action to 5 minutes and see if that helps.

  • It varies for each site but this site only has 5 users with some wireless users on the Optional network. But when I test in the morning it is usually one 1 or two users. It's crazy light. The LOAD lights are all off before I test and quickly move to yellow/red

    No errors I see about Concurrent Connections. Even the Connections on the FSM console are only showing about 200.

    UTM Throughput @ 80Mbps ... is just no way with CI turned on.

    Maybe the Watchguard agent knows something we don't. He didn't even really try to look at anything he just gave the blanket statement above.

  • For a small number of users - Inspect should work OK. It did for me.
    Request more help from support on this.

  • As an update. I did get better a support agent from Watchguard and this agent confirmed that full HTTPS inspection will not work on an XTM25. He gave specifics but essentially said you really need a dual CPU core of a T35. Even a T15 with a single core would have some issues. And the XTM 25 just ain't gonna work well.

    Of course I could cut it down and only inspect certain categories as a work around. But across the board CI is not possible on an XTM25. Unless you like waiting.

    HMorris

  • hi i use https proxy action configuration on my 25w to whitelist https addresses and it has been ok.

Sign In to comment.