Here in this article we will discuss how to troubleshoot when user is not getting full speed to PC behind XG firewall
Before start troubleshooting, first we need to understand how much speed we were actually receiving from the ISP to XG firewall. Login to the sophos XG firewall CLI enter advanced shell and type this command
“wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py –no-check-certificate“
The above command will download python script from the github page and type this command “python speedtest.py” to run the script. The result will be as shown below:
I have explained in this article more detailed steps to test speed from XG firewall:
Once you confirm you were getting proper speed to the XG firewall, then connect one test machine directly to sophos firewall and check the speed (this is to isolate the issue). In case if you were getting the correct speed then issue lies in your internal network. If its still low, follow the below methods.
If there are multiple ISP’s terminating on the firewall, and if user systems are configured with a particular DNS.
In this case, the outgoing DNS traffic gets load balanced. Hence two possibilities might occur
- If a DNS request travels through the ISP ink whose DNS is configured in users system, the request is resolved and turn around time is good.
- If a DNS request travels through another ISP link, the request is dropped because the DNS configured in user’s system does not match ISP’s DNS.
This result in only partial DNS requests in the network to be resolved, which ultimately leads to slow browsing.
To resolve this issue configure a static route in XG that forwards all DNS traffic to the ISP link whose DNS is configured on user’s system. You can configure static routes from Network > static routes >unicast
In case if XG LAN IP is configured as DNS in user system. Issues with DNS configuration in XG may lead to slow browsing.
Go to System Services >> Services and ensure DNS server process is running.
If its stopped, restart the DNS server.
Check specific WAN port and LAN port for any drop packets. If there are lot of drop packets it will result in slow speed. To check drop packets in specific interface type “ifconfig <interface-name>“. Here in my case Port1 is the LAN port and Port2 is the WAN port.
In case if you have any drop packets, the following instructions need to be followed:
1.change the cable that connected on specific interface.
2.On the “Hardware” tab in “Interfaces and Routing” >> Interfaces, experiment with different settings of fixed speed and duplex. Make the same settings on the router/switch/modem to which the interface connects. Before testing the change, reboot both devices to force them to renegotiate their connection speed.
Firewall acceleration is a feature in sophos XG firewall which will offload the trusted traffic to increase the speed of processing. But sometimes this feature will use heavy load which results in slow speed.
To check if firewall acceleration is enabled in sophos XG firewall, login to sophos XG firewall and enter console and type this command “system firewall-acceleration show“. If its enabled, type this command “system firewall-acceleration disable” to disable the acceleration.
It is very normal that, if we add IPS policy in firewall rule, IPS will perform deep packet inspection on each packet and it will reduce the speed. To isolate the speed issue from the IPS, create plain LAN to WAN firewall with no policies enabled as shown in below image.
Once you create this plain firewall rule test the speed again.
Check if there is any traffic shaping policy applied to concerned firewall rules. If the traffic shaping policy has limit, then traffic will not cross that bandwidth. Click on specific firewall rule and scroll down to the bottom and keep traffic shapping policy to none, if there was any traffic shaping policy applied.
Note: In every mentioned method, try to connect one test machine directly to firewall and perform the tests to isolate network issues.
Speed Issue is little complicated, sometimes we will not be able to pin point the issue correctly. In case if the above resolutions does not work. I will suggest you to raise one technical support case with sophos.
Hope this article helps you.