Anyone else get bad results behind WatchGuard firewalls when running speed tests? I’m using things like Ookla speedtest to gauge throughput. Our M390 on a 1 Gbps fiber link usually benches around 700/700, but the service tech can move the cable over to his device and basically come in at max. Elsewhere I have a T70 with only a firmware service subscription, and that comes in a lot closer to the 1000/40 service it is behind. I know it doesn’t have any of the extra features like IPS, but an M390 shouldn’t be impacted like that, should it?
Any suggestions for a firewall rule or rules to bench the actual service received?
Bypass proxying and inspection on your testing to get real results. I have a policy set up for Ookla so that I can see real speeds.
I’d recommend using whatever speed test your ISP has set up. Using someone else’s tends to introduce a lot of additional variables. If you’re not sure what speed test your ISP has, just do a search for it, like “comcast speed test” or “lumen speed test” or whatever.
Also, when you’re doing your speed test from behind your firewall, do you have the rest of your network plugged into the firewall as well? If so, unplug everything else from your firewall, plug your testing device directly into it, and run the test.
Any extra features you’re running like IPS will absolutely impact throughput, but per the M390 specs, it should still be able to do full gig with IPS turned on. One thing you could do is, one by one, disable additional features like IPS and test the throughput. I forget which combination of features it was, but at one client, a specific set of features being enabled would absolutely kill the throughput of their SonicWall, but turning any one of them off would give them full gig throughput. If you run into that, at least that will give you a decent starting point to talk with WatchGuard support.
Bypass IDP to the scanner site. Known issue with many firewall vendors.
Also using an M390, and several 1Gb fibres. Speedtest has never given me a good result; my home connection, also 1Gb fibre, gives not only better latency but pings. Never ever found a cause of it. I could understand the firewall performing packet inspections etc., but not so much that I struggle to even hit 500Mbps up and down. Just this second I have done a test and I’m getting 337/424, that’s shite!
M290 throughput with IPS and HTTPS content inspection should hit 696 Mbps and the M390 should hit 1.32 Gbps according to the datasheet, but that probably depends on what else it is doing at the time, and things like device uptime might play a part too. If I were lucky enough to have a client with a 1 Gbps connection, an M390 would have been the device I’d have recommended myself due to the figures on the datasheet.
It might be worth speaking to your VAR and / or WatchGuard Support to get their input.
Just for another flavour of testing, I also use https://fast.com
I usually only read topics here but had to chime in. I have an M390 on a 1Gbps fiber as well, and I get about 800 on speed test. Mine has roughly 60 users behind it doing office work, 2 site-to-site VPN tunnels, Client VPN, and I’m running the old wireless gateway controller and about 20 APs with three total VLANs. That all being said, I always figure whatever throughput they claim is under a best case scenario, and I felt pretty good about the test’s throughput given all my firewall has to juggle.
HTTP vs HTTPS traffic, and it really depends on the number of rules and their configuration. The more you make any NGFW inspect traffic, the more you make it work, and potentially slow throughput.
Remember WG has a hardware comparison table, and indicative speeds for different services.
Ookla is a shite speed test. It generally uses port 8080 instead of 443. Fast.com is good and speedof.me is better. I run a smaller (T70) device and wired or wireless I can achieve 850Mbps-1250Mbps synchronous depending on time of day and who is home. Mind, this is through a packet filter with all services disabled.
This isn’t WG specific, but most people don’t tune their firewalls to their WANs. I know that in theory the firewall and autoMTU settings should take care of it, but I’ve seen clients with a lot of internet services that test well below what you’d expect for a decent MTU that doesn’t need to fragment.
Part of my yearly maintenance cycle is to recheck the MTUs on a given ISP, and reconfigure the MTU on the WAN port of the firewall to account for it. It fixes a lot of gremlin issues, often fixes speed tests that show lower than expected performance and issues with certain VoIP configurations, and to be honest it just takes away extra work from the firewall that it doesn’t really need to be doing.
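One way to do the MTU recheck the comment above describes, as an added example that is not part of the original thread or any WatchGuard tooling: probe the path toward the ISP side with ICMP echo requests that have the Don’t Fragment bit set and binary-search the largest payload that still gets a reply. The script assumes Linux iputils ping (`-M do` sets DF; on macOS/BSD the flag is `-D`), an IPv4 path (20-byte IP header plus 8-byte ICMP header, so MTU = payload + 28), and a probe host you choose, such as your ISP gateway. The discovered value is what you would compare against the MTU configured on the firewall’s WAN interface.

```shell
#!/bin/sh
# Added example: discover the path MTU toward HOST with DF-marked pings.
# Not WatchGuard code; assumes Linux iputils ping and an IPv4 path.

# probe_df PAYLOAD HOST: exit 0 if one DF-marked ping with that ICMP payload
# size (-s, bytes) gets a reply within 1 second, non-zero otherwise.
probe_df() {
    ping -M do -s "$1" -c 1 -W 1 "$2" >/dev/null 2>&1
}

# find_mtu HOST [PROBE_FN]: prints the path MTU in bytes.
# PROBE_FN defaults to probe_df; a different function can be passed in
# (used by tests, or to swap in a different probe tool).
# Invariant of the search: payload $lo passes, payload $hi fails.
find_mtu() {
    host=$1
    probe=${2:-probe_df}
    lo=0        # zero-byte payload: if even this fails, the host is unreachable
    hi=9000     # upper bound covering jumbo-frame paths
    "$probe" "$lo" "$host" || { echo 0; return 1; }
    # A path that passes the upper bound already: report it directly.
    if "$probe" "$hi" "$host"; then
        echo $((hi + 28))
        return 0
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    # lo is the largest payload that passed; add 20 (IPv4) + 8 (ICMP) header bytes.
    echo $((lo + 28))
}

# Stand-alone use: ./find_mtu.sh <host>, e.g. the ISP gateway address.
if [ "$#" -ge 1 ]; then
    mtu=$(find_mtu "$1") && echo "path MTU toward $1: $mtu bytes"
fi
```

A result of 1500 means a plain Ethernet path; 1492 or 1480 is typical of PPPoE or tunnelled services, and anything lower than the MTU set on the WAN interface means the firewall is fragmenting or relying on Path MTU Discovery for every large packet, which is the overhead the comment describes removing.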
Watchguard throughput depends also on how many CPU cores each specific model has.
Usually it peaks closer to white paper specs when doing multiple connections/sessions and by matching different policies, allowing the device to spread all traffic between cores.
It’s not a known issue. A firewall isn’t a switch; it’s scanning, and that slows traffic. Advising people to remove the services is exposure… Set up a plain packet filter from the testing to the testing, then conduct the test, but don’t expect ANY firewall to give you the same line speed as a dumb switch.
Set IPS to fast scan. That’s the only thing holding you back and I’d put money on it. I use the M290 at the office and easily max out 800 Mbps service.
Also depends how much security you’re applying to the traffic; more security will mean slower traffic. We ain’t just switching here, IPS / TLS inspection take effort… If you have a 1GB line and utilise all of it, then currently you shouldn’t be considering anything lower than an M390 or M590… If you have something lower than that and want security yet see all your 1GB line, then you have underprovisioned your box and not done your job properly… either that, or accounts MGMT got in the way and wanted the cheaper yet wrong box for your estate.
You have no idea what you are talking about. You whitelist the speed test website in AV scan and IDP. Been doing firewalls for years and this is a very known thing. A good firewall will not even allow you to run a speed test.
I’ll give it a try, thanks!
This, seen it affect speed tests multiple times.