Slow page loads & performance

There are many posts concerning this same symptom; however, nearly all have centered on proper DNS settings and ensuring the Web Policies are configured properly.  The issue I am experiencing does not appear to relate to any of those I have found because my testing utilizes: (1) The recommended DNS settings; and (2) Bare bones config that does not filter anything.

This issue makes the XG unusable in my particular environment and if left unresolved, the XG will be pulled from service.


  • Sophos XG:  SFVH (SFOS 17.0.0 GA); tested in both bridge and routed modes.
  • CPU:  Intel Core 2 6400 dual-core @ 2.13GHz; based on Diagnostics --> System Graphs, CPU Usage never goes above 50% and even then, it is for less than 2s.
  • RAM:  4GB; based on Diagnostics --> System Graphs, Memory Usage never goes above 2.8GB.
  • HDD:  > 140GB; less than 20% occupied.
  • NICs:  Dual Broadcom BCM5721 based GE
  • Internet connections:  I employ dual Internet connections to different providers as follows:
    • DOCSIS D3.0 4DSx4US - i.e. 140Mbps down; 13-20Mbps up. (Comcast)
    • VDSL - 30Mbps down; 12 Mbps up. (AT&T)
  • NOTE:  All of the metrics mentioned above were taken during the period when I had IPS, Web Policies, and several FW rules in service.


  • Very poor page load times (i.e. minimum of 20s; oftentimes 30s or more).
  • Occurs most often for the first time page load OR a page reload after some period of elapsed time (i.e. likely due to the DNS entry timing out).
  • The XG is the only common element in all testing meaning the issue exists despite which machine or Internet connection is used.


As mentioned above, I ensured that my testing included the fixes I was able to find in the other posts discussing this symptom.  A summary of the pertinent points follows:

  • DNS set to first use Google's name-servers (, followed by
  • DNS set to first use followed by Google's name-servers.
  • Despite either of the above arrangements, domain lookup times using the Diagnostics --> Name Lookup tool are always sub-40ms; typically sub-10ms.
  • Set the applicable FW rule to allow all traffic with nothing configured for IPS, Traffic Shaping, Application Filters, NAT, etc.
  • The only filtering enabled is a very basic single rule Web Policy that is set for Anyone --> Allow All thereby allowing all traffic through.
  • I then disabled the Web Policy rule so that the default rule would take over; the default rule is also set to Allow All thereby allowing all traffic through.
  • Performed all of the relevant test steps in the Cyberoam Troubleshooting Slow Browsing KB article.

Despite all of the above config and testing, the slow page load times persist whenever the Web Policy is set in the FW rule.  Making the single change of removing the Web Policy from the FW rule immediately restores the page load times to what they are as if the XG was not even in the network - i.e. sub 3-5s.

Interesting Point: The actual throughput performance is NOT affected - only web page load times.  I have performed literally hundreds of throughput tests using Speedtest and DSL Reports - all run great once the page loads thereby reinforcing the idea that there is some flow inspection issue going on here.


  • In reply to Gavin Ramm:

    OK - good to know - also, can I ask which XG version you are running?


  • In reply to cyberzeus:

    Hello all,

    Was this problem solved?

    Kind regards.

  • In reply to Bruno Ramos:

    I see this too. Any updates?

  • In reply to Jelle:

    After the last update, the problem was solved.

    Kind regards.

  • In reply to Bruno Ramos:

    It has been a while since I first reported this issue but I can confirm that this does work much better for me now.

    The SFOS has been upgraded since I initially reported the issue (17.0.6 MR-6 now vs. 17.0.0 GA with the initial report) and while my config is a little different than the initial setup, I can say that I've had Web Policies configured for a while and page loads have been very fast.  Literally no degradation when compared to a no Web Policy config.

    In addition, I moved my DNS into the XG rather than having my endpoints go out to external DNS (i.e. Google).

    So, from my perspective, this is resolved.