
Slow first response HTTP / HTTPS

Hi,

I am trying to troubleshoot an issue with an XG Firewall SG115 running SFOS 17.5.6 MR-6.

1. When I open an http website, e.g. http://google.de, the request is redirected to https://www.google.de and the first response is slow when "http scan" in the firewall rule is enabled. When opening https://www.google.de directly, the response time is good.

2. When I set a policy for intrusion prevention inside the firewall rule, both the http and the https first response are slow, regardless of whether "http scan" is enabled or disabled.

3. When I set Sophos as a fixed proxy in the browser, the response times are fine.

What could be wrong? Is this standard behaviour or possibly some configuration mistake?

 

Thanks in advance for all help.

 

Regards,

Thomas



This thread was automatically locked due to age.
  • Hi  

    Thank you for contacting us.

    When you try to access http://google.de/, the redirection to https happens on the server end: the server asks the browser to initiate the traffic over HTTPS instead of HTTP. When you open the URL directly over https, no redirection is required, and that is the difference you see between accessing the website over HTTP and over HTTPS.

    If you have applied an IPS policy, Web/App filter and HTTP/HTTPS scanning, they will capture all the packets passing through that firewall rule, and all of the described modules will scan the traffic to apply optimum security, which results in a bit of delay in accessing the website.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi,

    That can also be a DNS issue, because the XG has to download the lookup for the new URLs. Link speed also plays a part.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA


  • Hi Keyur,

     

    thanks for your reply. I believe that the delay of several seconds (compared to several ms) I am facing is not the usual "bit of delay" you are talking about. How could I further troubleshoot the issue? Why don't I see the issue when setting the XG as proxy?

    Thanks and regards,

    Thomas

  • Hi rfcat_vk,

     

    thanks for your reply.

    Where exactly does DNS come into play? The DNS lookup of the client is fine. Does the XG do additional DNS lookups (during IPS / AV scan) that might slow down the response?

     

    Thanks and regards,

    Thomas

  • XG has a debug log for all HTTP traffic.

    Simply put the HTTP proxy in debug mode:

    service awarrenhttp:debug -ds nosync 

    (the same command disables debug again).

     

    Reproduce your issue, disable the debug, and take a look at /log/awarrenhttp_access.log 

    __________________________________________________________________________________________________________________
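Before reading the proxy debug log it helps to know which phase of the request is actually slow. The script below is an added example and is not part of the original thread or of Sophos' own tooling: it uses curl's `-w` timing variables to split one request into DNS lookup, TCP connect, TLS handshake and time-to-first-byte, and lets you run the same URL once through the transparent path and once with the XG as an explicit proxy (the proxy address and port in the comments are placeholders, not values from the thread). A first-response delay that appears only as a large time-to-first-byte, and only on the transparent path, points at the scanning/IPS hop rather than at DNS.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): attribute a slow "first response"
# to DNS, TCP connect, TLS handshake or time-to-first-byte using curl timings.
# Run once transparently and once with the XG as explicit proxy, then compare.
set -u

# curl's timings are cumulative seconds since the start of the request.
CURL_FMT='%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total} %{http_code} %{redirect_url}'

# Print one timing line for URL. The optional second argument is an explicit
# proxy such as http://192.168.1.1:3128 (placeholder address, an assumption).
curl_phases() {
  url=$1; proxy=${2:-}
  if [ -n "$proxy" ]; then
    curl -sS -o /dev/null -x "$proxy" -w "$CURL_FMT\n" "$url"
  else
    curl -sS -o /dev/null -w "$CURL_FMT\n" "$url"
  fi
}

# Given the five cumulative timings (namelookup connect appconnect starttransfer
# total), name the phase that took the longest. Each phase is the difference to
# the previous timing; time_appconnect is 0 for plain HTTP, so TLS is skipped then.
slowest_phase() {
  awk -v nl="$1" -v c="$2" -v ac="$3" -v st="$4" -v tt="$5" 'BEGIN {
    dns = nl; tcp = c - nl
    if (ac > 0) { tls = ac - c; ttfb = st - ac } else { tls = 0; ttfb = st - c }
    body = tt - st
    best = "dns"; max = dns
    if (tcp  > max) { best = "tcp-connect"; max = tcp }
    if (tls  > max) { best = "tls";         max = tls }
    if (ttfb > max) { best = "first-byte";  max = ttfb }
    if (body > max) { best = "body" }
    print best
  }'
}

# Measure URL on both paths and print which phase dominates each one.
# Needs network access; the proxy argument may be empty to skip that run.
compare_paths() {
  url=$1; proxy=${2:-}
  t=$(curl_phases "$url")
  # shellcheck disable=SC2086
  echo "transparent: $t  -> slowest: $(slowest_phase $t)"
  if [ -n "$proxy" ]; then
    p=$(curl_phases "$url" "$proxy")
    # shellcheck disable=SC2086
    echo "via proxy:   $p  -> slowest: $(slowest_phase $p)"
  fi
}

# Usage: ./curl_phases.sh --run http://google.de http://192.168.1.1:3128
if [ "${1:-}" = "--run" ]; then
  compare_paths "$2" "${3:-}"
fi
```

Run it against the http:// URL first so the 301/302 to https shows up in `redirect_url` and is timed separately from the https request that follows; a second run against the https:// URL directly reproduces the comparison Thomas describes in point 1.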

  • Others already gave you a good place to check: DNS. Lately 8.8.8.8 has been working slowly in a few countries. I recommend you go to a workstation and set a manual DNS of 1.1.1.1.

    Also change the DNS on the WAN to your ISP's or 1.1.1.1.

  • Hi Hayim,

    as I mentioned before, DNS on the client is not an issue. Unless there might be another DNS problem on the Sophos side (separate from client DNS), I don't think it's a DNS issue. DNS in Sophos was set to 1.1.1.1 already. DNS at the client is the local AD / DNS server (the DNS server's forwarding is set to 1.1.1.1 too). I tested the speed of the local AD/DNS and of 1.1.1.1 from the client side and did not find any problem.

     

    I will try to debug http proxy in Sophos once I can spare some time.

     

    Thanks and regards,

    Thomas

  • I understand. Debug is a good way to check. But trying different ways that are physical is an option I like; I learn a lot from it. If you want, try this small tool: http://www.pingplotter.com/download

    It is a ping tool with trace that also tells you the time it takes between the different routers on the way to the destination.

    I would try pinging 1.1.1.1 once with this tool, and then try pinging www.google.com.

  • I could be mistaken, but I think you should have the DNS on the firewall set to 1.1.1.1 or whatever you like, then your AD DCs forwarding to the firewall, then your workstations pointing to your AD DCs.

    Respectfully, 

     

    Badrobot

     

  • The correct way, when you have a server running a DNS server (domain controller), is the way he configured it.

    The server has to have itself as its DNS server, and in the DNS server properties you have forwarders; there he can configure any external DNS server he wants. The fastest should be your ISP's, but sometimes 1.1.1.1 is better. All workstations should have the local DC's DNS as their DNS server.

    The firewall WAN should have the same servers as the forwarders in the server's DNS: it can be the ISP's or 1.1.1.1.

    As a test case, when it feels slow on the first site, I always ignore my recommendations and manually configure the workstation and the firewall WAN with an external DNS server. Just for testing, to get the fastest DNS.
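The resolver chain described in the last two replies (workstation, then the AD domain controller, then the DC's forwarder and the firewall's WAN DNS) can be measured hop by hop instead of reconfiguring clients for a test. The script below is an added example and is not part of the original thread: it runs `dig` against each server in the chain, reads the `;; Query time:` line, and reports the first hop that is noticeably slower than the server it forwards to. The server addresses in the usage comment are placeholders, not values from the thread.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): time one lookup at each hop of
# the DNS chain (workstation resolver -> AD DC -> forwarder) so a slow forwarder
# shows up as a slow DC answer, and a slow DC shows up only at the DC.
set -u

# Read dig output on stdin and print the "Query time" in ms, or -1 if dig
# produced no statistics (timeout, unreachable server).
dig_query_ms() {
  awk '/^;; Query time:/ { print $4; found = 1 } END { if (!found) print -1 }'
}

# Query NAME (A record) at SERVER and print "server ms". +tries=1 +time=3 keeps
# a dead server from stalling the whole run.
time_resolver() {
  server=$1; name=$2
  ms=$(dig @"$server" "$name" A +tries=1 +time=3 2>/dev/null | dig_query_ms)
  echo "$server $ms"
}

# Print "server ms" for every resolver given, child first, upstream last.
# Usage: compare_chain www.google.com 10.0.0.10 1.1.1.1   (addresses are placeholders)
compare_chain() {
  name=$1; shift
  for s in "$@"; do time_resolver "$s" "$name"; done
}

# Pure helper, also usable offline: given "server ms" lines (child first,
# upstream last), print the first hop that adds more than SLACK ms over its
# upstream; if no hop adds latency but the top of the chain itself is above
# SLACK, print that server; otherwise print "none".
find_slow_hop() {
  slack=$1
  awk -v slack="$slack" '
    { srv[NR] = $1; ms[NR] = $2 }
    END {
      for (i = 1; i < NR; i++)
        if (ms[i] >= 0 && ms[i+1] >= 0 && ms[i] - ms[i+1] > slack) { print srv[i]; exit }
      if (NR > 0 && ms[NR] > slack) print srv[NR]; else print "none"
    }'
}

# Usage: ./dns_chain.sh --run www.google.com 10.0.0.10 1.1.1.1
if [ "${1:-}" = "--run" ]; then
  shift
  compare_chain "$@" | find_slow_hop 100
fi
```

A DC that answers in hundreds of milliseconds while its forwarder answers in tens points at the DC (or the path from it to the forwarder); if every hop is equally slow, the forwarder is the place to change. Use a name that is not yet cached on the DC, otherwise the DC will answer from cache and the forwarder's latency is hidden.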