Improvement request - Still updating a firewall requires so much time

Almost 20 seconds elapsed from the instant when you click apply to the instant you get back to Firewall rule page?

Guys, I hope that you track this as a bug and improve the performance.

Thanks

  • I know this doesn't add any further to your request but the system load of almost 100 percent per core is unsustainable in a production firewall. I was running system load over 3 on my test firewall in a vm with quad cores. Yes throwing newer, faster hardware will bring it down a little but the system load has increased significantly in v18 compared to v17 and my test lab had only one user mostly playing with the GUI.

    Regards.

  • Am I the only one with this issue?

    Maybe it is my installation? Can someone from the forum confirm the behaviour?

    Thanks

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Hi Luk, I tested this with a stopwatch [8-|] . I have a 4GB vm with 2vcpus and memory utilization to 80%. I have web proxy with categorization and av blocking. Also running Application categorization with allow all for pretty graphs (not blocking any apps). I don't have any DPI rules. I am also not using IPS.

    Average time for a rule update is 10.85 seconds. I did the test multiple times with different rules and it is always 10.5 plus seconds. I usually don't play with the firewall once it's set up, so not a problem after initial setup. I am also getting some inconsistent results with multiple NAT rules as the firewall seems to get confused if you turn on and off too many rules but that is not the topic here.

    Are you running everything on your firewall? Maybe the processor is overwhelmed with everything running? Not saying they don't need to fix this, just wondering why you are getting almost twice the time that I am getting on firewall rule update.

    Regards

  • 10s? This is a "huge" amount of time. Updating a firewall rule should not require more than 4/5 seconds.

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • I think the GUI waits for the backend to finish before it says update successful. It's the same behavior if you turn on a service that is not running. Turn off IPS and then turn it back on, you will have to wait forever before the service started message comes up.

    I agree that overall the GUI is too slow, from control center to firewall rules. Was v17 like this? I don't quite remember how the older v16.xx versions acted on rule updates but from memory, they were still slow compared to other firewalls.

  • Billybob said:

    ...they were still slow compared to other firewalls

    That's the problem. I have already lost 2 customers and 5 are waiting for UI responsiveness in v18, otherwise they will move away. Same behaviour for logging. There is a certain lag between what's happening and the log itself (I do not want to say anything about the logging quality via UI).

    Regards

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • I am currently working with CM as a GUI replacement and it is quite fast. 

    Did you try this approach? 

    __________________________________________________________________________________________________________________

  • No Lucar. Small customers do not need CM. They use XG interface.

    Is CM going to be the new UI even for XG in 18 or 18.5?

    Regards

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Can you ask some dev like or someone else to look at this issue?

    Thanks

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • The basic question is: Is it slower than V17? 

    __________________________________________________________________________________________________________________

  • No!

    The title of the thread is clear! In v18 no improvements have been made to speed up the Firewall editing UI.

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • In addition, Lucar:

    Threads like this should not even have been opened. Waiting 10-14 seconds after updating a firewall rule is a shame!

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Sorry for posting. I am just a private user like you.

    Just wanted to know if there is a new issue with the V18 release, because the time to complete a task is kinda the same in V17 to V18, from my experience.

    Something I am looking forward to is CM. Central has some powerful UI. You will be fast in configuration and easily push this configuration to your XG.

     

    __________________________________________________________________________________________________________________

  • Hello All,

    While I have found that the process of rule creation and updates takes 15+ seconds on the XG125 running either V17.5 or on my test V18 box, I know that on several customers' XG310 units running V17.5 it is a lot faster.

     

    While a few people have been using CM to make changes and are advising that the rule updates are faster, is this actually the case? Is the CM GUI just more responsive because the changes to the actual firewall are being background tasked, and still taking 15+ seconds to complete, but because the CM is not instant access people are just not observing the time requirement?

     

    Personally while my XG125 units in the field are slow at firewall edits and changes, I am not finding the GUI that unreasonable. If I was seeing that delay on the XG310's I think I would be more concerned. I also do not use anything smaller than a 125.

     

    Regards

     

    Gavin

    Regards,

    Gavin Daniels. DipIT(Networking)

     

     
  • Appreciated your opinion Luca. As I said, most smb will use only XG and nothing else.

    Regards

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Just my opinion: I would not agree with you Luk, because I assume SMB customers would rather use more than one product (XG). Most likely Endpoint, mobile or something like that. So the story to use Central is not new to most customers.

    Let's stay on topic here:

    Personally speaking, I use an XG125 at home and rather rarely touch this box. So I did not even notice the UI performance at all.

    Other boxes (XG450 and 230) are quite fast. 

    My lab vmware appliances are quit (Uses the I7 of my workstation). 

     

     

    If you access the webadmin of a CM managed EAP2 appliance, there will be a banner "Please do not change something on the Webadmin". 

    Did you see this change? Did somebody test this and report some feedback about CM to the DEV Guys? They are looking for your Feedback! 

    https://community.sophos.com/products/xg-firewall/sfos-eap/central-management-eap/ 

     

     

    __________________________________________________________________________________________________________________

  • Hi,

    I am running a 50/20mb/s link. If you think the management by the CFR is quick you must have a very fast connection and be close to the server network speed wise.

    Using my J1900 XG I decided the GUI was too slow and moved to a more powerful box; well, the CFR management is slower than the J1900.

    Ian 

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55/c - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Thanks Ian for your feedback.

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Well, I am an SMB customer, so let me share my perspective.

    I absolutely agree with Luk.  As a customer, the last thing I want to be told after buying a product is that I need to buy something else in order to "really use" the product I just bought.  It gives one the impression they have been "bait and switched" and trust me, it is not a positive feeling.   

    So to bring that full circle to the thread topic, the time it takes to update a firewall rule isn't too much of a problem for me personally because I don't do a lot of it; my firewalls are set up and I rarely need to make any large scale changes.  If I had to, I can see where it would be a frustration though, and I can promise you "buy Central" would not be an answer I'd personally be very happy receiving.