WSA Slow Performance

jbown_ironport · ‎02-22-2008

Hi All,

I have recently deployed a single S650 in a customer environment which currently running in pilot mode with a few hundred clients. The box is configured in Forward Proxy Mode (non-inline), and we have URL Category Filtering and WebRoot enabled. (no McAffe). Also have AD Authentication enabled using NTML Realm. DNS is using two internal Windows DNS Servers.

We have received feedback from some end users that the performance of browsing certain websites has slowed down considerably since using the new proxy server (2-3 times slower loading). The sites they are browsing usually have a lot of dynamic content (eg www.bbc.co.uk, www.news.com.au, www.abc.net.au/news). At the moment this is purely subjective feedback, but I have no reason to doubt them.

The previous proxy solution they had been using also had URL Categories blocked (using Surf Control/MS Proxy), and the category list is the same as what we have blocked on the S650.

What I'd like to know is if this type of performance hit is to be expected when all of the security services are enabled ? Can anyone else share their experiences ?

I'm running a late build of AsyncOS 5.2 (build 467 ?).

Regards,

Jeff

jowolfer · ‎02-25-2008

JBrown,

There will be some kind of delay added, being that the WSA has to scan the objects, but as long as you are not over encumbering the WSA, this should be negligable.

Off the top of my head, one issue that can cause this is poorly written regex rules in categories. If you have any categories that use regex, make sure they do not contain unneccessary ".*" entries.

Examples

Bad: .*google.com, .*.yahoo.com
Good: google.com, \.yahoo.com

Since regex is a substring match, you do not need the ".*"s and it lowers performance greatly.

Just a thought. If you have no regex rules like this, I would recommend filing a support ticket so support can take a look at it.

How long are the pages taking to load? Are they loading in one object at at time? Or are is the whole page blank for a while then the entire page displays?

angfeglandagan · ‎05-27-2008

Hi,
I also is experiencing slow performance on the WSA...would it be possible that this is also a firmware issue?

What if i dont use regex...just plain policies...

Kindly enlighten....me...

tia,
kira

khoanguy · ‎05-29-2008

If you don't use regex, then you will need to look at what features are turned on that can affect the performance of the box. If you only have URL filtering on then that should not be a burden on the box.

You can use the 'rate' command from the cli to look at the number of request per second.

You can find the latest release of the firmware on our web portal http://www.ironport.com/support.

Latest for version are either 5.2.1-052 or 5.5.1-104.

angfeglandagan · ‎05-30-2008

Hi, I just recently applied the enhancement version of WSA which is 5.5.1.

Am not sure if the 75 policies on the WSA will speed up.

still testing it...

kira

angfeglandagan · ‎06-24-2008

It worked well on the 75 policies after upgrading to 5.5.1 asyncos..

Cheers,

kira