3 Replies Latest reply on Aug 7, 2012 2:28 PM by mtuma

    Difference in performance between rules using <Any> and <Any v4> network objects?

    PhilM

      I've been working with another customer over the past couple of weeks. They have an S3008 appliance running 8.2.1 which had been spec'd well within requirements, but they were reporting quite lethargic performance - particularly when web browsing.

      Initially, we thought it might have had something to do with the fact that after I had completed the initial installation work, they decided to add an application defense group to the "Internet Services" rule which included app defenses to enable IPS, AV and SmartFilter. Reverting back to a default defense group, they found that the system was still sluggish and we couldn't put a finger on what the cause might be.

      I suggested that they check the internal and external network infrastructure, ensuring that interfaces and switch ports were negotiating at the correct speeds (and consider fixing them, instead of relying on auto-negotiation), and to check the external MTU to make sure that they weren't suffering from excessive fragmentation.

      Following up with them today, they revealed that they made one additional change after I left their site 3 weeks ago. Following my departure they decided to change the "Internet Services" rule, replacing the <Any v4> network object with the <Any> network object.

      They have since reverted back to using <Any v4> and have been able to report that their web browsing performance has returned to a more than acceptable level.

      Aside from the obvious difference where, I assume, <Any v4> will only look at IPv4 addresses and <Any> would include IPv6 hosts, should this have a significant impact on Firewall performance?

      Even when the customer was reporting the problem, the top-level stats on the Firewall didn't suggest for a moment that it was struggling in any way.

        • 1. Re: Difference in performance between rules using <Any> and <Any v4> network objects?

          Hello Phil,

          I would not expect changing the object from Any to Any v4 to make any difference in performance.

          Do you remember seeing any processes running high in the output of "top"?

          Do they have any host objects in their policy? Host objects that don't resolve can sometimes cause issues.

          Do you have any "P" patches installed with 821? We now have 821P03 released and it is typically a generic recommendation to get them installed.

          -Matt
          • 2. Re: Difference in performance between rules using <Any> and <Any v4> network objects?
            PhilM

            Thanks Matt,

            Do you remember seeing any processes running high in the output of "top"?

            No, I can't. Nothing stood out as being a clear indication that the system was in any kind of distress.

            Do they have any host objects in their policy? Host objects that don't resolve can sometimes cause issues.

            Policy in general, or that specific rule?

            They definitely have a number of host and domain network objects defined, and they are being used, but not in the rule in question (Internet Services rule).

            Do you have any "P" patches installed with 821? We now have 821P03 released and it is typically a generic recommendation to get them installed.

            Ahem... doesn't look like it. Do they need to be installed in sequence, or can I recommend to the customer that they go straight to P03 when it appears? (I've just clicked on "Check for Updates" and it has only returned P01 & P02.)

            -Phil.

            on 07/08/12 16:59:35 IST
            • 3. Re: Difference in performance between rules using <Any> and <Any v4> network objects?

              Hello,

              Well, host objects that don't resolve have caused issues, regardless of whether they are even in the policy. If you search the audit for "hostd", it will be pretty obvious when a host object is not resolving.

              The P03 patch should be available now (as of yesterday I think). You do not need to install them all, just the most recent one (P03).

              These are just my thoughts; however, I still do not understand why changing the rule from <Any> to <Any v4> helped.

              -Matt
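As a worked illustration of the two checks Matt suggests above (searching the audit for "hostd" entries, and confirming which host objects fail to resolve), here is a small triage script. It is an added example written for this page, not McAfee or Sidewinder code, and nothing in the thread shows the real audit message format, so the sample audit lines and the `hostd: resolve failed for host object '...'` pattern are constructed for illustration; adapt the regular expression to what your own audit output actually looks like. The resolver is injectable so the resolvability check can be run offline against a table, as the demo at the bottom does, or live via the system resolver.

```python
"""Triage helper for the "host objects that don't resolve" theory in this thread.

Added example (not appliance code). Two checks:
  1. scan audit lines for hostd resolution failures and count them per host object
  2. resolve a list of host-object names and report the ones that fail

The audit-line format below is CONSTRUCTED for illustration only.
"""
import re
import socket
from collections import Counter

# Constructed sample audit lines (illustrative; not the appliance's real format).
SAMPLE_AUDIT = """\
Aug  7 16:10:01 fw hostd: resolve failed for host object 'cdn-old.example.net'
Aug  7 16:10:01 fw hostd: resolved 'proxy.example.net' -> 192.0.2.10
Aug  7 16:10:31 fw hostd: resolve failed for host object 'cdn-old.example.net'
Aug  7 16:10:31 fw hostd: resolve failed for host object 'legacy-ftp.example.org'
Aug  7 16:11:01 fw kernd: some unrelated audit event
Aug  7 16:11:01 fw hostd: resolve failed for host object 'cdn-old.example.net'
"""

# Assumed message shape; change this to match the real hostd audit text.
FAILED_RE = re.compile(r"hostd: resolve failed for host object '([^']+)'")


def hostd_failures(audit_text):
    """Return a Counter of host-object names that hostd failed to resolve."""
    counts = Counter()
    for line in audit_text.splitlines():
        if "hostd" not in line:          # cheap pre-filter, like grepping for hostd
            continue
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def default_resolver(name):
    """Resolve via the system resolver; True if any address comes back."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def unresolvable(host_objects, resolver=default_resolver):
    """Sorted list of host-object names the resolver cannot resolve.

    `resolver` is injectable so the check can run offline against a cached table.
    """
    return sorted(name for name in host_objects if not resolver(name))


def report(audit_text, host_objects, resolver=default_resolver):
    """Combine both checks into one summary for the person doing the triage."""
    return {
        "audit_failures": dict(hostd_failures(audit_text)),
        "unresolvable_now": unresolvable(host_objects, resolver),
    }


if __name__ == "__main__":
    # Offline demo: a constructed resolvability table stands in for live DNS.
    table = {
        "proxy.example.net": True,
        "cdn-old.example.net": False,
        "legacy-ftp.example.org": False,
    }
    summary = report(SAMPLE_AUDIT, table, resolver=lambda n: table.get(n, False))
    for name, n in sorted(summary["audit_failures"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} hostd failures  {name}")
    print("unresolvable now:", ", ".join(summary["unresolvable_now"]) or "none")
```

Running it with the constructed data lists cdn-old.example.net as failing three times and legacy-ftp.example.org once, and flags both as unresolvable; the object that resolves (proxy.example.net) never appears in either list. On a real appliance, feed it the relevant audit excerpt and the host-object names from the policy, with the live resolver, to see whether repeated hostd failures line up with the sluggish periods.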