[fw-wiz] Watchguard V60 capacity

From: User Scarr (scarr_at_ineocom.com)
Date: 07/22/03

  • Next message: Tony Miedaner: "[fw-wiz] ISPs with more secure networks???"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 22 Jul 2003 11:48:49 -0400
    
    

    Hey all,

            I'm wondering if anyone else on this list actively uses Watchguard
    Vclass units, and has run into some of the same "challenges" we have
    with them. We're using them to firewall a fairly active client with a
    good amount of web and SMTP traffic. We've got two of them in HA.
    What I'm hoping for (more than a rant session) is that someone has
    found some working solutions, or at least has the same issues we do. I
    suspect a fair number of these are Watchguard bugs, but I don't want to
    pay $250 each for the privilege of reporting them...

    Some of the biggies at the tip of the iceberg;

            - Packet loss. I've identified the Watchguard Vclass units as the
    center of between 1% and 10% packet loss on a regular basis (ruling out
    switches and routers and even cables, which has been a bit of a
    process). Watchguard's support has suggested that I lower a connection
    idle timeout setting in debug mode from 3 minutes to 1 minute, which
    sounds reasonable, but I haven't tried it yet (production hours).

            - High availability syncing. I've seen this on other HA devices, but
    never like this. The HA constantly complains that it can't sync, even
    though it does, and manual sync attempts (when editing or adding
    policies) seem to freeze the units, adding to the packet loss. The HA
    is fairly seamless though when it does happen, so they get points there.

            - The built in load balancing. I know I know, I should probably get
    an independent device to handle the LB. The load balancing seems to
    freeze at random, and I end up with error messages in the logs like;
    "The load balancing server 0.0.0.0 is not responding". Of course,
    there's no server specified with that address. I'm using weighted
    least connections between two SMTP servers running Postfix.

            I've used Netscreen, and to a lesser extent PIX devices in the past
    (and a few free software firewalls like IPFW and iptables / ipchains,
    etc), so the number of and severity of recent troubles I've had with
    these is a new experience for me. I have a feeling a lot of the
    problems are due to load, but since Watchguard boasts up to 200Mbps
    throughput (with the units in active/active HA) I can't imagine our
    7Mbps spikes are causing them any heartburn.

    Any thoughts, etc?

    Thanks,

    --
    Simon Carr
    Ineocom Technologies Inc.
    http://www.ineocom.com/
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Tony Miedaner: "[fw-wiz] ISPs with more secure networks???"

    Relevant Pages

    • Re: load balancing a php site
      ... >> How i can configure a php site to support load balancing ... >> with apache or IIS server? ... firewall can do this as well, I use an OpenBSD computer as a firewall ...
      (alt.php)
    • Re: Please suggest firewall for IIS ASP.Net/SQL Server 2000 website
      ... > similar to W2K Advanced Server in that it supports load balancing ... > have come to the conclusion that a Cisco PIX 501 is the firewall to ... > PIX can handle 10 megs of second of throughput. ... > Something tells me I also need to get the SQL Server onto a separate ...
      (comp.security.firewalls)
    • HELP: How to configure VPN and Different IP Gateway for Load Balancing
      ... Any need some help how to do DHCP + NAT with Load Balancing at the Firewall ... Server as a gateway to 2 diffrerent WAN Gateway ...
      (SunManagers)
    • Re: CEICW fails at firewall config
      ... Do you or do you not have ISA 2000 or ISA 2004 installed on the SBS server? ... Do you have 2 NICs in the SBS? ... CEICW fails on firewall configuration every time. ... >>> Call to Creating the protected networks access rule returned ok. ...
      (microsoft.public.windows.server.sbs)
    • Re: Recycler security issues on IIS server
      ... > latest upates to the server. ... > like to see the server put behind our firewall, ... other software, install all patches, IISlockdown, URLscan, use the correct ... the procedures you follow may vary depending on your security needs. ...
      (microsoft.public.inetserver.iis.security)