1

I'm in charge of maintaining a small network for a client (around 10-15 computers) that has an internet connection to the outside world of 100mbps (ironically, though, I just ran a speedtest bypassing the firewall completely, and got 115mbps).

Behind the Watchguard Firewall are a couple Cisco SG-200's (gigabit switches), and then Ubiquiti Unifi Wireless Access Points.

According to several resources I've read online (including http://www.guardsite.com/XTM-23.asp), this Watchguard XTM 23 (for which I've inherited the responsibility of maintaining) has a firewall throughput of 195mbps.

I also see it has an "XTM" throughput of 40mbps.

This is the first Watchguard I've ever worked with, and I'm trying to figure out the difference between XTM throughput and Firewall throughput.

What's the difference?

My second question... I've never been able to get higher than ~45-50mbps running speed tests from inside the network / behind the Watchguard firewall. I even tried a test without anything else plugged into the firewall, and still couldn't get above 50mbps. If I had to guess, therefore, XTM throughput would be how much bandwidth to the internet (outside world) that this Watchguard can handle, and the Firewall throughput would be how much bandwidth it can handle internally on its gigabit ports between different segments of the network. Is this correct?

The reason I'm on this wild goose chase is two-fold:

  1. People have been complaining of slow internet
  2. We haven't been able to get even close to the speeds that we're supposed to be getting with our current internet connection.

Am I crazy for going ahead and assuming that this Watchguard is the bottleneck in our network? A few things that I've noticed is that Memory Utilization seems to be maxed out (especially when employees are present, and according to graphs I see, it isn't quite as high when they aren't here / during weekends). However, I've read on several websites that its common for the Watchguard to report all of the memory is utilized.

CPU usage has always been fine on the box, as well as average load.

If my haunch is correct, I'm thinking about getting rid of the Watchguard all together, and setting up a new box running pfSense on a SSD.

David W
  • 3,405
  • 5
  • 34
  • 61
  • The only thing I can find on XTM is it may stand for Extinsible Threat Management which is an update of Unified Threat Management. This is most likely the throughput of Intrusion Prevention, A/V scanning, possibly content filtering, depending on how it's bundled on that device. As far as speeds go it really depends on how many of the security services are enabled on the device. The more protections enabled the slower it will be. What other services are enabled besides just the firewall? Here's a link for reference on the XTM: http://www.itpro.co.uk/629527/watchguard-xtm-23-w-review – Mike Naylor Jan 31 '14 at 17:12
  • XTM throughput is the throughput when XTM/UTM services, such as WebBlocker, SpamBlocker, IPS, etc. are active. Firewall throughput is the throughput when those services are not active. I would suspect that the throughput you're seeing is a result of XTM/UTM services being active. – joeqwerty Jan 31 '14 at 17:12
  • We do have WebBlocker and VPN enabled. Not sure about anything else. That makes sense, re: difference between XTM and Firewall. – David W Jan 31 '14 at 20:15
  • What firmware version? In some versions (11.4?), enabling traffic management and QoS features caused a ~20% throughput hit, and there were bugs with memory leaks particularly on XTM 2 series, fixed in verison 11.5.3. Have you checked the basics like network links connecting at 100(0)Mb with full duplex,? And that you don't have a rate limiting policy applied? Are the logging levels turned up high? XTM 23 is a single core 667Mhz chip and 256Mb RAM; small office with 10-15 users yes, 100Mb internet connection and traffic analysis with full reporting logging, possibly it is the bottleneck. – TessellatingHeckler Feb 02 '14 at 01:47
  • @joeqwerty - If you add your comment as an answer, I'll accept it. Otherwise, I'll take credit for it when I answer my own question here. :P After some further research, I'm 95% sure you're correct, re: why we're seeing low throughput. We're upgrading it with pfSense on a beefy machine soon, which I'm happy about (took me almost a year to convince 'em). – David W Mar 29 '14 at 18:28

1 Answers1

4

XTM throughput is the throughput when XTM/UTM services, such as WebBlocker, SpamBlocker, IPS, etc. are active. Firewall throughput is the throughput when those services are not active. I would suspect that the throughput you're seeing is a result of XTM/UTM services being active.

joeqwerty
  • 108,377
  • 6
  • 80
  • 171