Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MontanaMike
Contributor

Slow to All Google Related sites

I've got a pair of 620b's in A-P and ever since upgrading to v5.2.3,build670 things are extremely slow when browsing to Google related sites.  Gmail, Google, Youtube, etc.  The policy is pretty plain jane with no UTM/Security Profiles at all.  Or at least it doesn't matter whether I have Security Policies enabled or not.  If I plug in directly to our ISP and bypass the firewall, the sites and services (such as Hangouts) load and work at their normal speed.  The big problem is we're a Google Apps (Government/Education) customer so all of our email, calendars, etc are all in slow now.

 

Here is the firewall policy that I'm using for my testing purposes.  Port1 is my Internet interface.  I did turn on WebCaching to see if that would help but since all of Google's sites are now encrypted, it does me no good with them.  Speed tests to my ISP and other servers around the net all look normal.

 

edit 394 set srcintf "port8" set dstintf "port1" set srcaddr "Group-NetworkAdmins" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all set webcache enable set nat enable set ippool enable set poolname "VIP-Pool-2" next

 

Is anybody else noticing this?  I'm almost at a loss so any help would be much appreciated.

-Mike

-Mike
5 REPLIES 5
emnoc
Esteemed Contributor III

Don't see how a basic firewall policy would be slow, but here's some questions for you

 

 

1: are other websites slow

 

2: do  you have any link or nic errors since the upgrade on any of the 2 interfaces that your crossing

 

3: are you 100% sure GOOG is not restricting you?

 

I say the #3 since I'm currently consulting with a ISP that's outside of the USA and GOOG is blocking our assignments to various GOOG sites and mail-attachments downloads are failing.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
MontanaMike

emnoc wrote:

Don't see how a basic firewall policy would be slow, but here's some questions for you

 

 

1: are other websites slow

 

2: do  you have any link or nic errors since the upgrade on any of the 2 interfaces that your crossing

 

3: are you 100% sure GOOG is not restricting you?

 

I say the #3 since I'm currently consulting with a ISP that's outside of the USA and GOOG is blocking our assignments to various GOOG sites and mail-attachments downloads are failing.

 

 

1.) not as far as I can tell.

2.) No issues as far as I can tell.  see the diag hardware deviceinfo nic for the ports (1 and 8)

3.) No idea.  How could I tell?  If login as my Google Apps work account from outside our firewall (same ISP) it all works as it should.

 

# diagnose hardware deviceinfo nic port1 Driver Name: NP2 Version: 0.92 Chip Revision: 2 BoardSN: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ Module Name: 620B-Rev2 DDR Size: 256 MB Bootstrap ID: 15 PCIX-64bit-@133MHz bus: 0f:01.0 Admin: up, num=3, duration=197777881 Current_HWaddr: 00:09:0f:09:00:00 Permanent_HWaddr: 00:09:0f:d9:1f:d0 Link: up, 2 Speed: 1000Mbps Duplex: Full Rx Pkts: 1610766221 Tx Pkts: 1249724164 Rx Bytes: 2424541184 Tx Bytes: 2276530176 MAC0 Rx Errors: 0 MAC0 Rx Dropped: 0 MAC0 Tx Dropped: 0 MAC0 FIFO Overflow: 0 MAC0 IP Error: 0

TAE Entry Used: 0 TSE Entry Used: 0 Host Dropped: 0 Shaper Dropped: 0 EEI0 Dropped: 0 EEI1 Dropped: 0 EEI2 Dropped: 0 EEI3 Dropped: 0 IPSEC QFIFO Dropped: 0 IPSEC DFIFO Dropped: 0 PBA: 123/1019/251 Forwarding Entry Used: 0 Offload IPSEC Antireplay ENC Status: Disable Offload IPSEC Antireplay DEC Status: Enable Offload Host IPSEC Traffic: Disable ses mask: 40027dcb

 

 

# diagnose hardware deviceinfo nic port8 Driver Name: NP2 Version: 0.92 Chip Revision: 2 BoardSN: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ Module Name: 620B-Rev2 DDR Size: 256 MB Bootstrap ID: 15 PCIX-64bit-@133MHz bus: 0f:02.0 Admin: up, num=3, duration=197789184 Current_HWaddr: 00:09:0f:09:00:12 Permanent_HWaddr: 00:09:0f:d9:1f:d7 Link: up, 2 Speed: 1000Mbps Duplex: Full Rx Pkts: 475645666 Tx Pkts: 751528958 Rx Bytes: 3460254720 Tx Bytes: 2393458688 MAC3 Rx Errors: 0 MAC3 Rx Dropped: 0 MAC3 Tx Dropped: 0 MAC3 FIFO Overflow: 0 MAC3 IP Error: 0

TAE Entry Used: 0 TSE Entry Used: 0 Host Dropped: 82 Shaper Dropped: 0 EEI0 Dropped: 0 EEI1 Dropped: 0 EEI2 Dropped: 0 EEI3 Dropped: 0 IPSEC QFIFO Dropped: 0 IPSEC DFIFO Dropped: 0 PBA: 123/1019/251 Forwarding Entry Used: 0 Offload IPSEC Antireplay ENC Status: Disable Offload IPSEC Antireplay DEC Status: Enable Offload Host IPSEC Traffic: Disable ses mask: 40027dcb

fw-cluster1-1 # diagnose hardware deviceinfo nic port1 Driver Name: NP2 Version: 0.92 Chip Revision: 2 BoardSN: ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ Module Name: 620B-Rev2 DDR Size: 256 MB Bootstrap ID: 15 PCIX-64bit-@133MHz bus: 0f:01.0 Admin: up, num=3, duration=197790536 Current_HWaddr: 00:09:0f:09:00:00 Permanent_HWaddr: 00:09:0f:d9:1f:d0 Link: up, 2 Speed: 1000Mbps Duplex: Full Rx Pkts: 1611211346 Tx Pkts: 1250068957 Rx Bytes: 2624104448 Tx Bytes: 2348066816 MAC0 Rx Errors: 0 MAC0 Rx Dropped: 0 MAC0 Tx Dropped: 0 MAC0 FIFO Overflow: 0 MAC0 IP Error: 0

TAE Entry Used: 0 TSE Entry Used: 0 Host Dropped: 0 Shaper Dropped: 0 EEI0 Dropped: 0 EEI1 Dropped: 0 EEI2 Dropped: 0 EEI3 Dropped: 0 IPSEC QFIFO Dropped: 0 IPSEC DFIFO Dropped: 0 PBA: 123/1019/251 Forwarding Entry Used: 0 Offload IPSEC Antireplay ENC Status: Disable Offload IPSEC Antireplay DEC Status: Enable Offload Host IPSEC Traffic: Disable ses mask: 40027dcb

 

-Mike

-Mike
Dave_Hall

Mike Romine wrote:

1.) not as far as I can tell.

Do you have logging all traffic on all your fw polices?  Any speed differences if you disabled logging on this policy?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
MontanaMike
Contributor

Disabling/enabling logging makes no difference.

-Mike

-Mike
DanielMarquez

Hi,

 

We have the same problem. All the Google related sites slow down. It only happens with some requests.However,

we have detected that the problem only takes place when the Fortigate Proxy is active. If the navigation is done without any proxy, we don't have this slow-down.

 

Do you still have this problem? Don't you have any solution or idea? We have upgraded the firmware but we still have it.

 

Best Regards,

Daniel M.

 

 

Labels
Top Kudoed Authors