Our Internet connection slows to an unusable crawl on Sunday mornings when our 200+ guest devices get connected. I think it may be the router, but I’m not sure. I’d like any suggestions to troubleshoot our Internet sluggishness to verify if it is in fact the router, and/or suggestions for replacing our SonicWall NSA 250M. I’m leaning toward the Watchguard M370 as it seems to offer a lot more performance at a much lower price than competitors like SonicWall and Fortinet, but there are lots of options and my experience is limited. Thanks!
What speed is your connection? The 250M is quite old and was never really built for today’s super-fast connections. It can definitely crumble under the load. The speed of your connection would be pretty important information in choosing the right firewall.
100 down 20 up. It seems like it should be able to handle it.
I would bet it’s the Sonicwall. Unlikely the links are saturated, but good likelihood that the CPU is getting bogged down if you have lots of security services turned on. It should handle routing and ACLs in hardware but things like IPS and AV usually happen in software on the CPU. I’d log in at your time of highest usage and go to the diagnostics page and check the CPU usage, and maybe the list of processes. https://www.sonicwall.com/en-us/support/knowledge-base/170505343601558
If you need to resolve the issue right away, you could try turning off all services except the firewall: Gateway AV, IPS, DPI, SSL decryption, whatever is turned on. If you’re CPU bound that should significantly improve performance. According to the spec sheet, you can only expect 130 Mbps throughput with DPI features on, and that’s the best-case laboratory conditions number. Real world could be a good bit slower.
Recently, our old SonicWall at the remote campus dropped the live stream. Upon inspection, it showed we were hitting 10,002 connections when its max rating was 10,000.
So like Joe, I’d suspect you could just be hammering your SW.
The posts could be right about the processor overload, rather than bandwidth itself. Something to try in the interim is to block OS updates during service times. We have done that and it greatly relieved bandwidth and firewall load. We have an NSA 3600 with 50 x 50 fiber internet, and up to 500 devices combining wired and wireless, and still have good performance.
You could have 100 or more phones start running OS updates when arriving on the network.
Another thing, we installed SonicWall Analyzer to assess network usage. If your pastors think everyone is sitting there using YouVersion, I have news for them. Snapchat is our 5th highest user of bandwidth on a typical Sunday morning. We also block proxy servers with firewall app rules to prevent users bypassing our filter. The wireless controller also turns off the wifi during the night, so someone does not get on public wifi during the night and try causing us trouble.
Thank you everyone for your feedback. I made a few changes according to SonicWall’s performance recommendations on their website, including disabling all UTM services except for content filtering, which is all I think we really need. I also downloaded Speed Test Logger and had it download a 20MB file every minute from our web host, and although the speed wasn’t always great, it didn’t seem all that bad either.
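A way to reproduce the once-a-minute download measurement described above and pick out sustained slow windows (rather than single noisy readings), as an added example that is not the Speed Test Logger tool and not code from anyone in the thread; the URL is a placeholder and the readings are constructed:

```python
# Added example (not the Speed Test Logger tool from the thread): probe the WAN
# once a minute with a fixed-size download and flag sustained slow windows.
import time
import urllib.request
from statistics import median

# Placeholder: point at a ~20 MB file on your own web host, over HTTPS.
TEST_URL = "https://example.invalid/probe-20MB.bin"

def measure_download(url, timeout=60):
    """Stream one download of url; return (bytes_received, seconds)."""
    start, size = time.monotonic(), 0
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        while chunk := resp.read(64 * 1024):
            size += len(chunk)
    return size, time.monotonic() - start

def mbps(nbytes, seconds):
    """Bytes over a duration -> megabits per second."""
    return nbytes * 8 / seconds / 1e6

def flag_slow_windows(samples, floor_mbps, min_run=3):
    """Return (start, end, median_mbps) for each run of >= min_run consecutive
    readings below floor_mbps; samples is a list of (timestamp, mbps). One slow
    reading is noise; a sustained run is a real bottleneck (e.g. a CPU-bound DPI box)."""
    windows, run = [], []
    def close_run():
        if len(run) >= min_run:
            windows.append((run[0][0], run[-1][0], median(r for _, r in run)))
        run.clear()

    for ts, rate in samples:
        if rate < floor_mbps:
            run.append((ts, rate))
        else:
            close_run()
    close_run()
    return windows

# Constructed readings, one per minute around a 09:00 service on a 100/20 link.
SAMPLE_READINGS = [
    ("08:55", 88.1), ("08:56", 91.4), ("08:57", 85.0), ("08:58", 42.3),
    ("08:59", 17.8), ("09:00", 6.2), ("09:01", 4.9), ("09:02", 9.7),
    ("09:03", 61.0), ("09:04", 40.0), ("09:05", 79.0),
]

if __name__ == "__main__":  # live mode: one log line per minute
    while True:
        n, secs = measure_download(TEST_URL)
        print(time.strftime("%Y-%m-%d %H:%M"), f"{mbps(n, secs):.1f} Mbps")
        time.sleep(60)
```

Run it to a file over a Sunday morning and compare the flagged windows against the firewall's CPU graph for the same minutes; if they line up, the box is the bottleneck rather than the link.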
Simple quick solution - implement a Squid proxy onsite. This will off-load much of the 200 user traffic load, as they will be accessing much of the same sites and content while on site. Should give you about a 10x performance boost (equivalent to a 1Gbit WAN connection) and will also give you the ability to limit the kind of content accessed if you add in DansGuardian.
We use a Watchguard M300 with 1 Gb internet fibre for one of our locations and it works very well.
We had similar issues when we had an NSA240 and it couldn’t handle the increased internet speed. It would get pegged at 100%. We switched to an NSA3500 and the CPU dropped to under 10% with everything on. The pricing does go up quite a bit though but you need what you need. The other option we tried before the upgrade was using two firewalls but that just got difficult.