Solved

Need help to solve why our site is slow behind firewall

Posted on 2007-03-21
Last Modified: 2013-11-16
Looking for someone to help figure out what a checkpoint firewall does not like about our site.  We have a .Net 2.0 site and people behind certain firewalls are experiencing mega (1.5 minutes) load time.  Can anyone recommend a solution or would be willing to help?

Question by:mcannonmcannon
17 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18770221
I don't have any Checkpoint exposure but first of all, are you sure that checkpoint is the one which is causing this? If so, how did you arrive at that conclusion ?

Cheers,
Rajesh
0
 

Author Comment

by:mcannonmcannon
ID: 18770732
We have several customers experiencing the delays and the only thing I have found so far in common is the Checkpoint firewall.  Not saying that is the problem but certainly looks to be a good candidate.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18772281
Just for clarification: you are hosting the web server at your site.  People at outside sites behind Checkpoint firewalls are experiencing slow connections.  People outside not behind Checkpoint firewalls are OK?

I just want to make sure of this since I've actually never heard of this type of issue before.  The only thing I can think of right away is DNS not resolving correctly so it times out on a couple of servers before it gets to one with an answer it can use.  However, this should only cause a problem the first time as then subsequent loads should be faster as the DNS entry would be cached.

Can you confirm whether, after the site loads the first page, navigation goes smoothly or goes slow for every page?
0
 

Author Comment

by:mcannonmcannon
ID: 18774956
The site is hosted at a premium facility and yes, so far as we can determine, the only commonality is the Checkpoint firewall.  Each page is slow when they are behind the firewall.  I have tested from 30+ locations and it is pretty fast, 3-5 seconds.

Thought maybe the firewall was doing some type of deep packet inspection and getting hung up on something.  Not sure.  Right now I am attempting to get some of the users to perform Netmon traces.

Any thoughts / ideas / recommendations are helpful
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18777065
One possible reason can be high fragmentation at firewall's side. What is the MTU set on the firewall for both incoming and outgoing interfaces ??

Cheers,
Rajesh
0
 

Author Comment

by:mcannonmcannon
ID: 18779188
A big issue is it's not our firewall but rather the customers'.  Other sites are fine for them as well and it is just our site having the issue.  Wondering if the firewall could be having an issue with the .NET code.
0
 

Expert Comment

by:gatomalaco
ID: 18806256
Some questions (for better understanding ^_^ )

1- Which product and version of Checkpoint are you using?
2- Are you using appliances like Nokia's IPSO or any other vendor like Crossbeam? Or are you using a SecurePlatform distro?
3- Have you checked whether SmartDefense is applied in the rulebase? If you are using SmartDefense, how fast is your firewall's microprocessor? How much RAM do you have? What is the NIC's brand and model?
4- In the rule base (security policy), which services are you allowing in the rule? (TCP, UDP & others? Which version of all of them?)
5- Have you tried to replicate this problem and scenario in a lab?

0
 

Author Comment

by:mcannonmcannon
ID: 18823108
gatomalaco - Did you read the posts?  It is NOT our firewall so I have very little information on it except to note that the few customers having the issue are behind Checkpoints.
0
 


Author Comment

by:mcannonmcannon
ID: 18908463
Turns out it was an ISAPI filter causing all the issues.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18909812
Could you be a bit more precise about which ISAPI filter, on which side, reduced the speed?

This site is also a knowledge base, and there will be others facing the same problems too.

Tolomir
0
 

Author Comment

by:mcannonmcannon
ID: 18926645
We had an ISAPI filter loaded on our IIS web server that helped our web analytics package.  We are not sure why it caused problems, but removing it fixed the issue for them.  We are looking to see if we can determine what the issue was between the ISAPI filter and the handful of our customers who were experiencing it.  For now the solution is to not use the ISAPI filter.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18931004
That's why I only use Apache, IIS has too many issues  ;)  jk, please don't flame me.

That is really bizarre though.  Just out of curiosity, how did you know to look at disabling the ISAPI filter?  Mainly just curious if you were trying random things or you had a reason to check it out (e.g. event logs, etc.).
0
 

Author Comment

by:mcannonmcannon
ID: 19684210
Did not realize it was still open. Sorry.  The issue, while only with Checkpoint firewalls, turned out to be an ISAPI filter on IIS that was doing a reverse DNS lookup.  Not sure what the issue was, but disabling the reverse DNS lookup solved the problem.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 19684437
OK, so I was right: DNS lookups timing out.  However, I have no clue how the ISAPI reverse DNS lookups work. It should still have loaded quicker on subsequent page loads, as the DNS resolver should have the failures cached as well as the successes.  Still quite odd that it was only Checkpoint firewalls. Either that or an unbelievable coincidence.
0
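The resolution reported in this thread (a reverse DNS lookup made inside the request path) together with the caching point raised in the last reply, as an added Python example that is not the poster's ISAPI filter or any code from the thread: it gives each PTR lookup a deadline and caches failures as well as successes, so an unanswered lookup costs one short wait rather than a stall on every page. The class and function names, the timeout and TTL values, and the sample client address are assumptions made for the example.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout


def system_ptr(ip):
    """Real reverse lookup; blocks for as long as the OS resolver does."""
    return socket.gethostbyaddr(ip)[0]


class BoundedReverseDns:
    """PTR lookups with a deadline; failures are cached as well as successes."""

    def __init__(self, resolver=system_ptr, timeout=0.5, ttl=300.0, negative_ttl=60.0):
        self.resolver, self.timeout = resolver, timeout
        self.ttl, self.negative_ttl = ttl, negative_ttl
        self.cache = {}  # ip -> (hostname or None, expiry on the monotonic clock)
        self.pool = ThreadPoolExecutor(max_workers=8)

    def lookup(self, ip):
        hit = self.cache.get(ip)
        if hit and hit[1] > time.monotonic():
            return hit[0]  # answered from cache, including cached failures
        future = self.pool.submit(self.resolver, ip)
        try:
            name = future.result(timeout=self.timeout)
        except (LookupTimeout, OSError):
            name = None  # deadline hit, or the resolver reported no PTR record
        lifetime = self.ttl if name else self.negative_ttl
        self.cache[ip] = (name, time.monotonic() + lifetime)
        return name


def time_requests(dns, client_ips):
    """Seconds each simulated request spends waiting on its reverse lookup."""
    waits = []
    for ip in client_ips:
        start = time.monotonic()
        dns.lookup(ip)
        waits.append(time.monotonic() - start)
    return waits


if __name__ == "__main__":
    def unanswered(ip):  # constructed stand-in for a PTR query that never gets a reply
        time.sleep(2.0)
        raise socket.herror(1, "Unknown host")

    dns = BoundedReverseDns(resolver=unanswered, timeout=0.2)
    # 192.0.2.10 is a documentation address used as a constructed client IP
    print([round(w, 2) for w in time_requests(dns, ["192.0.2.10"] * 3)])
```

Only the first request from an address waits out the deadline; later requests are served from the negative cache until `negative_ttl` expires.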
 

Accepted Solution

by:
AnnieMod earned 0 total points
ID: 19699547
PAQed with points refunded (500)

AnnieMod
Cleanup Admin
0
