Need help to solve why our site is slow behind firewall

Looking for someone to help figure out what a checkpoint firewall does not like about our site.  We have a .Net 2.0 site and people behind certain firewalls are experiencing mega (1.5 minutes) load time.  Can anyone recommend a solution or would be willing to help?

mcannonmcannonAsked:

rsivanandanCommented:
I don't have any Checkpoint exposure, but first of all, are you sure that Checkpoint is the one causing this? If so, how did you arrive at that conclusion?

Cheers,
Rajesh
0
mcannonmcannonAuthor Commented:
We have several customers experiencing the delays and the only thing I have found so far in common is the Checkpoint firewall. Not saying that is the problem but it certainly looks to be a good candidate.
0
Cyclops3590Commented:
Just for clarification: you are hosting the web server at your site. People at outside sites behind Checkpoint firewalls are experiencing slow connections. People outside not behind Checkpoint firewalls are ok?

I just want to make sure of this since I've actually never heard of this type of issue before.  The only thing I can think of right away is DNS not resolving correctly so it times out on a couple of servers before it gets to one with an answer it can use.  However, this should only cause a problem the first time as then subsequent loads should be faster as the DNS entry would be cached.

Can you confirm whether, after the site loads the first page, navigation goes smoothly or goes slow for every page?
0
mcannonmcannonAuthor Commented:
The site is hosted at a premium facility and yes, so far as we can determine, the only commonality is the Checkpoint firewall. Each page is slow when they are behind the firewall. I have tested from 30+ locations and it is pretty fast, 3-5 seconds.

Thought maybe the firewall was doing some type of deep packet inspection and getting hung up on something.  Not sure.  Right now I am attempting to get some of the users to perform Netmon traces.

Any thoughts / ideas / recommendations are helpful
0
rsivanandanCommented:
One possible reason can be high fragmentation at firewall's side. What is the MTU set on the firewall for both incoming and outgoing interfaces ??

Cheers,
Rajesh
0
mcannonmcannonAuthor Commented:
A big issue is it's not our firewall but rather the customers'. Other sites are fine for them as well and it is just our site having the issue. Wondering if the firewall could be having an issue with the .NET code.
0
gatomalacoCommented:
Some questions (for better understanding ^_^ )

1- Which product and version of Checkpoint are you using?
2- Are you using appliances like Nokia's IPSO or any other vendor like Crossbeam? Or are you using a SecurePlatform distro?
3- Have you checked if SmartDefense is applied in the rulebase? If you are using SmartDefense, how fast is your firewall microprocessor? How much RAM do you have? What is the NIC's brand and model?
4- In the rule base (security policy), which services are you allowing in the rule? (tcp, udp & others? which version of all of them?)
5- Have you tried to replicate this problem and scenario in a lab?

0
mcannonmcannonAuthor Commented:
gatomalaco - Did you read the posts?  It is NOT our firewall so I have very little information on it except to note that the few customers having the issue are behind Checkpoints.
0
mcannonmcannonAuthor Commented:
Turns out it was an ISAPI filter causing all the issues.
0
TolomirAdministratorCommented:
Could you be a bit more precise about which ISAPI filter, on which side, reduced the speed?

This site is also a knowledge base, and there will be others facing the same problems too.

Tolomir
0
mcannonmcannonAuthor Commented:
We had an ISAPI filter loaded on our IIS web server that helped our web analytics package. We are not sure why it caused problems but removing it fixed the issue for them. We are looking to see if we can determine what the issue with the ISAPI filter and the handful of our customers that were experiencing the issue was. For now the solution is to not use the ISAPI filter.
0
Cyclops3590Commented:
That's why I only use Apache, IIS has too many issues  ;)  jk, please don't flame me.

That is really bizarre though. Just out of curiosity, how did you know to look at disabling the ISAPI filter? Mainly just curious if you were trying random things or you had a reason to check it out (e.g. event logs, etc.).
0
mcannonmcannonAuthor Commented:
Did not realize it was still open. Sorry. The issue, while only with Checkpoint firewalls, turned out to be an ISAPI filter on IIS that was doing a reverse DNS lookup. Not sure what the issue was but disabling the reverse DNS lookup solved the problem.
0
Cyclops3590Commented:
OK, so I was right, DNS lookups timing out. However, I have no clue how the ISAPI reverse DNS lookups work. It should still have loaded quicker on subsequent page loads as the DNS resolver should have the failures cached as well as the successes. Still quite odd that it was only Checkpoint firewalls. Either that or an unbelievable coincidence.
0
AnnieModCommented:
PAQed with points refunded (500)

AnnieMod
Cleanup Admin
0
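Added example, not part of the original thread and not the analytics filter's code: a sketch of how a server-side component can do the reverse DNS lookup discussed above without stalling the page, by giving each PTR lookup a hard deadline and caching failures as well as successes. It assumes the lookup ran in the request path; the class `BoundedReverseDns`, the stand-in resolver, the hostnames and the documentation-range addresses are all constructed for illustration.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

class BoundedReverseDns:
    """Reverse (PTR) lookups with a hard deadline and positive/negative caching."""

    def __init__(self, resolver=None, timeout=0.5, ttl=300.0, workers=4):
        # resolver: callable ip -> hostname; defaults to the system resolver.
        self._resolve = resolver or (lambda ip: socket.gethostbyaddr(ip)[0])
        self._timeout = timeout
        self._ttl = ttl
        self._cache = {}  # ip -> (hostname or None, expiry on the monotonic clock)
        self._pool = ThreadPoolExecutor(max_workers=workers)

    def lookup(self, ip):
        """Return (hostname_or_None, seconds_spent, served_from_cache)."""
        start = time.monotonic()
        hit = self._cache.get(ip)
        if hit and hit[1] > start:
            return hit[0], time.monotonic() - start, True
        future = self._pool.submit(self._resolve, ip)
        try:
            name = future.result(timeout=self._timeout)
        except (LookupTimeout, OSError):
            name = None  # slow or failed: remember the failure as well
        self._cache[ip] = (name, time.monotonic() + self._ttl)
        return name, time.monotonic() - start, False

def constructed_resolver(ip):
    # Constructed stand-in for DNS: one address answers at once, the other
    # stalls the way an unanswered PTR query does before failing.
    if ip == "198.51.100.7":
        time.sleep(0.4)
        raise OSError("no PTR answer")
    return "client.example.test"

def demo():
    dns = BoundedReverseDns(resolver=constructed_resolver, timeout=0.1)
    return [dns.lookup(ip) for ip in ("192.0.2.10", "198.51.100.7", "198.51.100.7")]

if __name__ == "__main__":
    for name, spent, cached in demo():
        print(f"{name!s:22} {spent * 1000:7.1f} ms  cached={cached}")
```

A lookup that misses its deadline keeps occupying a worker thread until the resolver gives up, so the pool size limits how many stalled lookups can be outstanding at once.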
Question has a verified solution.