When going directly to the Internet for uncached content, it seems like it takes longer to download this new content with the ProxySG in place. Why?
Why does the ProxySG not send traffic through at wire speed?
What does WAN security cost me in relation to the performance I receive?
How do I maximize the bandwidth that I have?
To understand what performance to expect when the proxy is deployed inline in your network, look at the big picture of what the proxy is processing. Even though the proxy may have high-speed interfaces, performance may be somewhat lower than it would be without the proxy inline. Performance can be affected by the following items:
The ProxySG is a security device. It inspects traffic and applies controls based on policies. This additional inspection and processing adds some overhead, which is to be expected because the proxy does work that ordinary networking hardware does not. Several configuration elements can be set to ensure traffic passes through your ProxySG as quickly as possible. Here are some of those options:
The proxy is a caching appliance. It is important to configure your ProxySG properly to ensure the best performance possible. Because the bulk of traffic flowing through a Proxy Edition-licensed ProxySG is HTTP, we will focus on improving the caching performance. To check your caching configuration, please do the following:
With the above configuration in place, any new connections made through the proxy after saving the change will begin to take advantage of this behavior.
Inline proxy - bypassing processing
If your ProxySG is deployed inline, you need traffic to pass through it at wire speed, and you are not concerned about caching the content or authenticating the user, you can use the static bypass list to bypass interception of that traffic. A bypass entry can match on either the source or the destination address of a request. For matching traffic, the proxy ignores the policy engine and passes the traffic through.
In the case of explicit or WCCP-based deployments, only forward to the proxy those services that you wish to be intercepted and bypass the ProxySG for all other traffic.
To use the static bypass list:
In environments where only certain IP addresses are granted access to Internet resources, adding client IP addresses to the static bypass list may require firewall rules to be edited to include either the server or client IP address. This is because bypassed traffic is passed on to the router or firewall with the original source IP address, instead of the proxy's IP address that is used when the proxy is intercepting the requests.
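The firewall side effect described above can be checked before a bypass entry goes live. The following Python sketch is an added example, not Blue Coat code or ProxySG syntax: it models bypass entries as source/destination pairs and reports flows that would be bypassed but then dropped by a source-based firewall allowlist. All addresses, the list layout and the function names are constructed assumptions, and it assumes intercepted traffic leaves with the proxy's own IP as the article states.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from a real appliance).
PROXY_IP = ipaddress.ip_address("10.0.0.5")
# Bypass entries as (client, server) pairs; None means "any address".
STATIC_BYPASS = [
    ("10.1.20.0/24", None),       # bypass by source address
    (None, "203.0.113.10/32"),    # bypass by destination address
]
# Source networks the upstream firewall allows out to the Internet.
FIREWALL_ALLOWED_SOURCES = ["10.0.0.5/32", "10.1.20.0/25"]

def _matches(addr, net):
    """True if net is a wildcard (None) or contains addr."""
    return net is None or addr in ipaddress.ip_network(net)

def is_bypassed(client, server):
    """A flow is bypassed when one entry matches both of its fields."""
    c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
    return any(_matches(c, src) and _matches(s, dst)
               for src, dst in STATIC_BYPASS)

def egress_source(client, server):
    """Source IP the firewall sees: the client's own address when the
    flow is bypassed, the proxy's address when it is intercepted."""
    if is_bypassed(client, server):
        return ipaddress.ip_address(client)
    return PROXY_IP

def firewall_permits(client, server):
    src = egress_source(client, server)
    return any(src in ipaddress.ip_network(n)
               for n in FIREWALL_ALLOWED_SOURCES)

def flows_needing_rules(flows):
    """Bypassed flows the firewall would drop; each one needs a
    firewall rule for its client or server address."""
    return [f for f in flows if is_bypassed(*f) and not firewall_permits(*f)]

# Constructed test flows: (client IP, server IP).
SAMPLE_FLOWS = [
    ("10.1.20.10", "198.51.100.7"),   # bypassed, client already allowed
    ("10.1.20.200", "198.51.100.7"),  # bypassed, client not allowed
    ("10.1.30.4", "203.0.113.10"),    # bypassed by destination, not allowed
    ("10.1.30.4", "198.51.100.7"),    # intercepted, leaves as proxy IP
]

if __name__ == "__main__":
    for client, server in flows_needing_rules(SAMPLE_FLOWS):
        print(f"firewall rule needed: {client} -> {server}")
```

The same client (10.1.30.4) is permitted when intercepted and dropped when bypassed by destination, which is the case the paragraph above warns about.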