What does WAN security cost me from a performance perspective?


Article ID: 167221


Products

ProxySG Software - SGOS

Issue/Introduction

When going directly to the Internet for uncached content, it seems like it takes longer to download this new content with the ProxySG in place.  Why?
Why does the ProxySG not send traffic through at wire speed?
What does WAN security cost me in relation to the performance I receive?
How do I maximize the bandwidth that I have?

Resolution

In order to understand what kind of performance to expect when the proxy is located inline in your network, you need to look at the big picture of what the proxy is processing.  Even though the proxy may have high speed interfaces, performance may be somewhat lower than it would be without the proxy inline.  Performance can be affected by the following items:

  • Current load on the ProxySG:  Higher loads can result in longer processing time of outstanding requests.
  • Services that are enabled for interception:  This depends on which services you have set for interception and how much load each service carries.  If you have 10 services enabled, but 90% of your traffic is HTTP, then the additional services may not cause a significant increase in resource consumption.
  • Policy complexity:  Long, elaborate policy can increase processing time and slow the flow of packets through a ProxySG.
  • Off-box resources:  This includes antivirus scanning via ICAP, authentication overhead (IWA, SSO, and so forth), and external content filtering, to name a few.
  • Cache configuration


The ProxySG is a security device.  It inspects traffic and applies controls based on policies.  This additional inspection and processing adds some overhead to the proxy processing and is to be expected as the proxy does things that normal networking hardware does not normally do.  Several configuration elements can be set to ensure traffic passes through your ProxySG as quickly as possible.  Here are some of those options:

Cache Control

The proxy is a caching appliance.  It is important to configure your ProxySG properly to ensure the best performance possible.  Because the bulk of traffic flowing through a Proxy Edition-licensed ProxySG is HTTP, we will focus on improving the caching performance.  To check your caching configuration, please do the following:

  1. Log in to the Management Console (https://<ip.address.of.proxysg>:8082) of your ProxySG.
  2. Access the Configuration tab > Proxy Settings > HTTP Proxy.  (For SGOS 4.x, this option is located in Services > HTTP Proxy.)
  3. In the Acceleration Profile tab, click the 'Use Bandwidth Gain Profile' button.  Please see the ProxySG's built-in help for an explanation of each of these settings.
  4. If you are concerned about serving stale content, you may want to clear the 'cache expired objects' checkbox.  Enabling this option can cause stale content to be served to users.  If you are not concerned about stale content, you can leave it checked.  If the item is popular, the proxy will proactively keep the content fresh.
  5. Click Apply to save these changes.


With the above configuration in place, any new connections made through the proxy after saving the change will begin to take advantage of this behavior.

Inline proxy - bypassing processing

If your ProxySG is deployed inline and you need to pass traffic through it at wire speed, and you are not concerned about caching the content or authenticating the user, you can use the static bypass list to bypass interception of that traffic.  A bypass entry matches on either the source or the destination address of a request.  For matching traffic the proxy skips the policy engine entirely and passes the traffic through.

In the case of explicit or WCCP-based deployments, only forward to the proxy those services that you wish to be intercepted and bypass the ProxySG for all other traffic.

To use the static bypass list:

  1. Log in to the Management Console (https://<ip.address.of.proxysg>:8082) of your ProxySG
  2. Access the Configuration tab > Services > Proxy Services page
  3. Select the Static Bypass List tab at the top of this page
  4. Click New to enter either a source or destination IP address or range, for clients and servers for which you need the ProxySG to not process policy.
  5. Click Apply to save these changes.


In environments where only certain IP addresses are granted access to Internet resources, adding client IP addresses to the static bypass list may require firewall rules to be edited to include either the server or the client IP address.  This is because bypassed traffic reaches the router or firewall with the client's own source IP address, whereas traffic the proxy intercepts reaches them with the proxy's IP address.
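The firewall side-effect described above can be checked before bypass entries are applied.  The following is an added example, not ProxySG code or a ProxySG API: it models a firewall that permits traffic by allowed source or allowed destination, and reports which static bypass entries would be dropped once their traffic no longer carries the proxy's address.  All addresses are constructed sample values.

```python
import ipaddress

# Constructed sample firewall: traffic is allowed when the source matches an
# allowed source OR the destination matches an allowed destination.
FW_ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.5/32")]        # proxy only
FW_ALLOWED_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample static bypass entries: (type, IP or CIDR range).
STATIC_BYPASS = [
    ("src", "10.1.2.0/24"),    # client subnet to pass at wire speed
    ("dst", "203.0.113.10"),   # server already reachable by any client
    ("dst", "198.51.100.7"),   # server the firewall knows nothing about
    ("src", "10.0.0.5"),       # the proxy's own address
]


def parse_bypass_list(entries):
    """Validate entries and return (type, ip_network) pairs."""
    parsed = []
    for kind, addr in entries:
        if kind not in ("src", "dst"):
            raise ValueError(f"unknown bypass entry type: {kind!r}")
        parsed.append((kind, ipaddress.ip_network(addr, strict=False)))
    return parsed


def covered(net, allow_list):
    """True when every address in net falls inside one allow-list entry."""
    return any(net.version == rule.version and net.subnet_of(rule)
               for rule in allow_list)


def find_uncovered_bypass_entries(entries, allowed_sources, allowed_dests):
    """Return bypass entries the firewall would drop once they skip the proxy.

    A 'src' entry is fine only if the client range itself is an allowed
    source, because bypassed packets carry the client's IP, not the proxy's.
    A 'dst' entry is fine only if the server is an allowed destination, since
    the client source addresses will not match the proxy-only rule.
    """
    uncovered = []
    for kind, net in parse_bypass_list(entries):
        rules = allowed_sources if kind == "src" else allowed_dests
        if not covered(net, rules):
            uncovered.append((kind, str(net)))
    return uncovered


if __name__ == "__main__":
    for kind, net in find_uncovered_bypass_entries(
            STATIC_BYPASS, FW_ALLOWED_SOURCES, FW_ALLOWED_DESTINATIONS):
        print(f"firewall rule needed for bypassed {kind} {net}")
```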