01-25-2023 07:29 AM - edited 01-25-2023 07:51 AM
I recently installed a new pair of PA3220s at one of our international remote offices in India to serve as basic Internet Edge Firewalls that are linked to a 300Mbps internet circuit. The PAs have 2x Portchannel links each with sub-interfaces that terminate down to 2x C9300 Layer 2 Core switches (Core A and Core B), and from there, we have about three access switches that each have a leg to Core A and Core B (with the Core B leg being blocked due to STP ofc).

The issue here is that 4 weeks into the network being deployed, users are just now mentioning that video-streaming, audio-calls, web-browsing, etc. are working just fine with no issues. However, when they try to download any file, i.e. Ubuntu .iso, Wireshark, O365, etc., it could take them 3-4 hours to complete via wired or wireless, and they have to instead go home to complete the install. They mention that downloading files is where they have slowness but everything else is completely fine... They also provided me a local speed test that shows them getting 230Mbps Down and 250 UP.

Originally I thought that maybe my "File-Blocking Profile" could be interfering with this file download issue and had removed it from my "Allow-to-Internet" Security Rule, but it does not seem that did anything as file downloads are still slow... I also created a Host/32 specific Internet-Allow-Out Security Rule to allow a specific host to go out to the internet with no security profiles attached to the rule and moved that rule all the way to the top (to rule out issues with my other security rules/security profiles), but still, the file downloads were very slow...

I am a bit confused about what exactly could make file downloads so slow but allow everything else to run smoothly. My next step would be to test downloads when directly behind the provider's circuit to see if the issue still follows, but I find it hard to believe that the provider's end could cause this very specific issue with just "file downloads". Any advice?
Regarding Configurations and Specifications on Firewall:
- We are not doing SSL Decryption
- Data Plane if : 0-9% (varies throughout the day)
- We are not doing QoS
- The Office is barely utilizing the network at the moment as everyone is still working from home. Only a few users work inside the office.
EDIT: Just had the user test directly on the provider Internet Circuit and tests were very fast, so there is definitely something going on with the Firewall.