TZ570 - BWM performance issues

blublubblublub Newbie ✭
edited March 2022 in Entry Level Firewalls


I am having throughput issues when BWM is enabled and I can't solve it.

I want to achieve:

manage my upload speed based on access rules to supply enough bandwidth to certain IPs (VPN Site-2-Site) in high load scenarios on the WAN interface

I have setup BWM on a TZ570 unit as follows:

  • Defined max throughput of the WAN interface
  • Set up BWM objects
  • Added BWM object to access rule policy (VPN to LAN)

WAN Port: 100mbps symmetrical fiber line

HW: TZ570 FW 7.0.1 5050

Test without BWM: I get a download speed of 100mbs - so all good

Test with BWM enabled for that VPN (BWM rule min 60mbs max 100mbs for in and egress): 55-58mbs

During the test there is absolutely no load on the WAN interface, it's basically idle at night - but I cannot get a full speed download or upload with BWM enabled, it just doesn't scale beyond 60mbs. Even if I set the rule to 100/100 I still get 55-60mbs - clearly that can't be the point of BWM, crippling the performance 40% with BWM on

Does anyone have an idea how to fix this? thx a lot for some help here



    Larry All-Knowing Sage ✭✭✭✭

    One suggestion to check.

    Go to Policy, Security Services, and look under the "Enhanced Security" heading.

    If the value for Enhanced Security is on, turn it off, Accept the change, and re-try your tests.

    blublubblublub Newbie ✭


    I just checked and that option was already disabled - so that can't be it.

    Also GAV, IPS, etc. are disabled for zone VPN

    TKWITS Community Legend ✭✭✭✭✭

    Consider the speed of the connection on the other end of the VPN tunnel and the amount of overhead IPSec adds. If the ISP on the other end only provides 60Mbps, then that's all you'll be able to get over the tunnel no matter how fast your ISP is.

    blublubblublub Newbie ✭


    As I wrote in my post, I do get the full 100Mbs download speed as long as I do not use BWM/traffic shaping - this is not an issue related to available bandwidth or IPsec processing - I have 100mbs upload at the office and 250mbs download at home with a TZ370 and TZ570. Additionally I run the test at night in order to avoid regular traffic.

    The problem is:

    BWM "off": download speed 100Mbs

    BWM "on": download speed 55-60Mbs

    There is no traffic during that time besides the one I produce with my test. The BWM object has a minimum of 60mbs and a maximum of 100mbs and set as "realtime" - and again there is no traffic on either WAN connection. I can start the download with BWM "on" and I get 55-60mbs and while downloading I can remove the BWM rule from the VPN policy and it goes instantly up to 100mbps.

    My guess is that this is a bug

    TKWITS Community Legend ✭✭✭✭✭
    edited March 2022

    You did not mention your home internet was 250 Mbps in your original post but that's beside the point.

    Your thinking of BWM may be a little off. The minimum and maximum values, in my opinion, are incorrectly labeled. Minimum should be named something like 'expected' and Maximum should be 'burst'. 'Minimum' implies that value is the lowest allowed transfer rate (which in theory could be as low as 0 kbps), and 'Maximum' implies that value is the highest allowed transfer rate (in theory the interface rate).

    In practice 'Minimum' is pretty much the highest consistent speed the transfer will achieve, and 'Maximum' is the burst. Try setting 'Minimum' to what you want your expected transfer rate to be and try again.

    blublubblublub Newbie ✭

    Hi, yeah I didn't spec my other connection but I thought that by posting the issues it would be obvious that I wouldn't bottleneck myself with the WAN connection on the other side ;-)

    As I wrote in the first post:

    "I set the rule to 100/100 I still get 55-60mbs - clearly that can't be the point of BWM crippling the performance 40% with BWM"

    So setting the minimum at 100mbps also doesn't solve the issue - it drives me NUTS!

    NO GAV, NO IPS, NO Antispam - all turned off - and only 100kbs traffic on my WAN interface (from my RDP session) as soon as I enable traffic shaping the transfer goes down to 60mbs - the moment I remove the traffic shaping from the access rule (VPN to LAN) it goes back to full 100mbps - it just doesn't make any sense....

    TKWITS Community Legend ✭✭✭✭✭

    What support would tell you is to factory default the unit, set it up bare minimum connectivity, and try re-implementing BWM.

    I have seen where BWM on Gen7's is hit or miss and support never actually helps.

    blublubblublub Newbie ✭
    edited March 2022

    Yikes.... - I mean just for testing this is doable - backup, setup WAN, LAN and 1 VPN - then test, set up BWM and test - if that works however I would have to configure from scratch which will take about 2 weeks and then at the end it is unknown if it will be of any success - I actually hoped for some CLI / Monitoring option to figure out "what the FW is thinking"...

    TKWITS Community Legend ✭✭✭✭✭

    You could try the things in the article below but then you'd have to interpret it somehow.

    I know your firewall isn't freezing but it's probably the closest thing to figuring out 'what the FW is thinking'.

    blublubblublub Newbie ✭

    Ok that looks also complicated.

    For a workaround I now have the following idea:

    Traffic which has no BWM rule applied should automatically be "medium" priority, if I remember it correctly.

    So by classifying all/most other traffic as either "high" or "medium to lower than medium" I should always get the maximum speed on all rules without BWM and all other rules with lower priority will guarantee me a certain minimum or higher priority speed for the rules without BWM as they are medium anyway - kinda stupid workaround but I guess it should do the trick for now

    TKWITS Community Legend ✭✭✭✭✭

    "Traffic which has no BWM rule applied should automatically be "medium" priority, if I remember it correctly."

    That was true when you could select 'Global' BWM, which is no longer available in Gen7. Gen 7 wants you to classify the traffic you want BWMd. If you do not specifically classify the traffic, then the only limitation that gets applied is the Ingress and Egress values set on the interface.

