
XG 105 slowing down throughput

Recently I purchased an XG 105 firewall to place in my dataroom. The device is installed in bridge mode. 

When I bypass the device, I reach speeds of 30 MB/sec (on a 1 Gbit/sec connection)

When the traffic is going over the XG 105 in bridge mode, speeds are usually between 5 MB/sec and 8 MB/sec.

The traffic that is being generated at that point in time is VEEAM traffic.

I have checked the switchports, but not a single input nor output error is detected, so that seems to be OK.


At first I thought it might be due to IPS or application detection, so I created a separate firewall rule that allows the VEEAM traffic and does not do any kind of IPS or scanning on this traffic. You can see the amount of GBs increased on this particular firewall rule, so I'm pretty sure the right one is hit.

But despite this rule, still my speeds are much slower compared to when I don't have the Sophos XG 105 in between.

The CPU is around 30% when the traffic is flowing, and memory usage around 80%, normal values I presume.


Is there anybody who could give me some pointers about why traffic is so much slower when passing through the XG firewall?


Thank you!



  • Hi Ian,

    Thanks for your reply.

    Please see a screenshot of the IPS rules

    1. The VPN Bypass rule I created with a certain source and destination range that identifies the IP ranges used for VEEAM replication. As you can see I disabled all features for this rule

    2. Block ports is just blocking certain incoming ports I want blocked for all servers

    3. My LAN to WAN policy which is very standard, allowing everything but scanning traffic for viruses and allowing all applications

    4. My WAN to LAN policy which is also standard, allowing all applications and having IPS enabled

    Below you can find the overview of all IPS rules that are currently enabled for WAN to LAN

  • In the meantime I was able to obtain better speeds due to 3 changes in settings I made:


    1. My total available wan bandwidth in the traffic shaping settings was still on 100000 KBps, I added a 0 to make it match my 1 Gbit connection

    2. I disabled optimize for realtime VoIP

    3. On the WAN side I disabled all AV scanning by unchecking the Scan HTTP box 
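    The two numbers the thread is built on are a bypass rate of 30 MB/s against an in-line rate of 5-8 MB/s (opening post), and a traffic-shaping field that read 100000 "KBps" before a zero was added (item 1 above). Whether that field counts kilobytes or kilobits per second is not stated anywhere on the page, and the two readings differ by a factor of eight, so the check below, an added example and not Sophos code or anything posted in the thread, evaluates the cap under both interpretations and reports whether it could explain the observed ceiling. The figures are the ones quoted in the posts; the unit handling is an assumption made explicit rather than a statement about the XG UI.

```python
"""Sanity-check an in-line firewall throughput drop against a configured
bandwidth cap.  Added example for this thread, not Sophos code.  The figures
used (30 MB/s bypass, 8 MB/s best in-line rate, a 1 Gbit/s link, a shaper
field reading 100000) are the ones quoted in the posts; whether that field
is kilobytes or kilobits per second is NOT stated on the page, so the check
is run under both interpretations (an assumption, not XG documentation).
"""

BITS_PER_BYTE = 8


def link_capacity_mbytes(link_gbit: float) -> float:
    """Theoretical ceiling in MB/s for a link of link_gbit Gbit/s (1 Gbit/s = 125 MB/s)."""
    return link_gbit * 1000 / BITS_PER_BYTE


def shaper_cap_mbytes(value: float, unit: str) -> float:
    """Convert a shaper limit to MB/s. unit is 'KB/s' (kilobytes) or 'kbit/s'."""
    if unit == "KB/s":
        return value / 1000
    if unit == "kbit/s":
        return value / 1000 / BITS_PER_BYTE
    raise ValueError(f"unknown unit {unit!r}")


def inline_penalty(bypass_mbytes: float, inline_mbytes: float) -> float:
    """Fraction of the bypass throughput lost when traffic is forced through the device."""
    return 1.0 - inline_mbytes / bypass_mbytes


def diagnose(bypass_mbytes: float, inline_max_mbytes: float,
             shaper_value: float, link_gbit: float = 1.0) -> dict:
    """Decide whether a shaper cap can explain the observed in-line ceiling.

    A cap is a candidate explanation only if it sits below the rate the link
    delivered without the device (otherwise it was never reached) and the
    best in-line rate stays at or under it.  Everything else in the drop has
    to be looked for elsewhere (IPS/AV, bridge forwarding, offload, etc.).
    """
    ceiling = link_capacity_mbytes(link_gbit)
    caps = {unit: shaper_cap_mbytes(shaper_value, unit) for unit in ("KB/s", "kbit/s")}
    candidates = [u for u, c in caps.items()
                  if c < bypass_mbytes and inline_max_mbytes <= c]
    return {
        "link_ceiling_mbytes": ceiling,
        "bypass_plausible": bypass_mbytes <= ceiling,   # a bypass rate above line rate means a bad measurement
        "penalty": inline_penalty(bypass_mbytes, inline_max_mbytes),
        "shaper_caps_mbytes": caps,
        "candidate_units": candidates,
    }


if __name__ == "__main__":
    for shaper in (100_000, 1_000_000):          # before and after "adding a 0"
        r = diagnose(bypass_mbytes=30, inline_max_mbytes=8, shaper_value=shaper)
        print(f"shaper={shaper}: caps={r['shaper_caps_mbytes']} "
              f"candidate_units={r['candidate_units']} penalty={r['penalty']:.0%}")
```

    Run as-is it shows that 100000 read as kilobytes (100 MB/s) is above the 30 MB/s the link delivered without the device and so cannot be what capped it, while the same value read as kilobits (12.5 MB/s) is a plausible ceiling for an 8 MB/s in-line rate; after the extra zero neither reading is below 30 MB/s. Either way the 73% penalty is only partly accounted for, which is why the scanning and IPS settings discussed in the rest of the thread still matter.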


  • Hi Daan,

    Thank you for taking the time to post all your details plus the changes you made. Not sure why you would have AV settings on the WAN?

    Realtime VoIP should not have made that much of an effect.

    What I was looking for is this IPS tab settings

    Ian

  • Hi Ian,


    Already checked this DoS page before, as I read it on the community about TCP floods, but it seems to be OK in my case


    About the WAN settings, I currently have it configured as follows, does this come close to best practice?

    Thanks for your help

  • Hi Daan,

    I am not sure what you are trying to achieve with that rule? Also you do not need a WAN to LAN rule unless you are running a server with external access. The firewall (XG) manages all connections and if you set up an outgoing connection then the firewall is able to relate that when it sees an incoming request as part of a sequence.

    IPS - wan to lan is used for protecting servers, for general use the setting is LAN to WAN and you can tune it because the XG defaults are provided as templates.

    I will post one of mine and they are not perfect but work well for home use.

    The log entries are missing from the bottom of the second screenshot.

    Ian

  • Hi Ian,


    Thank you again for your help and fast replies, and I apologize for not being clear enough about my setup.

    In my setup there are no users behind the XG, only servers

    The XG is put in bridge between the default gateway of a public IP range and the rest of the range where the servers are sitting.

    So all the servers behind the XG have a public IP; these are mainly webservers, mailservers, some VPS servers etc.


    So my goal is as follows:

    1. Protect the webservers with public IPs as well as possible from threats coming from the internet (WAN) through the WAN to LAN policy

    2. Monitor my webservers with public IPs so that they are not sending out bad files, making bad requests, are part of a botnet or connecting to a C&C server, through the LAN to WAN policy


    I hope this clarifies my intentions.

    As this is a setup that is apparently found less often, it has proven to be harder for me to find the right settings and information in the sophos community, hence my questions :)


  • Thank you for the detailed update. I am not sure about bridge mode, a bit of guessing here.

    An incoming rule for each server based on its public IP address (or FQDN), no NAT, IPS -> WAN to LAN Security -> scan at least HTTP and FTP, add services for each server function, e.g. mail server IMAPS, POP3S, SMTPS, at least until you are happy with performance. Add a rule for NTP outgoing.

    Ian

  • Hi Ian,

    I'm going to let the environment run like this for a few days, with HTTP and FTP scanning disabled on the WAN side, but with IPS enabled, let's see how that works out for me.

    Thank you for the pointers, highly appreciated.