Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Subscribers 29 subscribers
  • Views 4268 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VEEAM issues with Sophos XG

Daan

Hi all,

 

I have a sophos XG 105 in brigde mode to protect my servers in the datacenter.

 

For some reason VEEAM replication is a nightmare with a sophos XG in place.

First of all, when you enable IPS, it breaks the VEEAM replication, so this is something that I had to disable.

As soon as I did that, at least VEEAM worked again.

 

So based on that I made a firewall rule between both the netwerk, to not scan, no IPS, no filtering, no application control, nothing at all, just allow everything and every service.

 

Now obviously VEEAM works, but I only get speeds of between 4 en 5 MB (megabytes) per second.

Both sides have gigabit uplinks to the internet, so there is no reason to not get higher speeds.

 

How do I start troubleshooting why I'm getting such low speeds?

And yes if I bypass the sophos, I get much much much higher speeds ...



This thread was automatically locked due to age.
Parents
  • 0

    Hi Dan

    You are using the second-smallest Appliance (Which is unusable in most cases because 2GB of Memory is definitely to less for an NGFW in any case) for protecting a Datacenter...
    Sure this is a good idea?

    According your description, you are trying to use Veeam over the Internet from one Datacenter to the other whereas both DCs are provided with 1GBit Internet Speed? Maybe you may provide us some further Informations about that network design. Is XG 105 responsible for IPSec Tunneling etc? 

    Kind Regards
    Christian

     

     

Reply
  • 0

    Hi Dan

    You are using the second-smallest Appliance (Which is unusable in most cases because 2GB of Memory is definitely to less for an NGFW in any case) for protecting a Datacenter...
    Sure this is a good idea?

    According your description, you are trying to use Veeam over the Internet from one Datacenter to the other whereas both DCs are provided with 1GBit Internet Speed? Maybe you may provide us some further Informations about that network design. Is XG 105 responsible for IPSec Tunneling etc? 

    Kind Regards
    Christian

     

     

Children
  • 0 in reply to HuberChristian

    I use the word datacenter, because it's an actual rack in a datacenter. I have no ambition on hosting a google scale datacenter behind this device obviously.

     

    The datacenter is a 48u rack, which is currently half full with servers. Average bandwidth usage is below 50 Mbit / sec

    So looking at the specs of the XG 105, I would say it should be capable of handling this no?

     

    The network design is as simple as it gets.

    Server X => Cisco router X => Gigabit ISP X => Gigabit ISP Y => Cisco router Y => Sophos XG in bridge transparant => Server Y

    So no, there is no IPSEC of tunneling or any VPN at all.

     

    I made a rule in the FW for all traffic from Server X to Server Y, so it will not scan HTTP/HTTPS, IPS, application control, throttling, anything. All checks are OFF.

    And when data is being moved, I do indeed see the counters go up, so the right rule is being hit.

     

    The Specs of this device state clearly: 

     Firewall throughput: 3.5 Gbps

    NGFW Throughput: 480 Mbps

     

    And yes I know marketing teams, so probably this is in and outbound traffic combined, but even then I would think i could still expects speeds over 100 Mbit, especially with all checks disabled no?

    The cpu of the device is not high, usually about 20-30% and memory is not full either.

  • 0 in reply to Daan

    And here you can see the actual rule as requested in the first reply

  • +1 in reply to Daan

    According your Printscreen and your Configuration you should definitely reach more than 3-5Mbps.
    As you stated... All Advanced-Policies like IPS/ATP/AppControl are switched off, so this measure should result approximately
    in "Firewall Troughput Speed".

     

    I'd advise you to check why traffic is dropped. This can be figured out using drop-packet-capture.
    See https://community.sophos.com/kb/en-us/127111
    Maybe you also should have an eye on the MTU... 

     

    PS: What ever Sophos states in their Datasheet about troughput. I wouldn't use an XG 105 even in that scenario you described. XG 105 suits well for a Branch office  up to 5 Users where no advanced Policies should be used. For anything else, it's not suited.  That's my personal mind and I'm not a Sophos Employee.