
Sophos XG - How to determine performance bottlenecks

Hi,

When using Sophos XG (HW appliance or virtual machine): how can I determine that my machine is not in performance trouble?

Is there any guideline? When CPU goes over a threshold? Or disk usage? Or or or?

Any checklist to walk through?



  • There are system graphs in Diagnostics you can look at, although I do understand your point on what the max or acceptable limits are. For the most part these thresholds will be determined first by which model you have, then by what you have enabled; for example, my last SG firewall had much slower throughput with IPS enabled than without. This in its own sense makes it hard to have a benchmark of what is acceptable, since every config can vary from one to another.

    What I try to do is get a couple of baselines to go off of for my own knowledge. For example, come in when no one is around or using the network and check on the utilization; it kind of gives me a baseline to go off of. Then compare that against a normal day at work with no issues as well. I do that on and off a few times so I have an idea of what normal is, so if I see it above that then I know something is up.

  • Thanks for both answers.

    I understand that there is no general master plan for that (if CPU is more than xx percent, or something like this).

    So if there is any trouble in my networks I need to check whether some of the operating values are suspicious.

  • Hi,

    I think this will help you out the best: you can create alert profiles.

    https://community.sophos.com/kb/en-us/123084

    Peace

  • Hi, sorry for the delayed return to this thread.

    When I create an alert profile I need to know which thresholds to configure.

    And there I am back at my problem.

    What causes a system to become a bottleneck (and, foremost, why)?

    Best, Gernot

  • No one can really know your network but you. Is there a time when you can have minimal usage and monitor the bandwidth, CPU usage, etc.?

    Baselines-

    If there is, what I would do is watch with nothing going on and get an idea of a baseline (what resources are being used with most systems idling), then transfer some large files or upload some to a cloud share, then download them and again check the usage to better understand how much is used with what you are doing.

    Remember, testing can be creative. Do you have a DMZ? If so, have the DMZ computer download a file while you are transferring a file from that computer to your LAN or vice versa, maybe while some other computers are streaming YouTube, to get an idea of what traffic would be like from your WAN to LAN when you have multiple users working. Then multiply the results by how many actual users you have. For example, when I test I typically have 5 computers streaming YouTube and a couple of file transfers/downloads going on. If this raises my CPU by 1%, then I know that I could multiply that by 10 to get 10%.

    5 YouTubers + 2 downloads = 1%

    1% * 10 = 10%, or 50 YouTubers + 20 downloaders

    It is important to note that this is rough math; actually, more users in real time might get me to 13% instead of 10%, depending on what the unique systems are actually doing, but a 3% to 5% adjuster, depending on how much you are multiplying by, is a good way to be safe. In other words, for every 10% you may want to also add a few percent just to cover yourself until you get a better understanding from your baseline, tests and actual network monitoring.

    For more on baseline: https://www.garlandtechnology.com/blog/protect-your-network-know-your-baseline-traffic

    As for Alerts-

    Once you understand your baseline you can understand what would constitute an alert, albeit there are some obvious ones, i.e. CPU usage at 85% or higher. Some might say 80%, some might say 90%; again, it depends on your hardware model and what you may or may not be stuck with.

    For example, I bought one model higher than what I thought I needed in case of growth, so my baseline should really never go above 70%.  

    Now onto bottlenecks-

    Bottlenecks are tricky and may not always be the firewall. They can include your ISP, cabling, switches, routers, servers and PCs (for PCs it is often the NIC, or the count of PCs on one particular aspect, be it the switch or the interface on the firewall; but again, that can involve the PC count against the model of your firewall and its capability or throughput).

    One easy way to break down or find bottlenecks is testing different areas of your network, basically point A to point B: did the speed look right, were there any other issues? If not, you probably don't have one there and you can move on to test another area. (Think of the different areas on the whole path, meaning which switch this is using, whether the devices are on different subnets, whether this is LAN to LAN, DMZ to LAN, LAN to DMZ, WAN to LAN, LAN to WAN to DMZ to WAN, or WAN to DMZ.)

    But there is a lot more to consider with bottlenecks, because they can depend on what your setup is, and typically that can vary from network to network.

    Bottlenecks: www.garlandtechnology.com/.../protect-your-network-know-your-baseline-traffic
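The baselining method described in the last reply (idle baseline, workday baseline, synthetic load test, extrapolation with a safety margin, then alert levels derived from the baseline rather than from a fixed number) can be written down as a small script so the arithmetic is repeatable. This is an added example, not code from the thread or from Sophos; the sample figures are constructed for illustration, and the 85% capacity ceiling, the 3-points-per-10% margin and the 15-point anomaly headroom are assumptions to be tuned against your own appliance model and graphs.

```python
"""Turn CPU utilisation samples into a baseline, a load extrapolation and
alert thresholds, following the baselining approach from the thread above.

Added example; all sample figures are constructed, not measured on any
Sophos appliance.  Replace them with readings taken from the system graphs
under Diagnostics or from your monitoring system.
"""
import math
from statistics import median

# Constructed: CPU % sampled every 5 minutes off-hours, network idle.
IDLE_SAMPLES = [4, 5, 4, 6, 5, 4, 5, 7, 5, 4, 5, 6]
# Constructed: the same appliance on a normal working day with no complaints.
WORKDAY_SAMPLES = [18, 22, 20, 25, 21, 19, 23, 27, 22, 20, 24, 21]
# Constructed: synthetic test of 5 video streams + 2 file transfers, run off-hours.
LOAD_TEST_SAMPLES = [6, 7, 6, 6, 7]


def percentile(samples, pct):
    """Nearest-rank percentile of a list of numbers; pct in (0, 100]."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def baseline(samples):
    """Summarise 'normal': the typical value and the value the box rarely
    exceeds (95th percentile), so one spike does not skew the picture."""
    return {"median": median(samples), "p95": percentile(samples, 95)}


def load_cost(idle_samples, load_samples):
    """CPU points consumed by one unit of the synthetic load
    (median under load minus the idle median)."""
    return median(load_samples) - median(idle_samples)


def extrapolate(idle_median, cost_per_unit, scale, margin_per_10=3):
    """Estimate utilisation when the synthetic load is multiplied by `scale`,
    then add the thread's rule-of-thumb margin of a few points for every
    10% predicted (3 points by default; an assumption, tune to your data)."""
    predicted = idle_median + cost_per_unit * scale
    return round(predicted + margin_per_10 * predicted / 10, 1)


def alert_thresholds(workday, hard_ceiling=85, headroom=15):
    """Two alert levels rather than one fixed number:
      anomaly  - workday p95 plus headroom: 'something is up' on this box
      capacity - a hardware-dependent ceiling (85% here; assumption)."""
    anomaly = min(hard_ceiling, workday["p95"] + headroom)
    return {"anomaly": anomaly, "capacity": hard_ceiling}


def sustained_breach(window, threshold, consecutive=3):
    """True only if `consecutive` samples in a row exceed the threshold, so a
    single spike (one large download) does not raise an alert."""
    run = 0
    for value in window:
        run = run + 1 if value > threshold else 0
        if run >= consecutive:
            return True
    return False


if __name__ == "__main__":
    idle = baseline(IDLE_SAMPLES)
    work = baseline(WORKDAY_SAMPLES)
    cost = load_cost(IDLE_SAMPLES, LOAD_TEST_SAMPLES)
    print("idle baseline:", idle, "workday baseline:", work)
    print("one test unit (5 streams + 2 transfers) costs", cost, "CPU points")
    print("x10 users, with margin:", extrapolate(idle["median"], cost, 10), "%")
    levels = alert_thresholds(work)
    print("alert thresholds:", levels)
    # Constructed: a window of recent samples to check against the anomaly level.
    recent = [30, 44, 45, 46, 20]
    print("sustained breach:", sustained_breach(recent, levels["anomaly"]))
```

The anomaly level is what belongs in the alert profile for "this box is behaving differently than usual"; the capacity level is the hardware-bound one the reply mentions (80 to 90% depending on model). Requiring several consecutive samples over the line is the check that keeps a single large transfer from paging anyone.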