
IPS - 17.5.7 MR-7

Like many people I have seen posting, I am having issues with slow performance with IPS enabled (policy bound to my firewall rule). I recently upgraded my hardware (now running on a Qotom - I7 / dual core) - should be more than adequate to hit 175Mbps! Without the rule - I get 175Mbps - using several tests (i.e. speedtest.net and a test utility provided by Cox). When I apply the rule, I'm stuck at about 130Mbps. Overall CPU utilization never actually hits over 50% on the firewall. I also have 6G of RAM - so memory isn't an issue (only have a few rules defined).

I do have a custom rule I created which only targets categories and platforms I care about. However, as a test - I actually started deleting them incrementally - to the point where I finally ended up with an empty policy! And even with an empty policy applied - exact same results! As I incrementally removed signature groups, there was no change in performance whatsoever.

I have read all of the posts - I have all of the DOS features and spoof protection features disabled... 

Considering the behavior starts by simply applying the rule - and performance doesn't change irrespective of how many signatures are included - this doesn't seem like a CPU or hardware issue. The CPU is running at 2.7GHz - and based on specs of higher end Sophos platforms, this should be more than adequate. And based on the way SNORT works, having more than 2 cores wouldn't make a difference either (and this is apparent since I am not seeing excessive CPU utilization on the firewall itself).

Are there any known issues with 17.5.7 MR-7 that could cause this? Any optimizations I can try? I verified the output of "show ips-settings" is consistent with what support said it should be - so not sure what console level changes are relevant. 

Any help appreciated. Thanks!

  • Hi

    The provided configuration details seem to be correct. There may be a drop in speed when scanning traffic such as HTTPS, since IPS is applied over the firewall rule, but in your case there is a large difference in ISP speed with and without scanning. I would recommend contacting technical support and opening a support case to investigate the issue further.

  • Hi Kevin,

    you will need to disable any power saving and SpeedStep functions in the BIOS to enable full throughput.

    I have a 100/40Mb/s link which I achieve 100Mb/s downloads on regularly. Yes, I know it is not a 175Mb/s link.

    Ian

  • Thanks but already verified those settings are not the issue. 

  • 50% CPU is one core going flat out.

    Ian

  • It's 50% - no way of knowing how that is spread across which core. Either way, I find it impossible to believe a dual core I7 7th gen processor can't handle under 200Mbs. In fact, I have worked with several other products - including raw implementations of SNORT and I can 10000% assure you that is enough horsepower to cover that load. Also doesn't explain why with no signatures the performance hit is the same - more signatures should equate to more CPU. Also, I have PFSense running with SNORT - absolutely no slow down at all. I prefer the Sophos interface, but the performance isn't there.

  • Hi Kevin,

    Snort on the XG does not seem to benefit from tuning as does the snort on the UTM. I have tuned my IPS and not seen any improvement and that appears to be the consensus from other XG forum members.

    If you look at the GUI when running your tests, what does the load icon show? Further, looking at the diagnostics, what do the reports there show when running the test? The diagnostic functions provided on the XG are not good for performing realtime diagnostics.

    If you open a console session and run top or similar you will see which application is pegging the CPU.

    Ian

    There is another test you can run and that is to start a second download session and note the total throughput and the CPU load.

  • I solved my issue by moving to PFSense. I like the XG interface better, but PFSense is far more robust in terms of giving the user more advanced tuning and configuration options. Additionally, I have no performance issues at all with PFSense running Snort - including the paid subscription giving you more robust access to the signatures. 

    I've been evaluating XG for a while - and have been through several iterations of the code and outstanding issues. My opinion is that it just isn't ready for prime time - I would never use this in a business / production environment. Support's response regarding my IPS issues: "You can expect to see up to an 80% reduction in throughput running IPS".

  • Hi Kevin,

    Snort is used very extensively in web and application classification as well as the IPS, that is partly why it is so CPU intensive. I am a bit surprised about Support's answer.

    While you are partially correct about the business performance, there are many businesses and schools that make very heavy use of the XG and its functions. 

    I am hoping the mythical v18 will address a lot of the v17 shortcomings, otherwise there is always the UTM.

    Ian

  • I’m running Sophos XG MR-7 on a Qotom Q335G4 (Intel Core i5 w/ 4GB RAM). I’m able to achieve 300 Mbps down (max for my ISP plan) with IPS enabled and a fairly extensive ruleset. At my previous house I had a 1GB ISP plan and I remember being able to achieve 600+ Mbps with IPS enabled. As you mentioned, the number of signatures seems to have no impact on the throughput, which I find odd. I didn’t change any settings with the Qotom device specifically other than disabling XHCI Mode in the BIOS so it would read my USB drive on boot and setting the power loss option to restart the device after a power loss.

    Here’s the output of ‘show ips-settings’:

    Sophos Firmware Version SFOS 17.5.7 MR-7

    console> show ips-settings
    -------------IPS Settings-------------
           stream on
           lowmem off
           maxsesbytes 0
           maxpkts 8
           enable_appsignatures on
           http_response_scan_limit  65535
           search_method ac-q
           sip_preproc enabled
           sip_ignore_call_channel enabled
    -------------IPS Instances------------
    IPS CPU
    1  0
    2  1
    3  2
    4  3

    Just a theory - have you checked your CPU temps? Only way I know how is in the BIOS but if you’re running pfSense, you should be able to see it there. I wonder if there’s perhaps an issue with how your heatsink is seated and maybe the CPU is throttling when under load?

    Also, I’m fairly certain you’ve checked this, but did your ‘Total available WAN bandwidth’ somehow get set to a value you didn’t intend? I suppose all of this doesn’t really matter since you’re on pfSense now, but just posting this in case anyone else runs into similar issues.

  • I assume that Qotom is a dual core like mine (mine is I7 dual core). Why is yours showing 4 CPU cores:

    IPS CPU
    1  0
    2  1
    3  2
    4  3

    Mine only shows two. Are you running VMware (I am running vSphere 6.7)? If so, what are the CPU settings (CPUs / Sockets)? Anyway, just curious.
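The two posts above compare ‘show ips-settings’ dumps by eye to see how many IPS instances exist and which CPU each is pinned to. The following parser is an added example, not code from this thread or from Sophos: it reads a dump in the layout shown above (the section banners and the "IPS CPU" table are assumed to be the only structure) and reports where the instance table disagrees with the number of cores the host actually has, which is the question raised about four instances versus two. The sample dump is constructed from the post above.

```python
import re

# Constructed sample: the dump quoted in the thread, spacer lines removed.
SAMPLE = """\
console> show ips-settings
-------------IPS Settings-------------
       stream on
       lowmem off
       maxsesbytes 0
       maxpkts 8
       enable_appsignatures on
       http_response_scan_limit  65535
       search_method ac-q
       sip_preproc enabled
       sip_ignore_call_channel enabled
-------------IPS Instances------------
IPS CPU
1  0
2  1
3  2
4  3
"""

def parse_ips_settings(text):
    """Return (settings dict, {instance: cpu}); dashed banners mark sections (layout assumed)."""
    settings, instances, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---"):
            section = "instances" if "Instances" in line else "settings"
        elif section == "settings" and line:
            key, _, value = line.partition(" ")   # first token is the key
            settings[key] = value.strip()
        elif section == "instances":
            m = re.fullmatch(r"(\d+)\s+(\d+)", line)  # skips the "IPS CPU" header
            if m:
                instances[int(m.group(1))] = int(m.group(2))
    return settings, instances

def instance_report(instances, host_cpus):
    """Findings comparing IPS pinning with the host's real core count; [] means one instance per core."""
    findings = []
    used = set(instances.values())
    idle = sorted(set(range(host_cpus)) - used)
    if idle:
        findings.append(f"cores without an IPS instance: {idle}")
    phantom = sorted(c for c in used if c >= host_cpus)
    if phantom:
        findings.append(f"instances pinned to CPUs the host does not have: {phantom}")
    return findings
```

On a live box, pass `os.cpu_count()` as `host_cpus` so the report reflects the cores the firewall (or its VM) really exposes rather than what the poster assumed.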