IPS - 17.5.7 MR-7

Like many people I have seen posting, I am having issues with slow performance with IPS enabled (policy bound to my firewall rule). I recently upgraded my hardware (now running on a Qotom - i7 / dual core) - should be more than adequate to hit 175Mbps! Without the rule - I get 175Mbps - using several tests (i.e. speedtest.net and a test utility provided by Cox). When I apply the rule, I'm stuck at about 130Mbps. Overall CPU utilization never actually hits over 50% on the firewall. I also have 6G of RAM - so memory isn't an issue (only have a few rules defined).

I do have a custom rule I created which only targets categories and platforms I care about. However, as a test - I actually started deleting them incrementally - to the point where I finally ended up with an empty policy! And even with an empty policy applied - exact same results! As I incrementally removed signature groups, there was no change in performance whatsoever.

I have read all of the posts - I have all of the DOS features and spoof protection features disabled... 

Considering the behavior starts by simply applying the rule - and performance doesn't change irrespective of how many signatures are included - this doesn't seem like a CPU or hardware issue. The CPU is running at 2.7GHz - and based on specs of higher end Sophos platforms, this should be more than adequate. And based on the way SNORT works, having more than 2 cores wouldn't make a difference either (and this is apparent since I am not seeing excessive CPU utilization on the firewall itself).

Are there any known issues with 17.5.7 MR-7 that could cause this? Any optimizations I can try? I verified the output of "show ips-settings" is consistent with what support said it should be - so not sure what console level changes are relevant. 

Any help appreciated. Thanks! 

  • It's 50% - no way of knowing how that is spread across which core. Either way.. I find it impossible to believe a dual core i7 7th gen processor can't handle under 200Mbps. In fact, I have worked with several other products - including raw implementations of SNORT and I can 10000% assure you that is enough horsepower to cover that load. Also doesn't explain why with no signatures the performance hit is the same - more signatures should equate to more CPU. Also, I have pfSense running with SNORT - absolutely no slow down at all. I prefer the Sophos interface, but the performance isn't there.

  • Hi Kevin,

    Snort on the XG does not seem to benefit from tuning as does the snort on the UTM. I have tuned my IPS and not seen any improvement and that appears to be the consensus from other XG forum members.

    If you look at the GUI when running your tests, what does the load icon show? Further, looking at the diagnostics, what do the reports there show when running the test? The diagnostic functions provided on the XG are not good for performing realtime diagnostics.

    If you open a console session and run top or similar you will see which application is pegging the CPU.

    Ian

    There is another test you can run and that is to start a second download session and note the total throughput and the CPU load.
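
The per-core breakdown the two posts above are circling around (an overall reading of 50% on a dual-core box is exactly what one core pegged by a single snort process looks like), as an added example that is not part of this thread: a POSIX shell function that diffs two /proc/stat snapshots and prints the busy percentage per CPU line. The two snapshots below are constructed; on the firewall console you would pass two live reads of /proc/stat taken a second apart.

```shell
#!/bin/sh
# Constructed /proc/stat samples one second apart (fields: cpu user nice system
# idle iowait irq softirq steal guest guest_nice). cpu0 spends the whole interval
# busy, cpu1 is idle, so the aggregate "cpu" line reads 50%.
SNAP1='cpu  1000 0 500 8500 0 0 0 0 0 0
cpu0 500 0 250 4250 0 0 0 0 0 0
cpu1 500 0 250 4250 0 0 0 0 0 0'
SNAP2='cpu  1095 0 505 8600 0 0 0 0 0 0
cpu0 595 0 255 4250 0 0 0 0 0 0
cpu1 500 0 250 4350 0 0 0 0 0 0'

# per_core_busy SNAP_A SNAP_B
# Prints "<cpu-line> <busy%>" for the aggregate and every core, computed from
# the tick deltas between the two snapshots.
per_core_busy() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    /^cpu/ {
      busy = $2 + $3 + $4 + $7 + $8 + $9   # user+nice+system+irq+softirq+steal
      idle = $5 + $6                       # idle+iowait
      if ($1 in b1) {
        db = busy - b1[$1]; di = idle - i1[$1]; tot = db + di
        printf "%s %.1f%%\n", $1, (tot > 0 ? 100 * db / tot : 0)
      } else {
        b1[$1] = busy; i1[$1] = idle       # first snapshot: remember baseline
      }
    }'
}

# Offline demonstration on the constructed samples.
per_core_busy "$SNAP1" "$SNAP2"

# Live use on the console (Linux /proc/stat), sampling one second apart:
#   per_core_busy "$(cat /proc/stat)" "$(sleep 1; cat /proc/stat)"
```

Run it while a speed test is in progress; if one core line sits near 100% while the others idle, the bottleneck is a single-threaded process, which top -H will then name.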

  • I solved my issue by moving to pfSense. I like the XG interface better, but pfSense is far more robust in terms of giving the user more advanced tuning and configuration options. Additionally, I have no performance issues at all with pfSense running Snort - including the paid subscription giving you more robust access to the signatures.

    I've been evaluating XG for a while - and have been through several iterations of the code and outstanding issues. My opinion is that it just isn't ready for prime time - I would never use this in a business / production environment. Support's response regarding my IPS issues: "You can expect to see up to an 80% reduction in throughput running IPS".

  • Hi Kevin,

    Snort is used very extensively in web and application classification as well as the IPS; that is partly why it is so CPU intensive. I am a bit surprised about Support's answer.

    While you are partially correct about the business performance, there are many businesses and schools that make very heavy use of the XG and its functions. 

    I am hoping the mythical v18 will address a lot of the v17 shortcomings, otherwise there is always the UTM.

    Ian