Like many people I have seen posting, I am having issues with slow performance with IPS enabled (policy bound to my firewall rule). I recently upgraded my hardware (now running on a Qotom - I7 / dual core) - should be more than adequate to hit 175Mbps!. Without the rule - I get 175Mbps - using several tests (i.e. speedtest.net and a test utility provided by Cox). When I apply the rule, I'm stuck at about 130Mbps. Overall CPU utilization never actually his over 50% on the firewall. I also have 6G of RAM - so memory isn't an issue (only have a few rules defined).
I do have a custom rule I created which only targets categories and platforms I care about. However, as a test - I actually started deleted them incrementally - to the point where I finally ended up with an empty policy! And even with an empty policy applied - exact same results! As I incrementally removed signature groups, there was no change in performance whatsoever.
I have read all of the posts - I have all of the DOS features and spoof protection features disabled...
Considering the behavior starts by simply applying the rule - and performance does't change irrespective of how many signatures are included - this doesn't seem like a CPU or hardware issue. The CPU is running at 2.7Ghz - and based on specs of higher end Sophos platforms, this should be more than adequate. And based on the way SNORT works, having more than 2 cores wouldn't make a difference either (and this is apparent since I am not seeing excessive CPU utilization on the firewall itself).
Are there any known issues with 17.5.7 MR-7 that could cause this? Any optimizations I can try? I verified the output of "show ips-settings" is consistent with what support said it should be - so not sure what console level changes are relevant.
Any help appreciated. Thanks!
This thread was automatically locked due to age.
