
Slow TLS Decryption throughput compared to Web Proxy with KVM on v18 GA.

I've been converting my XG bare metal setup to a VM one using KVM+QEMU as the hypervisor.

The problem here is that the Web Proxy decryption is much faster than the new DPI engine for TLS decryption, but currently only on KVM.


Some information about the setup:

  • I'm using the VirtIO drivers, which currently don't support Fast Path, but still, it's much faster than vmxnet3.
  • The XG VM has full access to all CPU flags (also AES-NI); I'm currently using host-passthrough for the VM.
  • The XG VM has 6C/12GB RAM.
  • The host has 8C/16T / 32GB RAM.
  • M.2 SSD; both VMs have been using VirtIO for the disks.


Tested this using curl + nginx; the encrypted connection used TLS_AES_128_GCM_SHA256, 128-bit keys, TLS 1.2.

4GB iso file being transferred over HTTPS.


Without TLS Decryption or WebProxy | IPS+AV+ATP = ~287MB/s
With TLS Inspection | IPS+AV+ATP = ~33.5MB/s
With WebProxy + Decryption | IPS+AV+ATP = ~213MB/s

Using the new DPI engine for TLS decryption I get hard stuck at ~35MB/s, no matter what TLS traffic is being decrypted.


Am I doing something wrong? I believe there's something wrong with this.


Also, XG v18 GA is much faster in raw throughput than v17.5. With IPS, iperf3 was capable of 7.21 Gbits/sec with the XG VM, so CPU isn't the issue here.
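As an added example, not part of the original post or of Sophos' own tooling: a small POSIX shell harness that makes the curl measurement above repeatable. It pins TLS 1.2 and a single cipher suite so the three paths (no inspection, DPI, web proxy) are compared like for like, reports the median of several runs, and prints the certificate issuer so you can confirm the firewall is actually decrypting the test connection. The URL, run count and cipher name are assumptions; curl (7.54 or later) and awk are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: repeatable HTTPS download benchmark for
# comparing firewall inspection paths. URL, run count and cipher name are
# assumptions; substitute the test server and suite you actually benchmark.

# bytes, seconds -> MiB/s with one decimal. Kept separate so the arithmetic
# can be checked on a constructed sample (e.g. a 4 GiB transfer in 15 s).
to_mibps() {
    awk -v b="$1" -v t="$2" 'BEGIN { printf "%.1f", b / t / 1048576 }'
}

# Median of one number per line on stdin; averages the middle pair when even.
median() {
    sort -n | awk '{ a[NR] = $1 }
        END { if (NR % 2) print a[(NR + 1) / 2]
              else printf "%.1f\n", (a[NR / 2] + a[NR / 2 + 1]) / 2 }'
}

# Download $1 $2 times (default 3), body discarded, TLS pinned to 1.2 and one
# suite ($3) so every inspection path negotiates the same cipher. On the first
# run it prints the negotiated suite and the certificate issuer: when the
# firewall is decrypting, the issuer is the firewall's CA rather than the
# site's, which confirms the inspection path is really active for this test.
bench_https() {
    url=$1; runs=${2:-3}; suite=${3:-ECDHE-RSA-AES128-GCM-SHA256}
    log=${TMPDIR:-/tmp}/bench.$$; results=""; i=1
    while [ "$i" -le "$runs" ]; do
        # -w reports bytes and seconds on stdout; -v puts the handshake details
        # on stderr, which is captured to a file and inspected once.
        out=$(curl -sS -v -o /dev/null --tlsv1.2 --tls-max 1.2 --ciphers "$suite" \
                   -w '%{size_download} %{time_total}' "$url" 2>"$log") || return 1
        if [ "$i" -eq 1 ]; then
            grep -E 'SSL connection using|issuer:' "$log" | sed 's/^\* //'
        fi
        set -- $out
        mibps=$(to_mibps "$1" "$2")
        echo "run $i: $mibps MiB/s"
        results="$results$mibps
"
        i=$((i + 1))
    done
    rm -f "$log"
    echo "median: $(printf '%s' "$results" | median) MiB/s"
}
```

Run it once per firewall rule configuration, e.g. `bench_https https://test.example.invalid/big.iso 5`, and compare the medians rather than single runs.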



  • Hi prism,

    Currently, V18's feature for TLS decryption seems to be quite unstable and cannot be relied on.

    In my lab, I have done the same testing and found approximately the same output. Also I tried to block Psiphon proxy but had no success with the DPI engine. The same thing is getting blocked with Web proxy.

    Now in this case what I have done is tweak some settings in IPS, and I now have nearly 100 MB/s throughput. Still it is not up to the mark, but it has improved.


    Thanks,

    Exion


  • Hi,

    If you read the little notice above the web profile selection in your firewall rule that has DPI in lieu of web proxy, you will see a note advising some things are not blocked.

    Ian

  • Hello,

    The same thing could have been conveyed in a good manner as well. I can smell the sarcasm in your reply.

    If you are not aware or have not tested it, then I would suggest you test it in your environment and then reply.

    Will flag this to the community manager as well.

    Regards,

    Exion

  • Please feel free to refer my post to flosupport. Please also remember that this is a community-to-community forum; if you don't like a post, even though it is factual, you do not have to accept it.

    Yes, I have tested the features you refer to; that is how I am aware of the little icons that I pointed out. I read the little icons to see what part of the rule I am setting up will not work and what effect that missing function is likely to have on the protection for the device concerned.

    Ian