
Slow TLS Decryption throughput compared to Web Proxy with KVM on v18 GA.

I've been converting my XG bare metal setup to a VM one using KVM+QEMU as the hypervisor.

The problem here is that Web Proxy decryption is much faster than the new DPI engine for TLS decryption, but currently only on KVM.


Some information about the setup.

  • I'm using the VirtIO drivers, which currently don't support Fast Path, but still, it's much faster than vmxnet3.
  • The XG VM has full access to all CPU flags (also AES-NI); I'm currently using host-passthrough for the VM.
  • The XG VM has 6C/12GB RAM.
  • The host has 8C/16T / 32GB RAM.
  • M.2 SSD; both VMs have been using VirtIO for the disks.


Tested this using curl + nginx; the encrypted connection used TLS_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2.

4GB iso file being transferred over HTTPS.


Without TLS Decryption or WebProxy | IPS+AV+ATP = ~287MB/s
With TLS Inspection | IPS+AV+ATP = ~33.5MB/s
With WebProxy + Decryption | IPS+AV+ATP = ~213MB/s

Using the new DPI engine for TLS decryption I get hard stuck at ~35MB/s, no matter what TLS traffic is being decrypted.


Am I doing something wrong? I believe there's something wrong with this.


Also, XG v18 GA is much faster in raw throughput than v17.5. With IPS, iperf3 was capable of 7.21 Gbits/sec with the XG VM, so CPU isn't the issue here.
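A check script, added here as an example and not part of the original post, that separates the crypto side of the measurement above from the inspection side: it verifies the AES-NI and PCLMULQDQ flags the guest actually sees, measures raw AES-128-GCM throughput with openssl speed (run it on the host and in the guest and compare), and times a pinned-cipher curl download like the curl + nginx test. The URL, the OpenSSL cipher name used for TLS 1.2, and the presence of openssl and curl are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): isolate whether TLS throughput in a
# KVM guest is capped by crypto or by the inspection engine. Three checks:
#   1. the AES-NI and PCLMULQDQ flags the guest actually sees,
#   2. raw AES-128-GCM throughput of this CPU via openssl speed,
#   3. end-to-end curl download speed with the suite the thread used.
# The URL and OpenSSL cipher name are assumptions; adjust to your setup.

# Return 0 when a cpuinfo "flags" line lists both aes and pclmulqdq
# (GCM needs PCLMULQDQ for GHASH, not only AES-NI for the block cipher).
guest_has_aes_gcm_accel() {
    flags=" $1 "
    echo "$flags" | grep -q ' aes ' && echo "$flags" | grep -q ' pclmulqdq '
}

# Convert a curl %{speed_download} value (bytes/s) to whole MB/s.
bytes_per_sec_to_mb() {
    echo "$1" | awk '{ printf "%d\n", $1 / 1048576 }'
}

# Raw cipher speed of this CPU; run on the host and in the guest and compare.
cipher_speed() {
    openssl speed -evp aes-128-gcm -seconds 2 2>/dev/null | tail -n 1
}

# One HTTPS download with TLS 1.2 and AES-128-GCM pinned, like the curl +
# nginx test above; prints MB/s.  The cipher name is OpenSSL's for TLS 1.2.
tls_download_mb() {
    bps=$(curl -s -o /dev/null \
        --tls-max 1.2 --ciphers ECDHE-RSA-AES128-GCM-SHA256 \
        -w '%{speed_download}' "$1")
    bytes_per_sec_to_mb "$bps"
}

main() {
    flags_line=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    if guest_has_aes_gcm_accel "$flags_line"; then
        echo "AES-NI + PCLMULQDQ visible to this OS"
    else
        echo "WARNING: AES-GCM acceleration not visible; check CPU passthrough"
    fi
    echo "openssl aes-128-gcm: $(cipher_speed)"
    echo "curl download: $(tls_download_mb "$1") MB/s"
}

# Run only when a URL is given, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then main "$1"; fi
```

Usage: `sh tls_check.sh https://nginx.example/file.iso` (hypothetical URL); if the flag check warns inside the VM while the host passes it, the CPU model exposed to the guest is the first thing to fix.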



  • In general the Sophos-provided hardware will have the best performance because that is what we test against and code for.  Bare metal customer supplied hardware may be next, with VMs last.  When you get into VMs there are just so many different setups and configurations.

    I don't know if it helps but I recall this thread:

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/118242/questions-about-the-fastpath-feature


    I don't think it helps...  but if you are changing from hardware to VM I wonder if there are different defaults/settings that don't copy well when doing a backup/restore.  Would a fresh install and configure of a VM work better than restoring a backup?

  • Michael Dunn said:
    In general the Sophos-provided hardware will have the best performance because that is what we test against and code for.  Bare metal customer supplied hardware may be next, with VMs last.  When you get into VMs there are just so many different setups and configurations.

    Thanks for the answer. I'm staying bare metal with XG; currently it's not worth using it on a VM.

    At the same time, it's good to have it on a VM, thanks to hypervisor HA, snapshots and so on, but it's not worth it because of the performance difference against bare metal.


    Thanks!
