
SFOS 18.0.3 MR-3 - DPI performance

Hi,

I have tested a while with the DPI engine, but I am a little lost with the performance tuning.

With everything off I get 420Mbit

When I enable DPI SSL/TLS inspection with decrypt, IPS Policy LAN TO WAN, I can only get 170Mbit through.

I have enabled:

console> system firewall-acceleration enable
Firewall Acceleration Enabled Successfully.
console> system firewall-acceleration show
Firewall Acceleration is Enabled.

Any hints on what I did wrong? :-)



This thread was automatically locked due to age.
  • SG 210 Rev 3, and I do a plain speedtest on the net here: https://xn--bredbnd-ixa.dk/hastighedstest

    I know it's not iPerf, but I wondered why the numbers are so big in difference.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • What about two sessions at the same time?

    One in Chrome, one in Edge for example?

    __________________________________________________________________________________________________________________

  • Wow, good point, I am confused (and embarrassed)!

    Testing with Firefox gives 377Mbit - Edge only 170?!

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • Would suggest to start a summary. Try incognito mode. Try multiple sessions at the same time through XG. Write down the results.

    Stream based DPI always benefits from multiple streams.

    __________________________________________________________________________________________________________________

  • Edge InPrivate 176Mbit

    Firefox Private 413Mbit (Full speed of ISP)

    Chrome Incognito 176Mbit

    So Edge and Chrome same engine, maybe that fools me?

    But why is only Firefox faster?

    I have not uploaded Appliance cert into Firefox.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • Does Firefox use the DPI engine and Chrome / Edge not? Both use the client internet settings. Therefore if you have a standard proxy configured, it will use the direct proxy (port 3128). Check this.

    __________________________________________________________________________________________________________________

  • I have not uploaded Appliance cert into Firefox.

    Firefox doesn't use your system CA store, it has its own. Since you didn't upload the certificate into Firefox and didn't get any warnings while browsing, it means it is using the Web Proxy without HTTPS Decrypt - hence if it was using DPI and you have the TLS Inspection rules in place, Firefox would give a warning saying that the firewall certificate is not trusted.

    Edge InPrivate 176Mbit

    Firefox Private 413Mbit (Full speed of ISP)

    It's hard to measure firewall throughput through HTTP speed-tests. But it shouldn't be that slow for the SG 210 Rev. 3.

    Also, can you take a picture of the CPU usage with the "top -d 1" command on the shell while doing a speed test?


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.
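
An added example, not part of the thread and not Sophos code: one way to check from a client whether the certificate it receives was re-signed by the firewall, which is the question the browser comparison above is trying to answer. `APPLIANCE_CA_HINT` is a placeholder for your appliance CA's name, the sample certificates are constructed, and `probe`/`classify` are hypothetical helper names.

```python
import socket
import ssl

# Assumption: substring of the appliance signing CA's subject; replace with your own.
APPLIANCE_CA_HINT = "EXAMPLE-APPLIANCE-CA"

def issuer_fields(cert):
    """Flatten the 'issuer' RDN tuples from ssl.getpeercert() into a dict."""
    return {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}

def classify(cert, verify_error=None, ca_hint=APPLIANCE_CA_HINT):
    """Return 'decrypted', 'not-decrypted' or 'untrusted-issuer'."""
    if verify_error is not None:
        # Chain did not validate against the local trust store: the same
        # situation as Firefox without the appliance CA imported.
        return "untrusted-issuer"
    fields = issuer_fields(cert)
    names = " ".join(fields.get(k, "") for k in ("commonName", "organizationName"))
    return "decrypted" if ca_hint.lower() in names.lower() else "not-decrypted"

def probe(host, port=443, timeout=5):
    """Handshake using the local trust store and classify the certificate seen."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return classify({}, verify_error=exc)

# Constructed samples in the shape ssl.getpeercert() returns.
SAMPLE_RESIGNED = {"issuer": ((("organizationName", "Example Org"),),
                              (("commonName", "EXAMPLE-APPLIANCE-CA"),))}
SAMPLE_PUBLIC = {"issuer": ((("countryName", "US"),),
                            (("commonName", "Constructed Public CA R1"),))}

if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(h, probe(h))
```

Run it on a client behind the firewall with one or more hostnames as arguments. It connects directly rather than through any browser proxy setting, so it shows what the transparent path does to the connection.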

  • Prism said:

    Firefox doesn't use your system CA store, it has its own. Since you didn't upload the certificate into Firefox and didn't get any warnings while browsing, it means it is using the Web Proxy without HTTPS Decrypt - hence if it was using DPI and you have the TLS Inspection rules in place, Firefox would give a warning saying that the firewall certificate is not trusted.

    I know about the CA, that's why I wondered how it still could access the web?

    I have only this rule; if that is disabled, FF cannot access the web either:

    TLS inspection rule:

    Here is the TOP -D1 screenshot:

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • Also it shows as being decrypted?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • FF shows this when visiting a website and the cert is NOT imported into Firefox:

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect