SFOS 18.0.3 MR-3 - DPI performance

What hardware do you use? 

And how do you measure the throughput?

Prism can maybe comment on this.

SG 210 Rev 3 and i do plain speedtest on the net here: https://xn--bredbnd-ixa.dk/hastighedstest

I know it's not iPerf, but I wondered shy the numbers are so big in difference.

Would suggest to start a summary. Try incognito mode. Try multiple session at the same time through XG. Write down the results. 

Stream based DPI always benefits of multiple streams. 

Edge In-private 176Mbit

Firefox Private 413Mbit (Ful speed of ISP)

Chrome In-Cognito 176Mbit

So Edge af Chrome same engine, maybe that fools me?

But why are only Firefox faster?

I have not uploaded Appliance cert info firefox.

Does firefox uses the DPI engine and Chrome / Edge not? Both uses the client internet settings. Therefore if you have a standard proxy configured, it will use the direct proxy (port 3128). Check this. 

Unknown said:

I have not uploaded Appliance cert info firefox.

Firefox doesn't use your system CA store, It has It's own; Since you didn't upload the certificate into Firefox and didn't got any warnings while browsing, It means It is using the Web Proxy without HTTPS Decrypt - hence if It has using DPI and you have the TLS Inspection rules in place, Firefox would give a warning saying that the firewall certificate is not trust-able.

Unknown said:

Edge In-private 176Mbit

Firefox Private 413Mbit (Ful speed of ISP)

It's hard to measure firewall throughput through HTTP speed-tests. But It shouldn't be that slow for the SG 210 Rev. 3.

Also, can you take a picture of the CPU usage with "top -d 1" command on the shell while doing a speed test ?

Prism said:

Firefox doesn't use your system CA store, It has It's own; Since you didn't upload the certificate into Firefox and didn't got any warnings while browsing, It means It is using the Web Proxy without HTTPS Decrypt - hence if It has using DPI and you have the TLS Inspection rules in place, Firefox would give a warning saying that the firewall certificate is not trust-able.

I know about the CA, that's why I wondered how it still could access the web?

I have this only rule, if that is disabled, FF cannot access the web either:

TLS inspection rule:

Here is the TOP -D1 screenshot:

Also it's shows as being decrypted?

FF show this when visiting website and the cert is NOT imported into firefox:

The cert is only imported to the machine cert store thorugh GPO.

support.sophos.com/.../KB-000035645

Sounds like your Firefox is: 

A. using the client cert store

B. has the CA imported anywhere.

Your Screenshot just proves, it is decrypted. Do to the second page and check, if it is trusted or not. 

PS: Since Firefox 75, it seems to be possible to do A. 

https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/

Or: https://bugzilla.mozilla.org/show_bug.cgi?id=1120350

Although it doesn't do it by default, here are a few ways to allow Firefox to use Windows CA certificates. The simplest is a Firefox Config setting but there are also registry settings and a setting that can be used in GPO if you use the Firefox ADMX files.

You can read some of the options here: https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

Looking at your screenshot, you must be using one of those methods if you haven't imported the certificate into Firefox.

Although it doesn't do it by default, here are a few ways to allow Firefox to use Windows CA certificates. The simplest is a Firefox Config setting but there are also registry settings and a setting that can be used in GPO if you use the Firefox ADMX files.

You can read some of the options here: https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

Looking at your screenshot, you must be using one of those methods if you haven't imported the certificate into Firefox.

Thanks for this, I guess it working because of this:

Prism

Firefox version 52: Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).

But why FF is was faster to do http speed test?! Odd...

Ahh found out something:

FF: https://xn--bredbnd-ixa.dk/hastighedstest 420Mbit

EDGE: https://xn--bredbnd-ixa.dk/hastighedstest 170Mbit

-----

FF: https://www.speedtest.net/ 420Mbit

EDGE: https://www.speedtest.net/ 420Mbit

Guess with DPI it's the best thing to do plain iPerf testing from now on :-O

It's been a few years since I had to do any throughput troubleshooting but I do remember that speedtest.net tests using multiple threads which is not very helpful for troubleshooting this sort of issue as it hides performance issues. If, for example, it uses 6 threads then each thread only has to achieve 70Mbit for you to think you are getting your full 420Mbit overall. You really need to use a test that works with a single thread like iPerf can. There are speedtest websites that offer single thread tests but I can't remember the one I used.

Update: While looking for a single thread website test I found that speedtest.net does offer this as an option but I couldn't find it on its website. You may have to create an account to be able to set that preference.

Thanks, makes perfectly sense :-)