
Sophos XG Slow Upload Speeds with IPS Enabled. Download Speeds are ok.

System

Sophos home license on an XG 125. Running latest firmware. 

Issue

This is kind of interesting. I recently upgraded to gigabit internet. When the LAN to WAN firewall rule is enabled with nothing other than logging, my downloads are around 925Mbps+- and my uploads are around 900Mbps+-. Solid results. Ran in Safe Mode just to ensure local software isn't causing any problems.

If I enable IPS however, the upload speed drops to about 155Mbps on the dot each time. Hold on though, there's more to this.

In an attempt to try and track down what signature was causing the slow down, I created a new "LAN to WAN" rule set. Except I left it empty, no signature in place at all. The same issue still persists. How can that be?

To Recap Settings:

  • IPS Policy with no signatures enabled/active
  • No custom IPS signatures
  • DoS & Spoof Protection disabled
  • IPS enabled on Lan to Wan firewall rule 
  • Download = Normal 
  • Upload = Significantly reduced

The reduced upload speed is curiously consistent (150Mbps). It's almost as if IPS is triggering a QOS Rule. I mean I doubt it, but that's what it seems like. 

Thoughts on this issue?



This thread was automatically locked due to age.
  • FormerMember

    Hey, interesting observation!

    Can you quickly run the command in the console, (SSH > Option 4) --> system diag utilities bandwidth-monitor 

    Observe the speeds on LAN and WAN interface with IPS Policy (the one you created with no rule set) and without the Policy. Let me know if there's anything peculiar you notice.

    Also, share the output of commands from the same Device Console (option 4) --> show ips-settings & show ips_conf (both are separate commands)

  • Hi Devesh, 

    Thanks for your assistance! Note that Port 1 is LAN and Port 2 is WAN. (They're a little off due to a mapping issue when running a home license). 

    Here are the results: 

    Bandwidth Monitor

    Here you can see with IPS running and without. Both screenshots were taken at the tail end of the test. The only thing I noticed (and I'm no expert here), is the large decrease in speed on Port 1 with IPS active. But, you'll note, that the WAN port seems to retain roughly the same speed rating. 

    https://ibb.co/gynPKm8

    https://ibb.co/KxKqmyx

    Show IPS Settings (IPS cloned LAN to WAN Enabled, No Signature Active)

    console> show ips-settings
    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 0
            maxpkts 8
            enable_appsignatures on
            http_response_scan_limit  65535
            search_method ac-bnfa
            sip_preproc enabled
            sip_ignore_call_channel enabled
            inspect untrusted-content

    -------------IPS Instances------------
    IPS CPU
     1  0
     2  1
     3  2
     4  3

    Show IPS Conf (IPS cloned LAN to WAN Enabled, No Signature Active)

    console> show ips_conf
    config stream           1
    config maxsesbytes              0
    config stdsig           1
    config qnum             10
    config maxpkts          8
    config disable_tcpopt_experimental_drops                0
    config enable_appsignatures             1
    var SIP_STATUS          enabled
    var IGNORE_CALL_CHANNEL         enabled
    var TCP_POLICY          windows
    var LOCAL_RULE          local.rules
    var DETECT_ANOMALIES            no
    var SEARCH_METHOD               ac-bnfa
    config failclose                off
    config cpulist          0:1:2:3
    var TCP_BLOCK           nblock
    config inspect_content          untrusted
    config sacmaxpkts               8
    config snaplen          1514
    var FAST_BLOCKING               off
    var NORMALIZE_NULLS             off
    var SMALL_SEGMENTS              3
    var SMALL_SEGMENTS_BYTES                150
    var SMALL_SEGMENTS_ACTION               none
    var SMALL_SEGMENTS_PKTS         1

    Notes:

    • The machine used to test was running in safe mode and nothing else was running on the network.
    • Machine is hardwired to a small unmanaged switch, which is connected to Port 1 (LAN).
    • There are a couple of Wi-Fi networks running which have the default IPS LAN to WAN enabled, but even if I shut those all down and disable the firewall rules, results are the same.
    • When testing was in progress, IPS LAN to WAN 3 (cloned rule) was enabled with no signatures.

  • Frontier's speed test page uses SpeedTest.net. The results are the same. 

  • Try speedtest, as you can do single and multi connection at different tests. Do they show different results?

  • See attached images. I'm fairly certain that Frontier uses multi by default. At any rate, the tests are actually worse this time around. Note that when the IPS rule is enabled, there are no active signatures. It's a clone of the LAN to WAN with everything inside deleted. 

    CPU log shows it hasn't gone over 50%; memory is fine too, as it's just a home network.

    https://ibb.co/k9VC5j6
    https://ibb.co/8d9G6jd
    https://ibb.co/YyCcvg4
    https://ibb.co/WVND8sD

  • Hi,

    Run top while also running your download with IPS enabled to see if the snort instance is running at 100%.

    Ian

  • Sorry, can you clarify for me a little further. What command is required to see if Snort is running 100% while running the download?

  • Update, hopefully I did this correctly. I ran PSMON and noticed a few interesting things.

    When watching Netflix there are three instances of Snort running, they hover around 0.3+-. When I run the speed test however, things change quite a bit. 

    When running the download test, the instances of Snort run around 40. But when the upload test kicks in, that jumps to 98. Which is really odd since again, there are no signatures actually running. 

    Hopefully that helps provide some more insight 

  • Try to move to hyperscan. console> set ips search-method hyperscan

  • Whoa, that made quite the difference. The upload speeds have gone from 150Mbps average (250 at its highest) to about 550-600Mbps average. And that's with the default LAN to WAN rule which has hundreds of signatures not applicable to my network.

    If you don't mind, a few questions: 

    1. What method was in use before, and what downsides, if any, should be noted with this new method?

    2. Why does the number of signatures not seem to affect the upload / CPU performance? Running both the default LAN to WAN and my custom LAN to WAN with no signatures results in the same upload speeds and CPU usage.

  • If you start Snort (IPS) it will, generally speaking, forward the traffic to the engine, which will decrease the performance even without patterns enabled. More patterns will further decrease the performance.

    Appliances and Azure etc. have hyperscan by default. Software installations have ac as default.
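    As an added example (not from this thread, and not Sophos code), a small Python audit that parses the `show ips_conf` key/value layout quoted above and flags the settings the thread turns on: the ac-bnfa search method that was replaced with hyperscan, plus failclose off. The sample text is constructed from that post's values, and the stated meaning of failclose and cpulist is an assumption based on how those options are commonly documented, not something the thread says.

```python
import re

# Constructed sample reproducing the `show ips_conf` layout quoted in the thread
# (values copied from that post; not a full capture).
SAMPLE_IPS_CONF = """\
console> show ips_conf
config stream           1
config stdsig           1
config enable_appsignatures             1
var SEARCH_METHOD               ac-bnfa
config failclose                off
config cpulist          0:1:2:3
config inspect_content          untrusted
"""

# Each settings line is `config KEY VALUE` or `var KEY VALUE`; the prompt and blank lines are skipped.
LINE_RE = re.compile(r"^(config|var)\s+(\S+)\s+(\S+)$")


def parse_ips_conf(text):
    """Return {key_lowercased: value} for every config/var line in the console output."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m.group(2).lower()] = m.group(3)
    return settings


def audit_ips_conf(settings):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    method = settings.get("search_method")
    if method is not None and method != "hyperscan":
        findings.append(f"search_method={method}: consider 'set ips search-method hyperscan'")
    # Assumption: failclose off means traffic is passed uninspected if the IPS engine stops.
    if settings.get("failclose") == "off":
        findings.append("failclose=off: traffic passes uninspected if the IPS engine stops (fail-open)")
    # Assumption: cpulist is the colon-separated list of cores assigned to IPS instances.
    cpus = [c for c in settings.get("cpulist", "").split(":") if c]
    if len(cpus) < 2:
        findings.append(f"cpulist={settings.get('cpulist')}: fewer than 2 cores assigned to IPS")
    return findings


if __name__ == "__main__":
    for finding in audit_ips_conf(parse_ips_conf(SAMPLE_IPS_CONF)):
        print(finding)
```

    Paste the real `show ips_conf` output in place of the sample to audit a live box.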

  • Thanks, I really appreciate you taking the time to help. 
