Sophos Firewall: v18.5 MR2: Feedback and experiences

We are talking about device performance both to users and the gui performance.

ian

That's all OK. But there is some knowledge only at Sophos high level supporters and Senior Sales Team about this process to take 1-2 days to re-register all endpoints with heartbeat. I have seen 18 hours for multiple servers in my environment.

This time is insane and this should be written in the known issues to the release notes.

Please do that. Hope that others get warned before they decide to upgrade one evening and have trouble the next days with their production.

a positive feedback:

although not mentioned somewhere in the release nodes my own RED 15 gets tunnel up 10 times quicker than with the 18.0 MR6

I talk about 1min vs 8-10 min.

Same RED firmware. I do not have an idea why this is working better but it does and I like it.

LuCar Toni said:

Connection delay or Webadmin responsibility? 

Both, but the most noticeable is the WebUI.

Just navigating over It will use 100% of a single core constantly. (Without changing any settings or rules.)

As an example, the XG115w took 1 minute and 27 seconds to create a new WAF Rule; On my old box with a 3300x It would take around ~6 seconds.

Of course, the Ryzen 3300x is around ~7 times faster, but even then, this should not be the reason on why It is so slow to change an Apache config file and restart the service.

Is the firewall doing anything under the hood to take so much time to do (apparently) simple tasks?

If you're doing nothing but watching the Diagnostics > System Graphs, what kind of utilizations are you seeing? Have you tried doing a `top` to see what the top processes are? It sounds like the web server is slow, but I'm wondering if other processes are kicking in. I've noticed at various times `snort` will decide it wants to do a lot that I think isn't directly related to traffic. Or after an upgrade it seems to be a little busy for some period of time.

(On my XGS87, it does about 15% with various spikes, with a fairly small network.)

To be fair, a WAF Rule reload / creation is more than a apache reload. There is modsecurity, other systems like IPS involved and have to be reconfigure. So a WAF Rule in Firewall tab is one of the more slower task of the webadmin and the XG115 is not the most powerful appliance to begin with. As you state by yourself, you compare a slower CPU, dealing with much more tasks with a next generation CPU like Ryzen. 

(Not that many customers use WAF on a XG115 to begin with). 

So back to the topic: Is there a significant difference of the webadmin between MR1 and MR2? Because i could not observe any. 

No,

the GUI performance is an ongoing issue, not between mr1 and mr2 just general performance. It is slow, very slow when working on the XG115W just doing basic things like creating DHCP static addresses, changing a firewall rule, updating policies. Managing the XG115W using CM is no better.

An XG115W is so underpowered, that is you have a couple of users trying to access the internet at the same time the process drops connections because it appear to loose connections details so you end up with multiple retries. I have reviewed the lgviewer on my XG115W and noted the high number of failed to associate issues even the connections to the GUI which makes it even slower.

Ian

Hi folks,

further testing with my XG115W. One user and it is unusable.

Unable to access CLI, black screen never connects.

Many error in logviewer about failed associations.

The screenshot is after a reboot again with one user..

Ian

Howdy,

I've got an XG 115 v3 with about 35 firewall rules (31 user/network rules + 4 WAF rules), 2 APs and about 40 devices (phones/tablets/game consoles/RasPi/VMs/servers/laptops/desktops). Ticks along quite nicely with minimal latency added and no throughput loss on my 42/13 FTTN connection. Works well for 4-5 concurrent users + whatever devices need access.

I don't do Web Control nor TLS/SSL inspection on the XG 115 - Web control is done on EndPoints using Intercept X, or from the AdGuard Home VMs I run. DNS/DHCP aren't done on the XG, but the XG is acting as an SMTP MTA.

Webadmin's never been quick, but not as slow as you've mentioned. Average weekly load is 0.54, CPU 12%, mem 2.5GB.

I may try TLS/SSL inspection if the exception list management isn't too onerous when I upgrade the XG 115 to an XGS unit.

Hi Chris,

Thank you for the information. Maybe I need a reset and start from scratch?

which version of XG are you using?
ian