
Can snort_inline have multiple instances?

I moved from UTM 9 to Sophos XG Firewall Home Edition recently. I really like the new look and feel, but it seems the new system has worse IPS performance, and this makes me consider rolling back to UTM 9.

I asked a throughput question in another board. I thought the issue was due to my NICs, but it turned out that the bottleneck is in IPS. So I decided to do some tests.

UTM 9's throughput may drop if I select more IPS rules. But it surprised me that even when I have very limited rules in XG, IPS still runs slowly. top shows snort_inline utilizes 100% of a CPU core if IPS or ATP is enabled, no matter how many rules are enabled.

I understand that snort_inline is not a multi-threaded process. But when I used multiple computers, I found that they shared the same snort_inline process! My system is installed on an ESXi VM that is assigned 2 cores. I could see only one core was fully loaded.

Is there a way to tune snort_inline? Is it possible to run multiple instances so that a multi-core system can have better throughput?

All my tests are based on iperf3 and NFS file copying. 

Thanks



This thread was automatically locked due to age.