Throughput slows if I select "Match known users" in firewall rules. Help Please

 Hi,

BACKGROUND...

I have a problem. I have 'upgraded' from a Cyberoam appliance to the Sophos XG Home running on a spare PC. The PC has an i5 CPU, 6Gb Ballistix RAM & two Intel Gigabit NICs. It far exceeds the recommended specs.

PROBLEM...

Anyway, the problem is that I discovered that I was getting very slow throughput between the LAN & the WAN. I am getting about 55Mb down and 18Mb upload on my ISP's Router but only around 15Mb in each direction with the Sophos XG box in series.

I spent many hours looking through support forums & Googling before I tried setting a catch-all rule (Placed at the top) in the firewall that was set as Source: LAN, Destination: WAN, MASQ: On.
I tested again and got the full throughput.

Then I started trying the different options for AV scanning and IPS policies. Nothing changed as far as throughput is concerned.

Then I attached the rule to a specific computer (Match known users / Users or Groups)... The throughput dropped to the slower speeds. I tried selecting Any user, same result. Turned off the Match Known Users and got the full throughput again.

I have checked all of the options in the UI relating to Users and Groups but I can't find anything that should cause the slow throughput like that.

SOLUTION???

Any suggestions on what might be causing the problem, or how to fix it, are welcome.

aTdHvAaNnKcSe

  • Hi,

    Check #1.1 in my troubleshooting guide, verify which FW rule ID forwards the traffic, and check the following configurations:

    1. Verify that no traffic shaping policy is defined in the rule.
    2. Remove the IPS policy in the rule and check the throughput.
    3. Check that the AV patterns are up to date and set the AV scan mode to Single Scan.
    4. What is the firmware version? Update to 16.05 MR-5.

    If that doesn't help, check #4 in my guide.

    Thanks

  • Hi sachingurung,

    Thanks for your response.

    I had already come across your guide.

    Answers to your questions:

    1. There is no traffic shaping policy attached to any of the firewall rules.

    2. There is no IPS policy applied either.

    3. The AV is up to date and I have tried with no AV, each of the AV options on their own and with both with no noticeable change.

    4. The firmware is at SFVH (SFOS 16.05.6 MR-6), not MR-5. I was trying to tackle the issue when I found that MR-6 was available and I hoped it would fix the issue. It didn't.

    I have had Cyberoam units for the last 10 years, so I am somewhat used to configuring these things, though it's the first time I have tried to set up a Sophos XG system.

  • Hi Rick,

    10 years! That makes my job of making suggestions easier, in some way. Did you check #4 in my TB guide? If #4 doesn't resolve your issue, then take SSH access to the XG, go to option 3. Device Management > 5. Advanced Console and execute:

    wget http://speedtest.ttml.co.in/files/10M.exe

    Compare the speed reported by this command with the speed you get when downloading the same file manually from the same URL on a user system.

    Thanks

  • Hi sachingurung,

    I found the issue.

    I had misunderstood the traffic shaping settings, as I didn't realise that it would allocate the guaranteed bandwidth to hosts that were not currently in use. It left me with very little bandwidth for each host beyond that host's guaranteed amount. I have gone back to using DSCP settings on firewall rules for each host now.

    Thanks for your help though. :-)
