
Upload speeds with Sophos totally crippled

I just got a symmetric gigabit connection.  When using Sophos XG, I get close to the full download speeds, but the upload is a fraction what I should get.  

Average with Sophos (Mbps, download / upload):

850 / 150

Average with another router (Mbps, download / upload):

901 / 1039

I am a bit new to Sophos but I don't have any QoS/traffic shaping enabled as far as I can tell. I don't think it's CPU related either, because even at the top download speed I'm only hitting 80% on the CPU. I have Sophos running in a VM on an i3-4130 with 4 GB of RAM. Version SFOS 17.0.2 MR-2.

Any thoughts on what could be limiting only the upload speed?

EDIT: It looks like IPS is the culprit here - disabling it gives me normal speeds. But that's a big sacrifice to make - why does IPS impact performance so much, especially considering it's not even maxing out my resources? Is there a way to disable IPS per device, like with Web protection, or do I have to make separate firewall rules?

  • Out of curiosity, is that Mbps? If so, I'm surprised how fast of a download you can achieve with IPS. I'm running Sophos XG on a Core i5-5250U with 4GB of RAM and I get 900 Mbps down without IPS and 300 Mbps with IPS enabled. Sophos XG uses Snort for its IPS engine which doesn't support multi cores like Suricata, so the big limitation is how fast your CPU can work on a single core. The really weird thing is having less rules in your IPS Policy doesn't seem to make a difference either which I don't understand at all. I created a custom IPS Policy which took me from over 7,000 rules to approximately 1,500 and my bandwidth test results are the same. My upload isn't affected but it's limited to 50 Mbps.

    You have to create another firewall rule and just add those devices that you want to bypass IPS. Creating MAC Hosts for your devices is useful for this if you don’t want to create static IPs.

  • Thanks for the reply - yes, it is Mbps. Thanks for confirming I need to adjust FW rules, although I'm curious - why does it mainly seem to impact just upload speeds? Another thing that throws me off is that performance monitor doesn't even top out at 100%; the max I usually see is 80%.

  • shred said:
     Sophos XG uses Snort for its IPS engine which doesn’t support multi cores like Suricata, so the big limitation is how fast your CPU can work on a single core. 

    While Snort doesn't run multi-threaded by default, you can run multiple instances of Snort, and in fact XG runs multiple instances by default. To further fine tune your installation, you can add more instances depending on the number of cores by using the console and see if it helps your throughput.

    I would fine tune my rules before anything, remove any Linux or other software rules you are not using, retest, and then increase the number of instances to see if it helps.

    More here https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/76978/can-snort_inline-have-multiple-instances/295776#295776
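The two points above (a single-threaded inspection engine being bound by one core, and the OP's observation that the CPU graph never passes 80%) are easiest to reconcile by looking at per-core rather than aggregate utilisation. The following is an added example, not code from this thread or from Sophos: it parses two snapshots of Linux's `/proc/stat`, takes the delta, and reports busy percentage per core next to the aggregate. The snapshots embedded in the block are constructed for illustration (a 4-core box at 100 Hz jiffies); when run on a real Linux host it reads `/proc/stat` live instead. Whether you can reach a shell that exposes `/proc/stat` on your particular appliance is an assumption this thread does not confirm.

```python
"""Per-core CPU utilisation from two /proc/stat snapshots.

Added example, not code from the thread or from Sophos. The point: the
'cpu' aggregate line is an average over all cores, so on a 4-core box one
core pinned at 100% by a single-threaded inspection engine contributes
only ~25% to the aggregate. The overall graph can read 80% while the core
the traffic actually depends on is saturated.
"""
from __future__ import annotations

import os
import time

# Constructed snapshots (not real captures), one second apart, 100 Hz jiffies,
# 4 cores. Columns after the label: user nice system idle iowait irq softirq
# steal guest guest_nice.
SNAP_A = """\
cpu  4000 0 1000 15000 0 0 100 0 0 0
cpu0 1000 0 250 3750 0 0 50 0 0 0
cpu1 1000 0 250 3750 0 0 25 0 0 0
cpu2 1000 0 250 3750 0 0 25 0 0 0
cpu3 1000 0 250 3750 0 0 0 0 0 0
intr 12345 0 0
ctxt 99999
"""

SNAP_B = """\
cpu  4260 0 1060 15075 0 0 105 0 0 0
cpu0 1095 0 250 3750 0 0 55 0 0 0
cpu1 1060 0 270 3770 0 0 25 0 0 0
cpu2 1050 0 270 3780 0 0 25 0 0 0
cpu3 1055 0 270 3775 0 0 0 0 0 0
intr 12400 0 0
ctxt 100400
"""


def parse_stat(text: str) -> dict[str, list[int]]:
    """Return {label: [jiffy counters]} for the 'cpu' and 'cpuN' lines only."""
    out: dict[str, list[int]] = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("cpu"):
            out[parts[0]] = [int(x) for x in parts[1:]]
    return out


def busy_pct(before: list[int], after: list[int]) -> float:
    """Busy percentage over the interval; idle (col 3) and iowait (col 4) count as idle."""
    delta = [b - a for a, b in zip(before, after)]
    total = sum(delta)
    if total <= 0:
        return 0.0
    idle = delta[3] + (delta[4] if len(delta) > 4 else 0)
    return 100.0 * (total - idle) / total


def per_core_utilisation(snap_a: str, snap_b: str) -> dict[str, float]:
    """Busy % for the aggregate 'cpu' line and every core present in both snapshots."""
    a, b = parse_stat(snap_a), parse_stat(snap_b)
    return {k: round(busy_pct(a[k], b[k]), 2) for k in a if k in b}


def hottest_core(util: dict[str, float]) -> tuple[str, float]:
    """The single core with the highest utilisation (aggregate line excluded)."""
    cores = {k: v for k, v in util.items() if k != "cpu"}
    return max(cores.items(), key=lambda kv: kv[1])


def sample_live(interval: float = 1.0) -> dict[str, float]:
    """Take two real /proc/stat readings `interval` seconds apart (Linux only)."""
    with open("/proc/stat") as f:
        a = f.read()
    time.sleep(interval)
    with open("/proc/stat") as f:
        b = f.read()
    return per_core_utilisation(a, b)


def report(util: dict[str, float]) -> str:
    """Human-readable summary: aggregate, each core in numeric order, hottest core."""
    lines = [f"aggregate: {util['cpu']:6.2f}%"]
    for k in sorted((k for k in util if k != "cpu"), key=lambda k: int(k[3:])):
        lines.append(f"{k:>9}: {util[k]:6.2f}%")
    core, pct = hottest_core(util)
    lines.append(f"hottest core: {core} at {pct:.2f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    if os.path.exists("/proc/stat"):
        print(report(sample_live()))
    else:
        print(report(per_core_utilisation(SNAP_A, SNAP_B)))
```

With the constructed snapshots the aggregate comes out at 81.25% while cpu0 is at 100%, which is the shape of the OP's symptom: a monitor that reports the mean never shows the saturated core. If a live sample on the box shows one core pegged during an upload test while the others idle, adding inspection instances (as the previous post suggests) is the knob worth trying; if all cores are evenly loaded, more instances will not help and the rule set or the bypass rule is the better lever.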