UTM 9 - IPS tweaking?

Question

Is there any recommendations for tweak IPS on a SG125w running UTM 9 (latest version)? We have a 100Mb/sec LOS connection which drops from 100Mbps to 70Mbps with IPS enabled.

Amodin · Accepted Answer

With IPS enabled, you will get a bit lower speed. That's the nature of filtering, and with Sophos not updating Snort to a multi-threading capable version, it won't get any better unless IPS is disabled unfortunately. XG may be different in handling this, and I'm sure it is, but... I don't use that product. 
 Andrew English said: WARNING: normalizations disabled because DAQ can't replace packets. 
 That's a Snort warning, but it can be ignored for the most part, I believe.

alan weir · Answer

This guide will help you improve IPS throughput by increasing the amount of Snort instances. It involves downloading Putty and requires you to SSH into the UTM, but it works. 
 "To ensure that other UTM processes have enough processing power, 1 CPU is set aside and by default not used by the IPS engine. On smaller UTM models with only 2 CPUs the result is that only a single Snort instance is used, which may result in lower than desired throughput when using IPS scanning." 
 Sophos UTM: Low throughput with Intrusion Prevention (IPS) 
 Another thing you can do is make sure "add extra warnings" is not enabled, and limit your IPS rules to <12 months.

UTM 9 - IPS tweaking?

Top Replies