This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Which IPS features cause performance loss?

I noticed it in my own network, and have confirmed in the forums that IPS causes some major performance loss. Curious - is it the overall feature being turned on, or particular pieces? Anyone done some testing with this? Example - Can leave anti-portscan and DoS protection on, but turn off all attack patterns?

It just bugs the hell out of me knowing the units I just purchased kill my bandwidth using one of the primary features drawing me to Sophos UTMs.

A number of my sites still run on 1-2 T1s and can't afford to take any hits to their bandwidth.

Thanks!
-Jim

This thread was automatically locked due to age.

Parents

0 William Warren over 11 years ago

The reduction in speed has been reported at all sites where a UTM was installed.

Sites:
3-6 users, UTM 110
3-6 users, UTM 110
50+ users, UTM 320

My configurations are pretty basic. Turned on IPS, enabled relevant features throughout, nothing wild.

Don't these thread somewhat confirm performance loss using IPS?

http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/50922-bandwidth-hit-ips.html

http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/49475-ips-performance-problem-100mbit-fiber.html

-Jim

The to 1/10 should not have a problem stopping a 20 make pipe depending on how you have configured the 320 should be able to stuff a 20 make pipe or higher depending on what are the features you have enabled so give us a full disclosure on all three utmz what features are on what features are off and detailed configurations of each feature on each unit plus your wind speeds that are allocated for each unit on the two smaller ones is it less than 10 bags it shouldn't be a problem the only one that might be SP is the 320 will need detailed specifications as to how you have that setup
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 William Warren over 11 years ago

The reduction in speed has been reported at all sites where a UTM was installed.

Sites:
3-6 users, UTM 110
3-6 users, UTM 110
50+ users, UTM 320

My configurations are pretty basic. Turned on IPS, enabled relevant features throughout, nothing wild.

Don't these thread somewhat confirm performance loss using IPS?

http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/50922-bandwidth-hit-ips.html

http://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/49475-ips-performance-problem-100mbit-fiber.html

-Jim

The to 1/10 should not have a problem stopping a 20 make pipe depending on how you have configured the 320 should be able to stuff a 20 make pipe or higher depending on what are the features you have enabled so give us a full disclosure on all three utmz what features are on what features are off and detailed configurations of each feature on each unit plus your wind speeds that are allocated for each unit on the two smaller ones is it less than 10 bags it shouldn't be a problem the only one that might be SP is the 320 will need detailed specifications as to how you have that setup
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jimstigator over 11 years ago in reply to William Warren

Lol... seeing as how you used the word "Morman", I have a feeling you are on a cell?

Site 1 + 2
- UTM 110 (9.107-33)
- 3-6 users
- Bonded T1's, 3m up/down.  Generally see lower speeds, like 2/2.
- IPS Turned on
    - Operating sys attacks -> windows
    - Attacks against client software -> all
    - Protocol anomoly
    - malware
    - TCP Syn Flood
    - ICMP Flood
    - Anti-portscan - drop traffic

Site 3
- UTM 320 (9.107-33)
- 50+ users, 10 servers, over 200 total devices
- 20m Ethernet over fiber, soon to be upgraded to 50m
- IPS Turned on
    - ALL attack patterns turned on
    - TCP Syn Flood
    - ICMP Flood
    - Anti-portscan - drop traffic
Cancel
Vote Up 0 Vote Down

Cancel
0 Jimstigator over 11 years ago in reply to Jimstigator

So is my interpretation of the performance loss threads incorrect in that it would take a much higher speed pipe before I started to notice loss?
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago in reply to Jimstigator

So is my interpretation of the performance loss threads incorrect in that it would take a much higher speed pipe before I started to notice loss?

Yes.

An older Atom CPU (such as in the 110/120) should be able to handle 15mbps of HTTP traffic PER CORE through the IPS.
HTTP is pretty much the worst-case as it has the most IPS patterns/rules.

A faster CPU can handle much more. I've posted some benchmarks at
https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/29110

UTM version 9.2 has some improvements including rule aging, etc., which should help somewhat but I haven't benchmarked it yet.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago in reply to Jimstigator

Lol... seeing as how you used the word "Morman", I have a feeling you are on a cell?

Site 1 + 2
- UTM 110 (9.107-33)
- 3-6 users
- Bonded T1's, 3m up/down.  Generally see lower speeds, like 2/2.
- IPS Turned on
    - Operating sys attacks -> windows
    - Attacks against client software -> all
    - Protocol anomoly
    - malware
    - TCP Syn Flood
    - ICMP Flood
    - Anti-portscan - drop traffic

Site 3
- UTM 320 (9.107-33)
- 50+ users, 10 servers, over 200 total devices
- 20m Ethernet over fiber, soon to be upgraded to 50m
- IPS Turned on
    - ALL attack patterns turned on
    - TCP Syn Flood
    - ICMP Flood
    - Anti-portscan - drop traffic

do you have web filtering, application control..etc etc etc on?
Cancel
Vote Up 0 Vote Down

Cancel