
Snort IPS Throughput Performance Issue - Should I upgrade my CPU or Upgrade to XG Appliance?

Hi,

I'm new to the forum, but I've been reading up a bit on the Sophos UTM IPS performance issues, which I am experiencing, and I'm looking for suggestions on how to possibly improve this problem. I have a 100mbps down/15mbps up cable connection with 3-4 active users and approximately 20-30 Internet-connected devices.

My Sophos UTM v9.352-6 system specs are below:

  • Jetway Mini-ITX Intel Motherboard ICH9R
  • Intel Atom D525 1.8Ghz Dual Core w/ HT
  • 4GB DDR3 RAM
  • 320GB 5400RPM Hard Drive
  • 2 Intel 82574L PCI-E Gigabit Ethernet Ports (WAN and LAN)
  • 3 Intel AD3INLAN-G  Daughterboard Gigabit Ethernet Ports (only using 1 right now for DMZ)
  • All CAT5E or CAT6 wiring

I'm only using the Firewall, IPS, and Advanced Threat Protection features, nothing else (no Web Protection, etc.) for my 2 Local Networks (DMZ and Internal).  Here are some more details:

  • 10-15 Firewall Rules
  • 8-10 DNAT and SNAT Rules
  • 1923 IPS Attack Patterns Enabled
  • TCP/UDP/ICMP Source & Destination DoS Protection Enabled
  • Anti-Port Scan Enabled

So with this configuration my 100+mbps connection drops down to around 70mbps (just testing with Speedtest.net). I understand this is probably normal given Snort's nature and single-threaded limitations, etc...correct? Should I look at upgrading my Motherboard/RAM and CPU to something like an Intel i3? Or will that not make much difference at this point? One thing I noticed in testing with the IPS Advanced tab for "Pattern Set Optimization" is that when I enabled "Activate file related patterns", that impacted my Speedtest.net throughput much more, dropping speeds down to only 25mbps.

One other question: since it seems like the root cause is the performance limitations of Snort itself, is it safe to assume that Sophos' new XG platform will not have drastic IPS throughput performance improvements?

I looked at their product comparison chart, and the entry-level XG Desktop appliance claims 510Mbps IPS throughput, but I believe those appliances use commodity hardware like Intel Atom CPUs. I'm sure the appliances have other optimizations, but it begs the question: how are they getting that much better performance with somewhat similar hardware? Did they make big improvements in their XG software and/or Snort optimizations?

On a side note, I'll be getting a Palo Alto 200 soon for testing, which I don't believe uses Snort. But I'd like to continue to use Sophos as well since it's a great product, minus this Snort performance issue.

Any insight/suggestions are appreciated.

Thanks.



  • Checking back in on this to see if anyone has any advice?  I now have a 300Mbit connection.  Even running IPS with minimal rules drops my connection speed down to less than 100Mbit.

    I've been researching other hardware options such as buying an appliance (the Palo Alto 200 was not nearly powerful enough), or possibly building another mini-ITX or micro-ATX box but it seems even if I throw a more powerful CPU into it, it won't help with the Snort/single thread performance problem.  Will I see a good performance improvement if I switch from UTM 9 to XG on the same hardware as I listed above?

    Thanks.

  • The throughput problem is presumably a CPU, or perhaps even a memory, issue. You should be able to monitor hardware resources on the dashboard (in summary) or under Logging and Reporting... Hardware (for more details). What does it show?

    To reduce the IPS workload, disable some of the options, starting with ones that do not apply to you, using Network Protection... IPS... Attack Patterns. If you are running on home hardware, you should not be running a mail server, so uncheck the mail server checks. Repeat for other features. If you have a SQL server but the server is not accessible from the internet, you should be able to disable the SQL options also. Repeat for each category.

    Under IPS... Advanced... Performance Tuning, configure the servers that implement specific features. This allows IPS to ignore specific attack patterns for any other device.

    Do not choose any of the "Add Extra Warnings" checkboxes. These are disabled by default because they are believed to generate a lot of false positives, and unwanted overhead.

    I think this is all in the manual. What have you tried?
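The two pieces of advice in the reply above (turn off pattern categories for services you do not expose, and scope the remaining server-specific patterns to the hosts that actually run the service) can be expressed as a small ruleset pass. The following is an added example, not code from the thread and not how the UTM implements its Attack Patterns or Performance Tuning pages; it assumes Snort-style rule lines whose `msg` starts with a category such as `SERVER-MAIL` or `SERVER-WEBAPP` (the Talos naming convention), and all rule lines, sids and addresses in it are constructed.

```python
"""Prune and scope a Snort-style ruleset to the services a network exposes.

Constructed example: the rules below are made up and are NOT real Snort or
Sophos signatures; the helper illustrates the reply's advice, it is not the
UTM's own implementation.
"""
import re
from dataclasses import dataclass, replace

# Constructed sample ruleset (made-up sids in the local 9,000,000+ range).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL constructed pattern"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SERVER-MSSQL constructed pattern"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP constructed pattern"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC constructed pattern"; sid:9000004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER constructed pattern"; sid:9000005; rev:1;)
"""

# Rule header: [#] action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<off>#\s*)?(?P<action>alert|drop|pass|log|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    enabled: bool
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: str  # raw option string, kept verbatim so rendering is lossless

    def option(self, key):
        """Value of a 'key:value' option (quotes stripped), or None if absent."""
        m = re.search(rf'(?:^|;)\s*{re.escape(key)}:\s*("([^"]*)"|[^;]*)', self.opts)
        if not m:
            return None
        return m.group(2) if m.group(2) is not None else m.group(1).strip()

    @property
    def sid(self):
        return int(self.option("sid") or 0)

    @property
    def service(self):
        """Service a SERVER-* rule protects (e.g. 'mail'); None for generic rules."""
        category = (self.option("msg") or "").split(" ", 1)[0]
        if category.startswith("SERVER-"):
            return category[len("SERVER-"):].lower()
        return None

    def render(self):
        head = "" if self.enabled else "# "
        return (f"{head}{self.action} {self.proto} {self.src} {self.sport} -> "
                f"{self.dst} {self.dport} ({self.opts})")


def parse_rules(text):
    """Parse rule lines; blank lines and non-rule comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            fields = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport", "opts")}
            rules.append(Rule(enabled=m.group("off") is None, **fields))
    return rules


def prune_rules(rules, exposed_services):
    """Disable SERVER-* rules for services not reachable from the internet.

    Generic rules (malware, policy, ...) and rules for exposed services stay on;
    rules that were already disabled stay disabled.
    """
    kept, disabled = [], []
    for r in rules:
        applicable = r.service is None or r.service in exposed_services
        if r.enabled and applicable:
            kept.append(r)
        else:
            disabled.append(replace(r, enabled=False))
    return kept, disabled


def scope_to_hosts(rules, hosts_by_service):
    """Point SERVER-* rules at the hosts that really run the service, so the
    engine does not evaluate them for every $HOME_NET address (the idea behind
    the UTM's IPS > Advanced > Performance Tuning server lists)."""
    scoped = []
    for r in rules:
        hosts = hosts_by_service.get(r.service)
        if hosts and r.dst == "$HOME_NET":
            r = replace(r, dst="[" + ",".join(hosts) + "]")
        scoped.append(r)
    return scoped


def tune_ruleset(text, exposed_services, hosts_by_service):
    """Parse, prune and scope; returns rendered lines in original order with
    non-applicable rules commented out."""
    rules = parse_rules(text)
    kept, disabled = prune_rules(rules, exposed_services)
    by_sid = {r.sid: r for r in scope_to_hosts(kept, hosts_by_service) + disabled}
    return [by_sid[r.sid].render() for r in rules]


if __name__ == "__main__":
    # Home-network scenario from the thread: only a web app is reachable from
    # outside, and it lives on a single host (constructed address).
    for line in tune_ruleset(SAMPLE_RULES, {"webapp"}, {"webapp": ["10.0.1.10"]}):
        print(line)
```

Run as-is it prints the five sample rules with the mail, MSSQL and FTP patterns commented out and the web-app pattern narrowed to `[10.0.1.10]`; the outbound MALWARE-CNC rule is left untouched because it is not tied to any server role. Counting the kept lines before and after such a pass is a quick way to see how much of a large pattern set (the 1923 patterns in the opening post, say) is actually relevant to a given network.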


  • Thanks for the recommendations.  I've started experimenting with Sophos UTM 9 on different hardware - Lenovo Thinkserver TS140 running ESXi 6.5:

    • Quad Core Xeon E3-1225v3
    • 16GB ECC RAM
    • 4 Intel NICs:
      • 1 Intel I217-LM
      • 1 Intel Gigabit CT 
      • 2 Intel 82576 

    I gave the Sophos UTM VM 4 Cores, and 4GB RAM. Each physical NIC is mapped to its own vSwitch and mapped as NICs on the VM (with the exception of the ESX management NIC).

    I've enabled IPS with only about 500 signatures, and the default Web Filtering policies. So far I've seen much better performance than my Dual Core Atom mini-ITX computer. I test using Speedtest.net (both IE with Flash, and with Chrome - no Flash). On my 300mbit connection (which often hits 330-350 without IPS/Web Filtering), I am seeing around 250mbit. On a side note, the Speedtest speeds using IE with Flash are quite a bit higher than the non-Flash test...closer to 300mbit.

  • Perhaps the info that I thought was in the manuals was actually in this KB article:

    https://community.sophos.com/kb/en-us/120329

  • Already checked these tweaking tips?

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/22429/utm-tweaking-guide-2-0

    Or maybe it's time to give XG firewall a try? XG should be capable, even with that low-end hardware, of giving you your 100MBps throughput on a single stream/connection.

    /Sascha