
Issue with throughput - IPS exceptions do not work

I have a problem with bandwidth when IPS is ON and an exclusion is used, which does not work, as I get the same speed with or without the exception ON.

Copy from ftp to video IPS off:

Copy from ftp to video IPS on with exception:

IPS exception:

Copy from ftp to video IPS on withOUT exception:

Would be very thankful for any help!

  • With IPS turned on you're expected to take a hit on performance - up to 50% from what I've been told by support in the past.  Which appliance is this, or is the UTM running as a virtual machine or installed on custom hardware?

    You can also tune IPS using the Attack Patterns tab.  Uncheck the items that don't apply to your network - for example if you don't have Apache running, why enable the IPS scan for it and take up resources?  Go through that list and uncheck all the unrelated items for your environment and test again.  You can also change the Rule age down to 6 months from 12 months and see if that makes a difference.

  • It is a Sophos SG 330 hardware unit.

    Isn't it the case that I have IPS ON, but configure some exceptions (IPS exceptions), and then traffic should not be reduced when using those exceptions?

  • Same situation here. Exceptions on IPS have no impact...

    Sophos UTM 9.4

  • Try turning off anti-portscan.  That also routes through the IPS and is unaffected by the exceptions settings.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Tried that - did not help.

    Quote from the Sophos manual: „Exceptions tab you can define source and destination networks that should be excluded from intrusion prevention“.

  • I've just started using the UTM home edition and have a similar problem.

    If I enable IPS then my download rate is halved from 200 Mbit/s to 100 Mbit/s.

    I realise this is probably caused by Snort maxing out a single CPU core on my lowly HP N40L; however, if I deselect ALL the attack patterns it makes no difference.

    What is the IPS doing when these patterns are all disabled? Are there some defaults that cannot be disabled?

    Turning port scan on/off makes no difference either.

    If I disable IPS fully then my download rate returns to 200 Mbit/s.

    Any ideas how to get some IPS protection and my full download speed back?

    Thanks.

  • Search for me for tons of info on how IPS works.

    Short answer is no... your CPU is too weak to run anything more than what you are getting with IPS on.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Thanks, I'll search for you.

    I just assumed that if all the patterns were off then the IPS wasn't scanning the packets and there would be very little load on the CPU. I guess not :-(