IPS Exception from LAN to ANY

If I add an exception in IPS rules to not apply IPS from my internal LAN to ANY am I essentially turning off IPS?  I'm not concerned with any device at home attempting malicious activity going outbound so I don't see the need to have IPS from LAN to ANY.  I noticed with this exception I get my full Gigabit throughput but if I remove the exception I get cut down to 350-400 Mbps.



  • Hi, Chris, and welcome to the UTM Community!

    What version are you using?  Please insert a picture of your Exception.

    Cheers - Bob

  • I don't think that Exception should have any effect on download speed.  What methodology are you using to measure speed?

    Cheers - Bob

  • speedtest.net

    I have a gigabit connection and I get 940ish up and down with this exception and if I remove this exception it goes to around 350-400 up and down.

  • Hi Chris,

    Disable the IPS exception, SSH to the UTM and log in as root. Run "wget --no-check-certificate -O - https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py | python". Verify what bandwidth is received on the UTM's interface.

    Thanks

  • Unexpected results to say the least.

    Here's without the exception

    Hosted by AT&T (Austin, TX) [14.89 km]: 2.867 ms
    Testing download speed........................................
    Download: 859.46 Mbit/s
    Testing upload speed..................................................
    Upload: 102.16 Mbit/s

    And here's with the exception

    Hosted by AT&T (Austin, TX) [14.89 km]: 2.825 ms
    Testing download speed........................................
    Download: 878.05 Mbit/s
    Testing upload speed..................................................
    Upload: 112.55 Mbit/s

    I ran them both a few times and they were all within the margin of error.

    Now here's from the site directly using the same AT&T server that the script selected.

    With exception

    http://www.speedtest.net/my-result/5411309219

    Without exception

    http://www.speedtest.net/my-result/5411314162

  • Hi,

    Download a file and capture ips.log. Post it here.

    Thanks 

  • Downloading files from techpowerup and filehippo didn't really give me much output aside from the top line you see here (I've trimmed away some of the duplicates).

    When I ran a speedtest it caused all the output in the bottom half.  This was all with the exception turned off of course.  I trimmed away some of the excess but it all looked like this.  The long string of pruned sessions started the instant I started the test.


    2016:06:17-09:54:14 sophosutm ulogd[4640]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="90:3e:ab:f9:80:d0" dstmac="00:1b:21:a8:b0:33" srcip="74.125.3.90" dstip="162.202.206.67" proto="17" length="1378" tos="0x00" prec="0x00" ttl="54" srcport="443" dstport="64679"
    2016:06:17-10:24:16 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1051044 bytes (client queue). 162.202.206.67 34838 --> 173.44.34.18 80 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:25:18 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1069576 bytes (client queue). 162.202.206.67 50753 --> 162.248.77.131 80 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:27:15 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049144 bytes (client queue). 162.202.206.67 50898 --> 162.248.77.131 80 (0) : LWstate 0x9 LWFlags 0x4e007
    2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049080 bytes (client queue). 192.168.10.100 5692 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1048640 bytes (client queue). 192.168.10.100 5693 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1054280 bytes (client queue). 192.168.10.100 5691 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:28 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1052720 bytes (client queue). 192.168.10.100 5694 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049980 bytes (client queue). 192.168.10.100 5695 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned session from cache that was using 1079744 bytes (memcap/check). 162.202.206.67 50898 --> 162.248.77.131 80 (0) : LWstate 0x9 LWFlags 0xe007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 139 scbs remain. memcap: 7334734/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 137 scbs remain. memcap: 8387694/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 132 scbs remain. memcap: 8390705/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 127 scbs remain. memcap: 8393716/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 122 scbs remain. memcap: 8398187/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 117 scbs remain. memcap: 8399738/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 112 scbs remain. memcap: 8404209/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 107 scbs remain. memcap: 8405760/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 102 scbs remain. memcap: 8410231/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 97 scbs remain. memcap: 8411782/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 92 scbs remain. memcap: 8414793/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 87 scbs remain. memcap: 8416344/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 82 scbs remain. memcap: 8403826/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 78 scbs remain. memcap: 8386245/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 77 scbs remain. memcap: 8386431/8388608
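
    The log above mixes two different kinds of line: ulogd IPS alerts (key="value" pairs with a name= field) and Snort stream5 ("S5:") housekeeping messages about reassembly queues and the session memcap. The following small parser, an added example that is not part of this thread and not Sophos code, separates the two and summarises memcap pressure so you can tell at a glance whether the engine is evicting session state under load rather than blocking anything. It assumes the ips.log line format exactly as quoted in the post; the sample lines are constructed with RFC 5737 documentation addresses, not the poster's real traffic.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines modelled on the UTM ips.log format quoted in the thread.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2016:06:17-09:54:14 sophosutm ulogd[4640]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="00:00:5e:00:53:01" dstmac="00:00:5e:00:53:02" srcip="198.51.100.90" dstip="203.0.113.67" proto="17" length="1378" tos="0x00" prec="0x00" ttl="54" srcport="443" dstport="64679"
2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049080 bytes (client queue). 192.0.2.100 5692 --> 203.0.113.5 8080 (0) : LWstate 0x9 LWFlags 0x6007
2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1054280 bytes (client queue). 192.0.2.100 5691 --> 203.0.113.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned session from cache that was using 1079744 bytes (memcap/check). 203.0.113.67 50898 --> 198.51.100.131 80 (0) : LWstate 0x9 LWFlags 0xe007
2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 139 scbs remain. memcap: 7334734/8388608
2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 132 scbs remain. memcap: 8390705/8388608
"""

# Common prefix: "YYYY:MM:DD-HH:MM:SS host process[pid]: message"
PREFIX = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KV = re.compile(r'(\w+)="([^"]*)"')  # ulogd key="value" pairs
QUEUE = re.compile(
    r"Session exceeded configured max bytes to queue (?P<limit>\d+) using "
    r"(?P<used>\d+) bytes \((?P<side>\w+) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
)
PRUNED = re.compile(
    r"Pruned (?P<n>\d+) sessions from cache for memcap\. (?P<remain>\d+) scbs remain\. "
    r"memcap: (?P<used>\d+)/(?P<cap>\d+)"
)
MEMCAP_CHECK = re.compile(r"Pruned session from cache that was using (?P<used>\d+) bytes \(memcap/check\)")


@dataclass
class IpsSummary:
    alerts: Counter = field(default_factory=Counter)      # ulogd alert name -> count
    over_queue: Counter = field(default_factory=Counter)  # (dst, dport) -> sessions over the queue limit
    pruned_sessions: int = 0      # sessions evicted by "Pruned N sessions ... for memcap"
    memcap_checks: int = 0        # single-session "memcap/check" evictions
    max_memcap_ratio: float = 0.0 # peak used/cap seen in any memcap line
    unparsed: int = 0             # lines that matched none of the known shapes


def summarize(text: str) -> IpsSummary:
    """Classify each ips.log line as an IPS alert or stream5 housekeeping."""
    s = IpsSummary()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PREFIX.match(line)
        if not m:
            s.unparsed += 1
            continue
        msg = m.group("msg")
        if m.group("proc") == "ulogd":
            fields = dict(KV.findall(msg))
            s.alerts[fields.get("name", "unknown")] += 1
        elif (q := QUEUE.search(msg)):
            s.over_queue[(q.group("dst"), q.group("dport"))] += 1
        elif (p := PRUNED.search(msg)):
            s.pruned_sessions += int(p.group("n"))
            s.max_memcap_ratio = max(s.max_memcap_ratio, int(p.group("used")) / int(p.group("cap")))
        elif MEMCAP_CHECK.search(msg):
            s.memcap_checks += 1
        else:
            s.unparsed += 1
    return s


def findings(s: IpsSummary) -> list[str]:
    """Human-readable conclusions: memcap exhaustion and the flows hitting the queue limit."""
    out = []
    if s.max_memcap_ratio >= 1.0:
        out.append(f"stream5 memcap reached (peak {s.max_memcap_ratio:.3%}); "
                   f"{s.pruned_sessions} sessions pruned")
    for (dst, dport), n in s.over_queue.most_common(3):
        out.append(f"{n} session(s) to {dst}:{dport} exceeded the reassembly queue limit")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("alerts:", dict(summary.alerts))
    for f in findings(summary):
        print("-", f)
```

    Run it against a real capture with `summarize(open("/var/log/ips.log").read())`. In the sample, the only genuine IPS event is the single ulogd alert; everything else is the stream reassembler queueing and evicting session state, which is the behaviour to watch when a high-throughput transfer passes through the inspection path.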

  • Upon enabling the exception I ran speedtest again and this was the entirety of the output (much less but still on it seems).

    This really makes me think disabling LAN to ANY/WAN is still leaving IPS working, it's just not wasting CPU on outbound and therefore not limiting my bandwidth.  Does this seem right to you?


    Live Log: Intrusion Prevention System
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 21 scbs remain. memcap: 8296406/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 21 scbs remain. memcap: 8332801/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049680 bytes (client queue). 192.168.10.100 5697 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 22 scbs remain. memcap: 8119130/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 23 scbs remain. memcap: 8387788/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 3 sessions from cache for memcap. 20 scbs remain. memcap: 8322446/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned session from cache that was using 1063799 bytes (memcap/check). 192.168.10.100 5695 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 17 scbs remain. memcap: 7325894/8388608
    2016:06:17-10:27:30 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1051200 bytes (client queue). 192.168.10.100 5700 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:30 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1053840 bytes (client queue). 192.168.10.100 5702 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007

  • My system specs by the way

    G3258 @ 4.2 GHz

    8GB DDR3 1600

    Asus H79 Mini-ITX

    Intel E1G42ETBLK server card