IPS kills UTM 9 - Model: ASG320

Hi to Everyone

I trust that all are well

We have a UTM 9 - Model: ASG320, Firmware Version 9.408-4

We have a 100 MB fibre link

When Intrusion Prevention is enabled we get the following results:

Download: 58MB    Upload: 98MB

When we disable / switch Intrusion Prevention off, the results are:

Download: 99MB    Upload: 101MB

So when IPS is enabled I lose 40MB download speed, down from 100MB to around 60MB.

Is there a solution for this problem ?

Kind Regards

Francois

This thread was automatically locked due to age.
  • Hi Francois,

    this behaviour has been confirmed by Sophos Support, stating that IPS could consume up to 60% of your bandwidth. I can't find the original thread where this topic was discussed right now, but you might find it through search. I can reproduce this behaviour on my SG 230 as well with my 200/25 Mbit line. The problem was identified as the SNORT engine which is used by IPS in UTM; nothing helps a lot. You could try things like reducing the IPS ruleset or setting more granular exceptions, but that didn't do the trick for most people.

    The conclusion on this topic was that Sophos is most likely going to change the IPS engine in Sophos XG Firewall OS, but not for UTM anymore.

     

    Regards,

    Martin

  • Hi Martin

    Thank you very much for your informed Reply.

    I do understand exactly what you said.

    Its sad, but then what can we do.

    Much Appreciated

    Have a nice day

    Kind Regards

    Francois

     

  • You're welcome, not happy about that either. :-) If I remember right, it had something to do with CPU core utilization of the SNORT engine, which uses just one CPU core of the UTM for scanning the packets of one client connection. They also said in the discussion that this only affects one client at a time. Therefore a second/additional client connection would be able to get some of the missing amount of bandwidth, because the packet scanning would be handled by another CPU core. The bigger the appliance (= faster CPU/core), the less the impact on bandwidth was; they ended up testing this on a VMware UTM appliance where they were able to play with the assigned CPUs.

    But as you said, that apparently doesn't help us much.

     

    Regards,

    Martin

  • Francois, if you used one of the standard speed measuring tools, you found the limitation for a single download.  Try running the same test simultaneously from two PCs and watch the dashboard in WebAdmin to see what combined speed is achieved.  Snort is single-threaded per connection.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
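As an added example (not code from this thread, from Sophos, or from any of the posters): a small Python script that does what Bob describes, runs one, then two, then four simultaneous downloads of the same URL and reports per-flow and aggregate throughput, so you can tell a per-connection cap (Snort single-threaded per connection: aggregate climbs as flows are added) from an appliance that is simply saturated (aggregate stays flat). The loopback HTTP server and 4 MiB blob are constructed here only so the script runs offline; for a real test point `compare()` at a file hosted on the far side of the UTM. The 1.3x threshold in `classify()` is an assumption, not a Sophos figure.

```python
"""Parallel-flow throughput test: is the IPS bottleneck per connection or per link?
Added example, not from the original thread.  Uses only the standard library."""
import http.server
import socketserver
import threading
import time
import urllib.request

PAYLOAD_SIZE = 4 * 1024 * 1024          # constructed: 4 MiB per download
PAYLOAD = b"\0" * PAYLOAD_SIZE


class _BlobHandler(http.server.BaseHTTPRequestHandler):
    """Serves a fixed blob on any GET; stands in for a remote speed-test file."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(PAYLOAD_SIZE))
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, *args):       # keep the console quiet
        pass


class _Server(socketserver.ThreadingMixIn, http.server.HTTPServer):
    daemon_threads = True               # one thread per client so flows really overlap


def start_local_server():
    """Constructed loopback server (assumption: used only for offline runs)."""
    srv = _Server(("127.0.0.1", 0), _BlobHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/blob"


def _download(url, results, idx):
    """One flow: stream the body in chunks and record (bytes, seconds)."""
    t0 = time.perf_counter()
    n = 0
    with urllib.request.urlopen(url) as resp:
        while True:
            chunk = resp.read(65536)
            if not chunk:
                break
            n += len(chunk)
    results[idx] = (n, time.perf_counter() - t0)


def measure(url, flows):
    """Run `flows` simultaneous downloads; return per-flow and aggregate Mbit/s."""
    results = [None] * flows
    threads = [threading.Thread(target=_download, args=(url, results, i))
               for i in range(flows)]
    t0 = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    wall = time.perf_counter() - t0
    total = sum(n for n, _ in results)
    return {
        "flows": flows,
        "bytes": total,
        "seconds": wall,
        "per_flow_mbps": [n * 8 / dur / 1e6 for n, dur in results],
        "aggregate_mbps": total * 8 / wall / 1e6,
    }


def compare(url, flow_counts=(1, 2, 4)):
    """The experiment Bob suggests: same download, increasing number of parallel clients."""
    return [measure(url, n) for n in flow_counts]


def classify(results, tolerance=1.3):
    """Interpretation (threshold is an assumption): if adding flows lifts the
    aggregate well above the single-flow rate, the cap is per connection; if
    the aggregate stays flat, the appliance as a whole is saturated."""
    single = next(r for r in results if r["flows"] == 1)["aggregate_mbps"]
    best = max(r["aggregate_mbps"] for r in results)
    return "per-connection cap" if best > tolerance * single else "aggregate cap"


if __name__ == "__main__":
    srv, url = start_local_server()     # replace url with a real far-side file
    runs = compare(url)
    for r in runs:
        print(f"{r['flows']} flow(s): aggregate {r['aggregate_mbps']:.1f} Mbit/s, "
              f"per flow {[round(x, 1) for x in r['per_flow_mbps']]}")
    print("verdict:", classify(runs))
    srv.shutdown()
```

Run it from two or more PCs at once if you want to mirror Bob's test exactly (the WebAdmin dashboard then shows the combined rate); from a single PC the parallel threads already open separate TCP connections, which is what matters for a per-connection Snort limit. Against the loopback server the numbers only prove the scaffolding works.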