I discovered Sophos UTM just a few weeks back and having tested most of the Open Source firewalls out there I immediately tried it out. And now it sits neatly protecting my home network.
I must admit I loved it from the first second and kudos to all dev's for their job on this product. It really both looks, and feels, like a quality product.
Running the latest version (9.201) I do have a question regarding performance issues when having Web Filtering enabled. The setup:
Internet -> Sophos
Nic 1: Local Network SSID (192.168.1.0) (No proxy, no performance issues)
Nic 2: Guest SSID (192.168.5.0) (Transparent proxy, performance issues)
This setup runs virtually on ESX4.1 and both Nics are VMX3 connected to a vswitch which each have a dedicated Nic on the host.
I have implemented a local cat cache to speed things up but that had little effect. I have also tried bypassing the proxy by setting it to standard mode which results in equal performance as with Nic 1. From what I can gather the fullreqtime is extremely high but since the other timings does not reveal anything I don't know where to look.
The first entry is from opening appstore on my Ipad and the second is opening the web page of a Norwegian bank:
2014:04:25-11:55:16 router httpproxy[23075]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.5.109" dstip="2.23.146.217" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="35466" request="0xff36880" url="itunes.apple.com" exceptions="" error="" authtime="0" dnstime="1133" cattime="69" avscantime="0" fullreqtime="36809346" device="0" auth="0" category="112,129" reputation="neutral" categoryname="Entertainment,Media Downloads"
2014:04:25-12:06:14 router httpproxy[23075]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.5.109" dstip="193.88.186.180" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3794" request="0xfb3d320" url="www.nordea.no" exceptions="" error="" authtime="0" dnstime="7" cattime="55" avscantime="0" fullreqtime="30690667" device="0" auth="0" category="114" reputation="trusted" categoryname="Finance/Banking"
The Application Control log does not reveal anything, the IPS log is not logging anything at the above timings and the firewall log does show a lot of RST's and ACK FIN/ACK PSH FIN on port 443. The source being both the internal IP of my mail server, the WAN IP or other external source.
Not sure if this is related.
Any suggestions on how to troubleshoot this further?
Ulf Thomas
This thread was automatically locked due to age.
