CPU recommendations - more Cores or more GHz

Hi,

CPU core and RAM are important. 

The IPS scanning engine can launch multiple processes on multiple CPU cores however only one process is used per IP source and destination pair.
As the speed of the connection increases the demand on the system resources also increases to process the increased packet flow.
When using a fast network connection there will come a point where the available network bandwidth is greater than the speed in which the IPS process can scan
the traffic resulting in the CPU core running the process to reach 100%. There are no exact figures for this impact because it depends on the model of UTM and
what else the system is doing at the time.

As long as any new connections originate from either a different source or go to a different destination then these will pass through
a new IPS process on a separate CPU core. This would therefore allow a simultaneous connection to only have its speed capped when its CPU core reaches 100% or
when the available network bandwidth has become saturated. In real world terms this means the actual impact in network performance as a whole will
not be as dramatic as the results of the speed test shows and the end users will unlikely notice any impact to network performance unless they are transferring
very large files.

Do not enable IPS on hosts, networks or services which are time-sensitive (VoIP etc).
Ensure that you only enable Attack Patterns for hosts, operating systems and services which are actually running on your network.
Add all internal HTTP, DNS, SMTP and SQL Servers to the appropriate dialog box in the 'Advanced' section for IPS configuration.
Add a second UTM for High Availability and activate in "Active/Active" mode for load balancing of IPS processing.

Thanks

Hi,

so in short I understand, that for overall bandwidth more cores are helpful and for faster "single" connections a fast core is important. So the biggest bottleneck is a singelthreded IPS process regarding a fast connection to one system.

Thanks to point that out! regards . Götz

Look for my LOOOOON post about snort...i have thoroughly researched this.  

you need more ghz for snort and more cores for everything else.  How do you balance the two?  at the higher end you get more cores only...so what you then need is enough users to load up each instance of snort in able to reach line speed.  How many users are you talking about, what is your lan/wan speeds?

Hi and thx,

we hava a 10Gbit Internet and lan connection; about 500 Users. We got most time "normal" web surfing traffic, email etc ... the usual load and no complains. But from time to time users transfer a lot and large files and thats when we want the connection to be fast. There is no dedicated destination like an other university for which you may be can configure a special rule.

So I guess the overall better performance will be, new CPUs which are faster in any way, more GHz and some Cores. May be we end up with a dual CPU system again.

Regards.

Dual core will not be enough for your userbase.  You are going to need the fastest 8 cores of intel cpu you can get.  Also i would have no less than 32 gigs of ram to boot.  

So something like dual E3-1585V5.  That would give you 8 cores @ 3.5 ghz.  With enough concurrent users you could get close to 10 gigabits depending on what they were doing.  

Hi Wiliam, you got me wrong regarding the cores. I talkend about dual CPU and n*Cores as well :) 

I'll check on the options regarding cores/multi-cpu.

One more thought regarding the number oc cores: Dose it matter much where the cores "come" from? E.G. if i have a single cpu system with 6 cores and HT that makes 12 Cores in total. Would the UTM benefit and use  them like they where e.g. 2* CPU 4 Core = 8 physical cores?

Thx. /G