
Gigabit Internet and Sophos - a losing combination

For the record, this is false advertising:

So now I've got to build my own box, and my only Sophos-approved point of reference is a hardware compatibility PDF that was last updated in Sept 2015.  The alternative I'm looking at is the SG 210 rev.3, and I'll be paying well over $1k for a device with a 2-core, 2-thread, 2 1/2 year-old $40 CPU.  What am I supposed to do?



This thread was automatically locked due to age.
  • All I can tell you is that we support hundreds of employees on a SG450 with a single 100Mbs internet connection and satisfactory performance.   CPU load is trivial.

  • Douglas, thank you for the reply.  The SG UTM can deliver 100 Mbps with all subscriptions enabled in most hardware configurations -- my SG115 can almost pull it off (although the load is only 10 power users).

    According to the screenshots I posted, any UTM above the SG/XG 125 will deliver 100 Mbps 'Realworld' IPS.  I need 1000 Mbps.

  • I am actually impressed that Sophos publishes any "real world" numbers.   Most vendors do not because of these kind of objections.    These are additional things to consider as you look for the right hardware configuration for you.

    1) A 1Gbps connection cannot deliver 1Gbps of throughput.   The Ethernet architecture requires interpacket gaps and packet headers, and TCP/IP adds additional headers.   The theoretical limits have doubtless dropped since the transition from baseband to twisted-pair, so I don't know what's realistic with modern switches, but I suspect that 50% max is the most that is realistic even under highly-tuned conditions.

    2) Lots of home connections are asymmetric.   There are some significant problems that can occur when the upload and download speeds differ significantly.   My simplified understanding is that these configurations have problems because the ACKs are not received fast enough on the slow link.   RFC 3449 has the technical details on this.   I have been burned very badly when trying to connect to sites that both had asymmetric connections.   I would expect that this will limit your effective throughput.   Verizon has a FIOS optimizer tool available as a link from their speed test web page.   It sets some Windows registry settings to minimize the impact of asymmetric connections.  This is actually odd since FIOS is increasingly offered as a symmetric link.  I have seen it have a positive effect, but it does not document its changes.   I don't know how to tune the TCP/IP settings on a Unix-based box like UTM.

    3) Sophos has to add latency to do its work.   How much latency will be a function of how much analysis you are asking it to perform on a specific packet flow.   Whatever the latency, it will interfere with your ability to get maximum throughput.

    All of these are issues that are likely to be found on competitive configurations as well.   Happy hunting.

  • Douglas,

    I have symmetric gigabit fiber from AT&T.  While they don't deliver 1000 Mbps, typical speed tests from geographically near test sites indicate 900-950 Mbps in either direction.  Snort testing is disabled for such speed tests.  When enabled, numbers drop to ~220 down / 300 up Mbps.  UTM is virtualized under ESXi.  The box has an i5 5250u CPU; UTM gets 4GB of RAM and 4 CPUs.

  • Douglas, thank you for the detailed reply. It will be helpful to many people, but I am already aware of the issues you raised.

    I have a symmetrical Gbps fiber connection.  The worst iperf test results were 931 down / 940 up.  One of the iperf tests came back at 960/1011.  My target was 940 Mbps, so the circuit is good.

    I understand that the UTM has some overhead too, that's why I'm building my own box.

  • The reason that snort (IPS) will (dramatically) reduce throughput is that it is only a single-core application that is highly dependent on the CPU clock speed. The higher the clock speed of the CPU, the higher the throughput for IPS will be.

    Multiple cores can be used, however, but not for 1 connection; multiple users using the connection at the same time will use multiple cores (as far as I am informed correctly), but every user in itself can only use 1 core for their connection.

    Also, in the far past I found the following shell tweaks could squeeze out some more speed (I don't know if this is still applicable or necessary; on my current system there is no up_threshold file any more and my scaling_governor was configured as 'powersave'):

    # Set the frequency governor on every core (cpu0, cpu1, cpu2, cpu3 on a 4-core CPU)
    for c in /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_governor; do echo "performance" > "$c"; done   # better performance
    for c in /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_governor; do echo "ondemand" > "$c"; done      # standard setting

    # Threshold (in %) at which the ondemand governor raises the clock
    echo -n 50 > /sys/devices/system/cpu/cpufreq/ondemand/up_threshold   # better performance
    echo -n 95 > /sys/devices/system/cpu/cpufreq/ondemand/up_threshold   # standard setting


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
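The governor tweak above is written for one core at a time and assumes the ondemand up_threshold file exists. The script below is an added example (not the poster's code and not part of any Sophos product): it applies a governor to every core, reads each file back to confirm the write took, and reports rather than silently fails when the kernel has no up_threshold file, which the poster notes is the case on newer systems. The optional sysroot prefix argument is an assumption added so the functions can be exercised against a constructed fake /sys tree; on a real box it is left empty and the script must run as root.

```shell
#!/bin/sh
# Added example: apply a cpufreq governor to every core and verify it.
# Every function takes an optional sysroot prefix ($root) so the logic can be
# tried against a fake tree; leave it empty on a real system.

cpu_governor_files() {
    # Print the per-core scaling_governor path for every core under $1 (default /).
    root="${1:-}"
    for f in "$root"/sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_governor; do
        [ -f "$f" ] && echo "$f"
    done
}

set_governor() {
    # $1 = governor name (performance, ondemand, powersave, ...), $2 = sysroot prefix.
    # Returns 0 only if every core reads back the requested governor.
    gov="$1"; root="${2:-}"
    rc=0
    for f in $(cpu_governor_files "$root"); do
        # A rejected governor name makes the redirection fail; record it and go on.
        echo "$gov" > "$f" || { echo "write failed: $f" >&2; rc=1; continue; }
        cur=$(cat "$f")
        [ "$cur" = "$gov" ] || { echo "mismatch on $f: got $cur" >&2; rc=1; }
    done
    return $rc
}

set_ondemand_threshold() {
    # $1 = CPU load percentage at which ondemand raises the clock, $2 = sysroot prefix.
    # Older kernels expose one global up_threshold; newer ones may not have the file
    # at all, so return 2 in that case instead of pretending the tweak applied.
    pct="$1"; root="${2:-}"
    f="$root/sys/devices/system/cpu/cpufreq/ondemand/up_threshold"
    if [ ! -f "$f" ]; then
        echo "no up_threshold on this kernel; skipping" >&2
        return 2
    fi
    printf '%s' "$pct" > "$f" || return 1
    [ "$(cat "$f")" = "$pct" ]
}

# Usage on a real box (as root), e.g.:
#   . ./governor.sh && set_governor performance && set_ondemand_threshold 50
```

Checking the value back after writing matters because sysfs accepts the write call but can leave the old value in place if the driver rejects the name (for example "ondemand" on a kernel that only offers "performance" and "powersave"); the return code tells a cron job or boot script that the tweak did not actually take.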

  • Hi Doug,


    I too am getting similar results from ATT fiber.  However, when I run through a Sophos XG 85 without any packet inspection / SNORT I still only get 350 up and down.  A REAL disappointment! I too commend them for publishing stats, but these figures are very unrealistic.  I'd like to drive fast, and still be safe. I seriously doubt that Sophos has done much real-world testing of fiber connections.  Do you agree?


    RK

  • I have a gigabit fiber connection on an XG135 with an EnterpriseGuard license, IPS activated, web filter activated, application filter activated, and when I test the connection on a website like speedtest.net it really shows between 980 and 1000Mb/s, so the hardware can fill a gigabit internet connection without any problem.

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • I guess I need to contact Sophos to see if this is the limitation of the model XG85 I use versus the XG135. Thanks.


  • Just an FYI: I have a self-built UTM (dual core with SSD) at home with a 500/250 connection and experience logging problems (multiple logging processes / processes crashing) regularly. I am not sure of the source of the problem; as it was virtualized it might be a problem with the setup.

    ---

    Sophos UTM 9.3 Certified Engineer