
IPS cut down my internet speed

Hi all,

 

  I am now using a Sophos SG310 firewall with a 1 Gb internet connection. The speed is not bad (around 7xx Mbps in speedtest) with services on (Firewall, Web Filtering, POP3 Proxy, Application Control, AntiVirus, AntiSpam, Anti Spyware, ATP). However, when I turn on the IPS, the speed drops to 2xx-3xx Mbps.

  Is it possible to make it run faster with IPS on, since the spec of this model is 1.2 Gbps of IPS throughput?

 

Thanks a lot.

 

Cato



  • IPS is very processor intensive. The specs are a little optimistic IMHO and you can better consult your reseller for realistic hardware needs.

    That said, you can configure IPS so you may gain a little, but I think it's unlikely that you'll get back your 7xx Mbps speed with IPS enabled.

    Check the following:

    Network protection -> Intrusion Prevention -> Attack patterns: Disable everything you don't have or use and reduce the rule age as far as you think is safe (but keep it at 12 months or less). Then under the Advanced tab list your HTTP, DNS, SMTP and SQL servers (if any), so the system knows which systems to apply specific rules to.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Try customizing the Attack Patterns in your IPS configuration, depending on your LAN hosts and their requirements. Since you have not said what services you're running on your LAN or what IPS settings you have enabled (6 tabs on the IPS page), we have very little to go on.

    Regards Simon

    Sophos XG 17.5.1 MR-1 | Dell 7010 | Intel(R) Core(TM) i5-3550 CPU @ 3.70GHz | 8GB Memory
    Samsung EVO 850 120GB SSD | 1x Intel 82574L / 2x 82571EB Gigabit Ethernet Controller (rev 06)

  • Hi Cato,

    Refer to the KB document here and configure IPS according to the best practice.

    The IPS scanning engine can launch multiple processes on multiple CPU cores; however, only one process is used per IP source and destination pair.
    As the speed of the connection increases, the demand on the system resources also increases to process the increased packet flow.
    When using a fast network connection there will come a point where the available network bandwidth is greater than the speed at which the IPS process can scan
    the traffic, resulting in the CPU core running the process reaching 100%. There are no exact figures for this impact because it depends on the model of UTM and
    what else the system is doing at the time.

    As long as any new connections originate from either a different source or go to a different destination, these will pass through
    a new IPS process on a separate CPU core. This therefore allows a simultaneous connection to only have its speed capped when its CPU core reaches 100% or
    when the available network bandwidth has become saturated. In real-world terms this means the actual impact on network performance as a whole will
    not be as dramatic as the results of the speed test show, and end users are unlikely to notice any impact on network performance unless they are transferring
    very large files.


    Intrusion Prevention Systems inherently have the potential to impact both performance and bandwidth, since every single packet traversing the networks defined under
    'Local networks' is intercepted and evaluated against hundreds or thousands of Attack Patterns. These potential performance and bandwidth effects can be
    mitigated through the following methods:

    1. Do not enable IPS on hosts, networks or services which are time-sensitive (VoIP etc).
    2. Ensure that you only enable Attack Patterns for hosts, operating systems and services which are actually running on your network.
    3. Add all internal HTTP, DNS, SMTP and SQL Servers to the appropriate dialog box in the 'Advanced' section for IPS configuration.
    4. Add a second UTM for High Availability and activate in "Active/Active" mode for load balancing of IPS processing. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
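The per-flow behaviour described in the post above (one IPS worker per source/destination pair, each worker capped by its CPU core, the total capped by the link) explains why a single-stream speedtest reads 2xx-3xx Mbps while the aggregate stays usable. The following is an added toy model, not Sophos code and not the real UTM scheduler: it assumes 4 cores, that one worker scans about 300 Mbps (chosen to match the figure in the original question), a 1 Gb/s link, and that pairs are assigned to workers round-robin in first-seen order (the real assignment is not documented on this page). The host addresses and offered rates are constructed sample input.

```python
"""Toy model of per-(src,dst)-pair IPS scanning capacity.

Assumptions (not from the original thread or from Sophos):
- one scanning worker per (src, dst) pair, pinned to one core
- a worker can scan at most CORE_MBPS before its core hits 100%
- workers are assigned round-robin in first-seen order (simplification)
- the uplink is LINK_MBPS and is shared fairly once saturated
"""
from collections import defaultdict

LINK_MBPS = 1000.0   # assumption: the 1 Gb/s internet link from the question
CORE_MBPS = 300.0    # assumption: one worker's scan rate, matching the 2xx-3xx Mbps seen


def assign_workers(flows, cores):
    """Return the worker index for each flow; flows sharing a (src, dst) pair share a worker."""
    worker_of_pair = {}
    assignment = []
    for src, dst, _ in flows:
        pair = (src, dst)
        if pair not in worker_of_pair:
            worker_of_pair[pair] = len(worker_of_pair) % cores  # round-robin (simplification)
        assignment.append(worker_of_pair[pair])
    return assignment


def achieved_throughput(flows, cores=4, core_mbps=CORE_MBPS, link_mbps=LINK_MBPS):
    """flows: list of (src, dst, offered_mbps). Returns achieved Mbps per flow.

    Step 1: each worker's scan capacity is shared proportionally among its flows.
    Step 2: the sum of all flows is scaled down proportionally if it exceeds the link.
    """
    workers = assign_workers(flows, cores)
    offered_per_worker = defaultdict(float)
    for (_, _, mbps), w in zip(flows, workers):
        offered_per_worker[w] += mbps

    after_cpu = []
    for (_, _, mbps), w in zip(flows, workers):
        scale = min(1.0, core_mbps / offered_per_worker[w])
        after_cpu.append(mbps * scale)

    total = sum(after_cpu)
    scale = min(1.0, link_mbps / total) if total else 1.0
    return [round(x * scale, 1) for x in after_cpu]


if __name__ == "__main__":
    # Constructed sample input: a single speedtest stream vs. several clients in parallel.
    single = [("10.0.0.5", "203.0.113.10", 900.0)]
    parallel = [("10.0.0.%d" % i, "203.0.113.10", 900.0) for i in range(5, 9)]
    same_pair = [("10.0.0.5", "203.0.113.10", 900.0),
                 ("10.0.0.5", "203.0.113.10", 900.0)]
    print("single stream   :", achieved_throughput(single))     # capped by one core
    print("4 clients       :", achieved_throughput(parallel))   # capped by the link
    print("2 streams, 1 pair:", achieved_throughput(same_pair))  # share one core
```

The three scenarios in the usage section show the point of the post: one stream is limited to one core's scan rate, four clients to four different workers together saturate the link, and two streams between the same pair of hosts share a single worker and get half each. Under this model, adding cores only helps when there are more distinct source/destination pairs than cores, which is why the aggregate looks healthier than the speedtest.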

  • Note that 4 in Sachin's list will require you to add a cluster node to your license which will cut its remaining term in half.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA