Performance issues with IPS on SG210

Question

Hi, 
 I have been troubleshooting performance issues on a 300Mbit WAN link, firstly I have customer running in VMWARE as Software edition, but 236Mbit was the max. I then looked at the specs for SG210:

We had one laying around, and we took it to the customer, but sadly same result :-( 
 As I read, the SG210 should handle 500mbit with IPS/AV proxy enabled?! 
 The issue is IPS, when I disable it on SG210 or the software version, we can hit 326Mbit with proxy on or off. 
 I get theese in IPS log: 
 2017:04:02-09:54:16 fw02 snort[26955]: S5: Session exceeded configured max bytes to queue 3257045 using 3259676 bytes (client queue). 192.168.110.55 50474 --> 195.137.194.230 8080 (0) : LWstate 0xf LWFlags 0x406007 
 2017:04:02-09:54:16 fw02 snort[26955]: S5: Session exceeded configured max bytes to queue 3257045 using 3259461 bytes (client queue). 192.168.110.55 50468 --> 195.137.194.230 8080 (0) : LWstate 0xf LWFlags 0x406007 
 
 I have read in the forum and changed max_queued_bytes and used commands " cc set ips snortsettings max_queued_bytes 3257045 " and " cc set ips queue_length 8192 ", but with no luck. 
 
 But I wonder, why can't SG210 out of the box, with no IPS modification, handle this at all? 
 
 IPS patterns are default 12months. 
 
 Help help help :-)

twister5800 · Accepted Answer

Here is the response from the Sophos Network Security Group team leader (Support): 
 ------------------------------------------ 
 Okay so if I understand this: 326Mbps without IPS enabled and 236Mbps with IPS enabled Your line speed is 60Mbps upstream and 300Mbps downstream The Sophos SG sizing guide suggests Firewall, ATP & IPS Realworld (realworld suggests a mixture of packet sizes in other words, normal traffic) throughput of 590 Mbps. Sophos UTM's allocates IPS a processor core to each client IPS session. IPS can be very resource intensive as it must check the contents of packets against a known list of vulnerabilities. The SG210 appliance has two Processor cores. Let's imagine there are no other users on your network and you have a 1Gbps internet connection (so line speed is not a bottleneck). If you run download speed tests from 1 host, you would achieve a throughput of around 295Mbps (absolute maximum) = 590Mbps / two CPU cores as only one core is being used for the session. However if you were to run speed tests simultaneously with four machines - you would achieve a COMBINED throughput of 590Mbps. So why are you getting 236Mbps and not 295Mbps when using a single host? Well the sizing guide follows an industry standard for sizing guides. Within this standard, vendors can state performance figures as long as they can be achieved in a lab environment. Vendors therefore use every trick in the book (utilise jumbo frames where possible, use Link aggregation over multiple links etc etc etc). Sophos do not agree with this as it does not represent "true real world performance", but if we published realistic figures we would look inferior to our competitors. So in summary - in your case, you only have a 300Mbps circuit, I am confident that if you had two or three PC's running parallel speed tests, the aggregate speed would show that you are utilising all of your line bandwidth. 
 -------------------------- 
 Makes sense now :-)

twister5800 · Answer

Hi All, 
 I finally build an Intel NUC i7 with 7th generation processor. 
 I have VMWARE ontop as on the other experiments and IPS, web etc. enabled, as I use the same config. 
 This I what happened with and 3,5 GHz i7 :-)