
Performance issues with IPS on SG210

Hi,

I have been troubleshooting performance issues on a 300Mbit WAN link. Firstly, I have the customer running in VMware as Software edition, but 236Mbit was the max. I then looked at the specs for SG210:

 

We had one lying around, and we took it to the customer, but sadly same result :-(

As I read, the SG210 should handle 500mbit with IPS/AV proxy enabled?!

The issue is IPS, when I disable it on SG210 or the software version, we can hit 326Mbit with proxy on or off.

I get these in the IPS log:

2017:04:02-09:54:16 fw02 snort[26955]: S5: Session exceeded configured max bytes to queue 3257045 using 3259676 bytes (client queue). 192.168.110.55 50474 --> 195.137.194.230 8080 (0) : LWstate 0xf LWFlags 0x406007
2017:04:02-09:54:16 fw02 snort[26955]: S5: Session exceeded configured max bytes to queue 3257045 using 3259461 bytes (client queue). 192.168.110.55 50468 --> 195.137.194.230 8080 (0) : LWstate 0xf LWFlags 0x406007
 
I have read in the forum and changed max_queued_bytes and used commands "cc set ips snortsettings max_queued_bytes 3257045" and "cc set ips queue_length 8192", but with no luck.
 
But I wonder, why can't SG210 out of the box, with no IPS modification, handle this at all?
 
IPS patterns are default 12 months.
 
Help help help :-)
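
For readers triaging the same symptom: the `S5: Session exceeded configured max bytes to queue` lines quoted in the post above can be grouped per flow to see which sessions hit the limit and by how much. This is an added example, not part of the original post or Sophos tooling; the function names are hypothetical, the first two sample lines are the ones quoted above, and the third is constructed.

```python
import re
from collections import defaultdict

# Matches the "S5" queue-overrun message format quoted in the post.
S5_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) snort\[\d+\]: S5: Session exceeded configured "
    r"max bytes to queue (?P<limit>\d+) using (?P<used>\d+) bytes "
    r"\((?P<side>client|server) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
)

def parse_s5_line(line):
    """Return a dict for an S5 queue-overrun line, or None for anything else."""
    m = S5_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("limit", "used", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["over"] = rec["used"] - rec["limit"]  # bytes queued beyond the limit
    return rec

def summarize(lines):
    """Group overruns by (source, destination, destination port)."""
    stats = defaultdict(lambda: {"events": 0, "max_over": 0, "limit": 0})
    for line in lines:
        rec = parse_s5_line(line)
        if rec is None:
            continue  # not an S5 queue-overrun message
        s = stats[(rec["src"], rec["dst"], rec["dport"])]
        s["events"] += 1
        s["max_over"] = max(s["max_over"], rec["over"])
        s["limit"] = rec["limit"]
    return dict(stats)

SAMPLE = [
    "2017:04:02-09:54:16 fw02 snort[26955]: S5: Session exceeded configured max bytes to queue 3257045 using 3259676 bytes (client queue). 192.168.110.55 50474 --> 195.137.194.230 8080 (0) : LWstate 0xf LWFlags 0x406007",
    "2017:04:02-09:54:16 fw02 snort[26955]: S5: Session exceeded configured max bytes to queue 3257045 using 3259461 bytes (client queue). 192.168.110.55 50468 --> 195.137.194.230 8080 (0) : LWstate 0xf LWFlags 0x406007",
    # Constructed line: a different snort message, skipped by the parser.
    "2017:04:02-09:54:17 fw02 snort[26955]: constructed non-S5 message",
]

if __name__ == "__main__":
    for (src, dst, dport), s in summarize(SAMPLE).items():
        print(f"{src} -> {dst}:{dport} events={s['events']} "
              f"limit={s['limit']} max_over={s['max_over']}")
```
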
 


  • Hi Martin, 

    Try this, SSH to the UTM as super user and execute.

    cc set ips queue_length 8192

    Increasing queue_length will eventually result in a higher value for memcap, so more packets can be scanned through it. Also, refer to the document here.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi saching,

    Thanks for replying :-)

     

    I already did that and also wrote it in my first post (a little too hidden maybe), but it did not change anything.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Hi Martin,

    Did you check the speed with only one download? Please try with more downloads at the same time. With just one download, you never reach the maximum download rate with IPS on a SG 210.

    regards

    mod

  • Hi mod ;)

    Yes, I have tried two different speedtest sites, each capable of giving me 300+ Mbit with IPS off, but when I turn IPS on, the one takes it all and the other stays at 7-8Mbit until the first test is done, then it increases.

     

    Why can't SG210 handle this with a dual-core CPU?

    Because one core is for IPS, and only 236Mbit each, and the other core is for OS/services?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Hi Martin,

    Of course you are right. I had not considered that the SG210 has only a dual-core CPU.

    I have no experience with SG 210 and 500Mbit WAN speed. Have you tested some ISO downloads with IPS turned on? I never use speedtest sites for such tests.

    I have experience with ASG 320, SG 330 and SG 430 with a 500Mbit WAN uplink and IPS turned on.

    The ASG 320 is absolutely too small for 500 Mbit with optimized IPS.

    An optimized SG 330 loads with about 350 Mbit up to 400 Mbit. (different ISO downloads at the same time)

    And finally the SG 430 loads with about 450 Mbit with optimized IPS. (different ISO downloads at the same time)

    regards

    mod

     

  • Interesting question, Martin.  Because of this, I've recently been tempted to favor the SG 135 over the 210.  The 210 has more raw computing power, but it's dual-core whereas the 135 has a quad-core CPU.  Has anyone tested both devices to see if four simultaneous ISO downloads are faster on a 135 than on a 210?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, I tried your question :-)

    Took a SG210 and SG135 from work, using the same config on both devices and running 9.411:

    Downloading Win 2012 R2 and Win Srv 2016 ISO from MS VLSC simultaneously:

    SG210:

     

    SG135:

    Look at the different throughput on both devices: SG210 one fast and one slow download, SG135 both fast downloads and more throughput.

     

    Speedtest SG210: 236Mbit

    Speedtest SG135: 180Mbit

    So there is really "Something about Mary" with the CPU/cores when IPS is doing its job :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Thanks, Martin!  I would have expected the 210 to be faster with just two downloads - does a second trial produce the same results?

    What about four simultaneous downloads on each? - That's where I expect (guess) the 135 will really beat the 230.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 4 downloads:

    SG210:

     

    SG135:

    Interesting! ;)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • That was my guess - more total throughput with the quad-core.  Thanks, Martin!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here is the response from the Sophos Network Security Group team leader (Support):

    ------------------------------------------

    Okay so if I understand this:
    326Mbps without IPS enabled and 236Mbps with IPS enabled
    Your line speed is 60Mbps upstream and 300Mbps downstream

    The Sophos SG sizing guide suggests Firewall, ATP & IPS Realworld (realworld suggests a mixture of packet sizes, in other words, normal traffic) throughput of 590 Mbps. Sophos UTMs allocate IPS a processor core to each client IPS session. IPS can be very resource intensive as it must check the contents of packets against a known list of vulnerabilities.

    The SG210 appliance has two processor cores. Let's imagine there are no other users on your network and you have a 1Gbps internet connection (so line speed is not a bottleneck). If you run download speed tests from 1 host, you would achieve a throughput of around 295Mbps (absolute maximum) = 590Mbps / two CPU cores, as only one core is being used for the session. However, if you were to run speed tests simultaneously with four machines, you would achieve a COMBINED throughput of 590Mbps.

    So why are you getting 236Mbps and not 295Mbps when using a single host? Well, the sizing guide follows an industry standard for sizing guides. Within this standard, vendors can state performance figures as long as they can be achieved in a lab environment. Vendors therefore use every trick in the book (utilise jumbo frames where possible, use link aggregation over multiple links, etc.). Sophos do not agree with this as it does not represent "true real world performance", but if we published realistic figures we would look inferior to our competitors.

    So in summary: in your case, you only have a 300Mbps circuit. I am confident that if you had two or three PCs running parallel speed tests, the aggregate speed would show that you are utilising all of your line bandwidth.

    --------------------------

    Makes sense now :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect

  • Hi All,

    I finally built an Intel NUC i7 with a 7th generation processor.

    I have VMware on top, as in the other experiments, and IPS, web etc. enabled, as I use the same config.

    This is what happened with a 3,5 GHz i7 :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Architect
