
UTM 9 - ASG320 Maximum throughput with IPS / SNORT limitation

Hi Everyone

Trust that all are well

I know that the SNORT engine which is used by IPS in the UTM is limiting your download speed.

What is the maximum Download and Upload speed / throughput I will achieve on a 200MB Fibre link?

Thank you in advance

Kind Regards

Francois



  • Hi Francois,

    That depends on the hardware capability; it is a tricky one to answer. The Sophos UTM uses the Snort Inline engine for IPS functionality, and by design, the Snort engine uses only a single CPU even on systems with multiple CPUs installed. The IPS scanning engine can launch multiple processes on multiple CPU cores; however, only one process is used per IP source and destination pair. As the speed of the connection increases, the demand on the system resources also increases to process the increased packet flow. When using a fast network connection, there will come a point where the available network bandwidth is greater than the speed at which the IPS process can scan the traffic, resulting in the CPU core running the process reaching 100%. There are no exact figures for this impact because it depends on the model of UTM and what else the system is doing at the time.

    To get around the Snort limitation the Sophos UTM creates multiple IPS instances which work in parallel with each instance using a different CPU. To ensure that other UTM processes have enough processing power, 1 CPU is set aside and by default not used by the IPS engine. On smaller UTM models with only 2 CPUs the result is that only a single Snort instance is used, which may result in lower than the desired throughput when using IPS scanning.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Also, Francois, based on what Sachin told you, realize that that means you will need to test by doing simultaneous speed tests from several devices using different test servers. Alternatively, you can open several PuTTY sessions on your UTM and run different tests from there.

    In the first session you start, download the tool and list the servers that interest you:

    cd /home
    wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py --no-check-certificate
    python speedtest.py --list|grep 'South Africa'

    If you chose server 5203, for example, you would run the following in one of the sessions:

    python speedtest.py --server 5203

    And likewise from the /home directory for the other sessions with the different target servers you chose.  What result did you obtain using four simultaneous sessions?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
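
The procedure from the post above as a script, added here as an example and not code from either poster or from Sophos: it starts one speedtest.py session per server ID at the same time and sums the per-session figures, since only one IPS process is used per IP source and destination pair. The function names and the sample logs are assumptions constructed for the demo; the server IDs given to run_parallel are the ones you picked from --list.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample logs are constructed.

# run_parallel OUTDIR SERVER_ID...
# One speedtest.py session per server, all at once, so each session is a
# separate source/destination pair. Needs network; run from /home on the UTM.
run_parallel() {
    outdir=$1; shift
    for id in "$@"; do
        python speedtest.py --server "$id" > "$outdir/session_$id.log" 2>&1 &
    done
    wait    # return only after every background session has exited
}

# sum_mbits FIELD FILE...   FIELD is Download or Upload.
# Adds up the "FIELD: <n> Mbit/s" lines across all session logs.
sum_mbits() {
    field=$1; shift
    awk -v f="$field:" '$1 == f && $3 == "Mbit/s" { t += $2 }
                        END { printf "%.2f\n", t }' "$@"
}

# count_ok FILE...   Number of sessions that actually reported a download
# figure; a failed session would otherwise silently lower the total.
count_ok() {
    grep -l '^Download: ' "$@" | wc -l | tr -d ' '
}

# write_demo_logs DIR   Constructed output for four sessions, one failed.
write_demo_logs() {
    printf 'Download: 61.40 Mbit/s\nUpload: 58.10 Mbit/s\n' > "$1/session_a.log"
    printf 'Download: 58.75 Mbit/s\nUpload: 60.20 Mbit/s\n' > "$1/session_b.log"
    printf 'Download: 49.85 Mbit/s\nUpload: 55.30 Mbit/s\n' > "$1/session_c.log"
    printf '(constructed) session failed, no result lines\n' > "$1/session_d.log"
}

# Offline demo on the constructed logs.
demo=$(mktemp -d)
write_demo_logs "$demo"
echo "sessions with a result: $(count_ok "$demo"/session_*.log) of 4"
echo "aggregate download:     $(sum_mbits Download "$demo"/session_*.log) Mbit/s"
echo "aggregate upload:       $(sum_mbits Upload "$demo"/session_*.log) Mbit/s"
rm -rf "$demo"
```

For a real run, call run_parallel with an output directory and the chosen server IDs, then pass the resulting session logs to count_ok and sum_mbits; compare the aggregate with a single-session result to see the per-pair limit.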
  • Thank you for the explanation Sachin

    Kind Regards

    Francois

  • Thank you Bob, much appreciated