
Sophos XG 105: hardware ISO performs better than software ISO with home license on XG hardware? Is Sophos limiting speeds when using home licenses on Sophos hardware?

Dear community,

I am test-driving an XG105 that I got from a friend who works at an IT company, to test out the performance. I currently have a 200/200 fiber internet connection.

After installing the hardware ISO (HW-17.5.1_MR-1-347) and running the installation wizard, I got a speed result of 160Mbps with all protections enabled in the wizard.

However: after installing the software ISO (SW-17.1.4_MR-4-254) with a Home license and running the installation wizard with exactly the same protections enabled, I got a speed result of 30 Mbps.

How is this possible?

Has Sophos limited the speed of XG home installations on Sophos XG hardware?

(I remember that on an older UTM120 device there was NO speed difference between software and hardware installations of UTM and XG.)


Confused

  • Depends solely on the hardware. On a test server (2x Xeon, 32 GB RAM, SAS drives) with a Home license I got throughput dead on 200/200, the same as the line.

    Probably the software ISO doesn't fully utilise the hardware on the XG, and that's the reason there's a hardware ISO and a software ISO. If the hardware ISO works well, stick to it.

  • In reply to Panagiotis Vakerlis:

    But I cannot use a home license on the hardware XG installation, can I?

  • In reply to MKR74:

    Whoops, sorry about that! I misread your topic!

    AFAIK the hardware ISO doesn't accept home keys, so you're stuck with the software ISO. 

    Are you sure you did the same setup as with the hardware one? I would assume a 20-30% loss is OK with that, but 30 Mbit performance is way too low. I've got 17.5 on an ASG 110/120 that performs better!

    Upgrade the software XG to the latest version and retest.

  • In reply to Panagiotis Vakerlis:


    Hi Panagiotis,

    I reinstalled the software version of XG 17.5.1 and did the installation wizard again.

    I compared the firewall rules with the earlier installed hardware version of XG 17.5.1 and I got the following results again:

    XG105

    • Installed with hardware version of XG 17.5.1: 160-190 Mbps download speed
    • Installed with software version of XG 17.5.1: 30-40 Mbps download speed

    So I really suspect that Sophos is throttling down the network speeds of software XG installs on XG hardware.

    Or would this also be the case for ANY other software XG installation on NON-Sophos hardware?

  • How much RAM does the XG105 have? The home license is limited to 6 GB, so that could be the problem if you have everything enabled, especially the intrusion prevention.

  • In reply to alan weir:

    The XG105 has 2 GB of RAM.

    The hardware XG installation and software XG installation took place on the same device.

  • In reply to MKR74:

    OK, let's put this right. It's just the opposite way round. Sophos does not artificially slow down software versions of the XG (why should they???), but they do highly optimize the hardware images for the corresponding appliances based on their specs (memory, CPU cores etc.).

    There are a lot of settings under the hood that affect performance and memory usage. Some of the noteworthy ones are surely the IPS settings for snort.

    While the hardware images have specially tested and optimized settings, e.g. for the search method (hyperscan, ac-bnfa etc.), and also other tweaks in place, the software image is quite generic and has to run on a wide variety of possible hardware the customers might have. So for example the IPS settings should fit well for midsized or high-end hardware, but might not run too well untweaked on low-end hardware such as a 105.

    You find most of such settings in the CLI guide; there's also a section for IPS:

    http://docs.sophos.com/nsg/sophos-firewall/v17.0.5/PDF/SF%20OS%20Command%20Reference%20Guide.pdf


    If I compare a software installation running on old UTM120 (dual core / 2 GB mem) hardware with a native XG125 (dual core / 4 GB mem), I see for example:

    XG125 native Hardware

    console> show ips_conf
    config stream               1
    config maxsesbytes              0
    config stdsig               1
    config qnum                 10
    config disable_tcpopt_experimental_drops                0
    config enable_appsignatures     1
    config mmap                    0
    config mmapfilepath             1
    config memmode              0
    config failclose                off
    config maxpkts              8
    var SEARCH_METHOD               hyperscan
    var SIP_STATUS              enabled
    var IGNORE_CALL_CHANNEL         enabled
    var TCP_POLICY              windows
    var DETECT_ANOMALIES            no
    var TCP_BLOCK               nblock
    var LOCAL_RULE              local.rules
    config cpulist              0:1

    ips-settings  ips_conf
    console> show ips-settings
    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 0
            maxpkts 8
            mmap off
            enable_appsignatures on
            mmapfilepath var
            http_response_scan_limit  65535
            search_method hyperscan
            sip_preproc enabled
            sip_ignore_call_channel enabled

    -------------IPS Instances------------
    IPS CPU
     1  0
     2  1

    UTM120 Appliance running Software SFOS

    console> show ips_conf
    config stream           1
    config maxsesbytes      0
    config stdsig           1
    config qnum             10
    config disable_tcpopt_experimental_drops                0
    config enable_appsignatures             1
    config mmap             0
    config memmode          0
    config failclose        off
    config maxpkts          8
    config cpulist          0:1
    var SIP_STATUS          enabled
    var IGNORE_CALL_CHANNEL enabled
    var SEARCH_METHOD       ac-bnfa
    var TCP_POLICY          windows
    var LOCAL_RULE          local.rules
    var DETECT_ANOMALIES    no
    var TCP_BLOCK           nblock

    console> show ips-settings
    -------------IPS Settings-------------
            stream on
            lowmem off
            maxsesbytes 0
            maxpkts 8
            mmap off
            enable_appsignatures on
            http_response_scan_limit  65535
            search_method ac-bnfa
            sip_preproc enabled
            sip_ignore_call_channel enabled

    -------------IPS Instances------------
    IPS CPU
     1  0
     2  1

    So there's surely room to fiddle with your IPS and other base settings to get the most out of your hardware. You can try to figure out the default settings of a native XG105 and apply them to your software installation too. Also this "hyperscan" setting on appliances with CPUs supporting QuickAssist from Intel might be worth testing. AFAIK the XG105 CPU doesn't support QuickAssist (not sure about that...), but check what the native hardware image has in use by default.

    Or whether hardware acceleration is in use (if available from the CPU):

    console> system hardware_acceleration status
    Configuration status = enabled
    Number of HW acceleration cards = 1
    Drivers loaded = Yes

    Besides those base settings, also check for common troublemakers such as activated DoS protection and other things that incidentally might slow you down.

    Hope this helps. Please give feedback once you have found the bottleneck in your SW installation.

  • In reply to MKR74:

    Like I and  noted, there's no way the software is throttling you down. I have a live example on my server which started with 40/4 Mbps, upgraded to 60/20 and now 200/200. Throughput is the full internet speed, and gigabit throughput at LAN speeds (on a single machine; I haven't tested multiple machines, but I assume I'll hit other hardware limitations before getting to the XG, like the switch).

    It's more that the software version is not utilising the hardware than throttling it down. 
    I didn't expect it to make THAT much difference, but it seems that's the case.

    You could add some RAM, it will help, although it won't help 200 Mbit worth!
    Just FYI, I have an HP ProLiant DL360 G6 with 2x 4-core Xeons, 32 GB RAM, 2x SAS drives (RAID 1). Sophos runs as a VM inside Proxmox with its own LAN and WAN cards (separate from Proxmox's LAN). I also have 4 containers and 2 other VMs.
    SFOS is set up with 4 cores from the CPU and 4 GB RAM and works like it should. 

    It may sound like overkill, but this kind of server is pretty cheap and the power consumption is not that big (about 160-180 W at medium load). Actually, with the requirements I have, I don't think I can ever utilise the server fully.

    An alternative solution is a medium-sized PC (4 cores) with 4 GB RAM and an SSD connected to a SATA3 port. You only have to add one extra LAN card (assuming the PC already has one, which most if not all do) and bam. You could get away with 150-170 € on a refurbished one. 

  • In reply to MKR74:

    2 GB of RAM and an Atom Bay Trail dual core would not be enough for a software ISO. That is very underpowered. I would look into a fanless PC from Qotom that uses the Intel J1900 CPU and 4 or 8 GB of RAM, since you can install the XG home edition on it. BTW, these fanless PCs are highly recommended because they use Intel NICs. Or even build one yourself using an embedded motherboard, a dual-LAN Intel NIC and a pico PSU power supply for a fanless system.

  • In reply to alan weir:

    I have, sitting in a corner doing nothing at this stage, a J1900 with 6 GB RAM, 4 NICs and an SSD. While it handles the 100/40 connection okay, the GUI was just sooo slow that testing and seeing the results was not reliable. That is why I am using the device in my signature.

    Ian

  • In reply to rfcat_vk:

    I am using the software Home install on the latest firmware SFOS 17.5.0 GA running on a Dell Pentium 4 3.4 GHz with 3MB RAM... I am seeing nearly wireline speed on speed tests. I have 400 Mb/s down and 23 Mb/s up service and am seeing 480+ Mb/s down and 24 Mb/s up on the tests I have performed.

    I have one Intel NIC on the MB and one cheap PCI-based NIC in the system. Hardware acceleration is unavailable... My rules are fairly plain and simple; however, I do employ FQDN groups and have seen the avd process peg the CPU several times without warning, and have yet to understand why that has happened randomly. Are there other settings under the hood we can look at??

    console> show ips_conf
    config stream        1
    config maxsesbytes        0
    config stdsig        1
    config qnum        10
    config maxpkts        8
    config disable_tcpopt_experimental_drops        0
    config enable_appsignatures        1
    var SIP_STATUS        enabled
    var IGNORE_CALL_CHANNEL        enabled
    var TCP_POLICY        windows
    var LOCAL_RULE        local.rules
    var DETECT_ANOMALIES        yes
    var TCP_BLOCK        block
    var SEARCH_METHOD        ac-bnfa
    config failclose        off
    config cpulist        0:1

    console> system hardware_acceleration status
    % Error: Unknown Parameter 'hardware_acceleration'
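As an added example (not from this thread and not Sophos's own tooling): a small Python script that parses two `show ips_conf` dumps and reports the snort settings that differ, which is the "compare the native image's defaults with your software install" check Sascha suggests above and what Rick is asking for here. The samples are the XG125 hardware-image dump and the Pentium 4 software dump posted in this thread; the set of "performance-relevant" keys is an assumption based on what the thread singles out. The script only compares; applying a setting is still done on the console per the CLI guide linked above.

```python
"""Diff two SFOS `show ips_conf` dumps (added example, not Sophos code)."""
import re

# Assumption: the keys the thread singles out as performance-relevant for
# snort. Everything else is reported too, but these are what to check first.
PERF_KEYS = {"SEARCH_METHOD", "cpulist", "DETECT_ANOMALIES", "TCP_BLOCK",
             "maxpkts", "stream"}

# Sample: `show ips_conf` from the native XG125 (hardware image) posted above.
XG125_HW_CONF = """\
console> show ips_conf
config stream               1
config maxsesbytes              0
config stdsig               1
config qnum                 10
config disable_tcpopt_experimental_drops                0
config enable_appsignatures     1
config mmap                    0
config mmapfilepath             1
config memmode              0
config failclose                off
config maxpkts              8
var SEARCH_METHOD               hyperscan
var SIP_STATUS              enabled
var IGNORE_CALL_CHANNEL         enabled
var TCP_POLICY              windows
var DETECT_ANOMALIES            no
var TCP_BLOCK               nblock
var LOCAL_RULE              local.rules
config cpulist              0:1
"""

# Sample: `show ips_conf` from the software Home install on the Pentium 4 posted above.
P4_SW_CONF = """\
console> show ips_conf
config stream        1
config maxsesbytes        0
config stdsig        1
config qnum        10
config maxpkts        8
config disable_tcpopt_experimental_drops        0
config enable_appsignatures        1
var SIP_STATUS        enabled
var IGNORE_CALL_CHANNEL        enabled
var TCP_POLICY        windows
var LOCAL_RULE        local.rules
var DETECT_ANOMALIES        yes
var TCP_BLOCK        block
var SEARCH_METHOD        ac-bnfa
config failclose        off
config cpulist        0:1
"""

# One `config KEY VALUE` or `var KEY VALUE` line; the `console>` prompt does not match.
LINE_RE = re.compile(r"^\s*(config|var)\s+(\S+)\s+(\S+)\s*$")


def parse_ips_conf(text):
    """Turn the dump into {key: value}; non-matching lines are ignored."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conf[m.group(2)] = m.group(3)
    return conf


def diff_conf(ref, other):
    """Return {key: (ref_value, other_value)} for every key that differs or is
    present on only one side (None marks the side where it is missing)."""
    return {k: (ref.get(k), other.get(k))
            for k in sorted(set(ref) | set(other))
            if ref.get(k) != other.get(k)}


def perf_diff(ref_text, other_text):
    """Parse both dumps and keep only the differences in PERF_KEYS."""
    d = diff_conf(parse_ips_conf(ref_text), parse_ips_conf(other_text))
    return {k: v for k, v in d.items() if k in PERF_KEYS}


if __name__ == "__main__":
    full = diff_conf(parse_ips_conf(XG125_HW_CONF), parse_ips_conf(P4_SW_CONF))
    for key, (hw, sw) in full.items():
        flag = "*" if key in PERF_KEYS else " "   # * = look at this one first
        print(f"{flag} {key:<16} hardware={hw!s:<12} software={sw!s}")
```

Run as-is it lists the keys that differ between the two posted dumps, starring the ones worth trying first (search method, anomaly detection and TCP blocking mode); keys that only the hardware image carries show up with `None` on the software side, so you can tell "set differently" from "not set at all" before typing anything into the console.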

  • In reply to Rick Dunn:

    For an old P4 your system is performing quite well with 400 Mb/s in my eyes. Most likely there isn't too much to tweak under the hood here. HW acceleration isn't available due to missing AES-NI / Intel QuickAssist support in the P4.

    You might check the number of started IPS (snort) instances, but I'd expect 2 instances already (and your P4 to be a dual core with or without HT). So I personally wouldn't expect too much more throughput for that hardware by further fiddling around in the base settings.

     

    /Sascha