I get thousands of these alerts every time I use https://www.speedtest.net/
Does this make sense? How can I disable it or fix the issue?
I gave up on that site because without an open firewall rule I only received latency errors.
It needs its own rule without HTTP/S scanning because it cannot cope with a proxy.
Ian
XG115W - v20 GA - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
I have applied this solution:
https://community.sophos.com/kb/en-us/133096
Now not only do I not get those alerts, I also have full upload speed, 300 Mbps. With this setting enabled I got around 260 Mbps and thousands of alerts.
Hi l0rdraiden
Thank you for following up, and I'm glad to hear you were able to resolve it!
It looks like this setting was not related to the slow upload speeds; I still have the upload speed issues, and with pfSense this doesn't happen.
Is there any reason why Sophos XG is able to reach full speed on download but not on upload?
The same happens here: https://www.nperf.com/, and now here: http://www.movistar.es/particulares/test-de-velocidad/medir-velocidad
With pfSense + Suricata I get the full 300/300 on all of those.
Hi l0rdraiden
That depends on how your firewall is configured.
For the firewall rule used for your speed test traffic, how is it configured? Did you have any traffic shaping policies applied?
What's the difference in overhead experienced for upload speeds?
Regards,
For the firewall rule affected I only have web filtering.
I only have IPS active in a rule that only affects one host, so the speed test has nothing to do with it.
The only way to get 300 Mbps of upload is if I stop the IPS service completely in "System Services" -> "Services".
It looks like a wrong implementation of Snort in Sophos XG; how can my upload speed be capped if I don't have IPS active in any rule?
You might want to remove the web filter as well from the speedtest rule.
Ian
Also found that speedtest.net goes to a lot of sites that are not part of its FQDN, which causes failures if you use their FQDN in the allowed rule.
Hi Flo,
my apologies, I took that comment out after much testing and could not see any changes to my download speeds using speedtest.net.
Further, my settings for the IPS are not the default, but updated from previous recommendations on how to block some unwanted software/access.
What I did find was that limiting speedtest.net to its FQDN sites caused it to fail, but there were no restrictions on download or upload performance.
I will run some more tests with IPS enabled in the speedtest rule and report back.
Ian
Update on testing.
My IPS settings had no effect on the speedtest.net performance. I have tuned my IPS policy.
Using HTTP/S as the allowed protocols caused the tests to run very slowly with "block unknown protocols" disabled. It also required an update to Flash part way through the test.
Ian
All I know is that if I have IPS enabled,
and this as the only rule with IPS enabled,
my CPU, while doing an HTTPS download at 30 MB/s that is not managed by that rule, looks like this (CPU 5 and 7 are not attached to Sophos XG):
As far as I know this traffic shouldn't be analyzed by Sophos XG, because the rule managing this traffic doesn't have IPS enabled.
Then, if I disable the IPS service,
under the same conditions my CPU utilization is:
So obviously the IPS is analysing traffic that it should not analyze, and this is a bad implementation of Snort: this HTTPS traffic should go through the firewall without it, and the IPS should not penalize the firewall performance.
I'm pretty sure this is a bug; could you bring this to the Sophos XG engineers to study it and fix it?
In other firewalls the IPS only works if the rule associated with the IPS is handling traffic; in Sophos XG this is not the case.
If you have DoS enabled, it will examine all traffic for all rules, as distinct from having a specific set of IPS rules for each firewall rule.
Ian
Now I have disabled the DoS settings.
And again, under the same conditions, the CPU load seems to be similar.
My rules:
IPS service disabled and DoS settings disabled:
I have replicated the test, this time with speedtest.
IPS engine enabled, DoS disabled:
IPS engine disabled, DoS disabled:
Hello l0rdraiden,
This is not a bug, nor is Snort "wrongly implemented"; this is behaviour as designed in SFOS. XG Firewall also uses Snort for application classification, and application classification is, by XG design, globally activated to get all those fancy application reports in reporting. This also means that IPS always touches the traffic, even if there is no explicit IPS (or AppControl) rule in place.
You can disable that behaviour in the device console using the command
system application_classification off
AppControl and IPS are afterwards still active for any rule where an app or IPS policy is in place, but they will no longer touch traffic which has no such policy in place. This means you will then easily reach line speed, even on low-end hardware, without an app or IPS policy in place.
Hope that helps (and please also give feedback if it DID help or not ;o))
/Sascha
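A way to check whether the console toggle above actually took the IPS engine off the untouched traffic path, as an added example that is not part of the thread or of Sophos' own tooling. It assumes you can reach the SFOS Advanced Shell (Device Management in the console menu) and that `top -bn1` is available there; everything else (the sample `top` output, the process names) is constructed for illustration. Run it while pushing a large transfer through a firewall rule that has no IPS or app policy, once before `system application_classification off` and once after; the summed Snort CPU share should drop to near zero on the second run if the traffic is no longer being classified.

```shell
#!/bin/sh
# Added example (not from the thread). Sums the %CPU of all processes whose
# command contains "snort" from top-style batch output, so the IPS footprint
# on a given flow can be compared before and after
#   system application_classification off
# The %CPU column is located from the header line, so both procps-style and
# busybox-style `top` layouts are handled (busybox prints integer percentages
# such as "45%", which awk converts by its leading numeric prefix).

snort_cpu_pct() {
  # Reads top output on stdin, prints the summed %CPU of snort processes.
  awk '
    /%CPU/ {                      # header line: find the %CPU column index
      for (i = 1; i <= NF; i++) if ($i == "%CPU") col = i
      next
    }
    col && tolower($0) ~ /snort/ { sum += $col }   # only after the header
    END { printf "%.1f\n", sum + 0 }
  '
}

# Constructed sample in procps `top -bn1` layout (not a real capture).
SAMPLE_TOP_PROCPS='top - 10:00:00 up 1 day,  2 users,  load average: 1.20, 0.90, 0.70
Tasks: 120 total,   3 running, 117 sleeping,   0 stopped,   0 zombie
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1234 root      20   0    812m   310m    12m R  45.3  7.8   1:02.11 snort
 1235 root      20   0    812m   310m    12m R  38.9  7.8   0:58.40 snort
 2000 root      20   0    120m    20m     8m S   3.0  0.5   0:10.00 sshd
'

# Constructed sample in busybox `top -b` layout (not a real capture).
SAMPLE_TOP_BUSYBOX='Mem: 1500000K used, 500000K free, 0K shrd, 100000K buff, 700000K cached
CPU:  40% usr  10% sys   0% nic  50% idle   0% io   0% irq   0% sirq
Load average: 1.20 0.90 0.70 3/120 1236
  PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
 1234     1 root     R     812m  40%  45% snort -c /etc/snort.conf
 2000     1 root     S     120m   6%   3% sshd
'

# Convenience wrappers returning the measured value for each constructed sample.
measure_procps_sample()  { printf '%s' "$SAMPLE_TOP_PROCPS"  | snort_cpu_pct; }
measure_busybox_sample() { printf '%s' "$SAMPLE_TOP_BUSYBOX" | snort_cpu_pct; }

if [ "${1:-}" = "--live" ]; then
  # On the firewall itself: one snapshot of the real process table.
  top -bn1 | snort_cpu_pct
else
  echo "procps sample : $(measure_procps_sample) % CPU in snort"
  echo "busybox sample: $(measure_busybox_sample) % CPU in snort"
fi
```

Take two or three snapshots a few seconds apart during the transfer rather than one, since a single `top` sample is noisy; a consistent figure in the tens of percent on a rule with no IPS or app policy means the traffic is still being classified.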
Thanks a lot, I have tried it and it looks like it is working as I expected; now I get full speed.
So, to be clear, by enabling this option I lose all the functionality related to "Cloud Applications", or is there something else?
Now, as before, the IPS will only apply to the firewall rules I choose, but application discovery will always be off in any case?
One weird thing is why it can handle the download speed but not the upload.
I hope Snort 3.0 will be released soon so we won't have this kind of problem; are you already playing with the beta internally?
And as a recommendation, it would be nice to have the ability to disable this through the interface, or to make clear somehow how the cloud app thing works, so maybe being able to enable cloud apps in each firewall rule would help a lot.
Now I have disabled the cloud application option, but in the interface it looks like the "service" (it is not really a service) is working.
Let me throw a little curve ball into this discussion. Why don't other users have this issue? Some do, but not a majority. I can push my 100/40 without doing those modifications. As I have posted in the past, I have tuned the IPS DoS settings and my IPS policies.
Somewhere there is a configuration issue?
Ian
Concerning:
"So, to be clear, by enabling this option I lose all the functionality related to "Cloud Applications", or is there something else?"
No, you don't lose anything besides reporting of used applications for traffic matching a firewall rule where there's no app or IPS policy in place. For all other firewall rules XG behaves as before.
rfcat_vk said: Let me throw a little curve ball into this discussion. Why don't other users have this issue? Some do, but not a majority. I can push my 100/40 without doing those modifications. As I have posted in the past, I have tuned the IPS DoS settings and my IPS policies. Somewhere there is a configuration issue?
I’d imagine it depends on your hardware and connection speed. More powerful hardware or slower connection speeds will probably not see this “issue”. With Snort 3.0 and multi threading support, I’m assuming this will become less of an issue, if it’s implemented with Sophos XG.
---
Sophos XG guides for home users: https://shred086.wordpress.com/
One last question: should I place IPS rules on the port-forwarding rule (business application rule) of a server, or on the allow LAN->WAN rule of the server, or on both?