I upgraded from v17.5.8 to v18 EAP about a week ago and noticed a drop in performance and an increased RAM usage.
I do have an XG115 rev2 Appliance installed with the Software Image and a Home Use License.
My Internet connection is 100/40.
With version 17.5.8 I was able to reach about 80 to 90 Mbit download (I already expected more from the hardware)
After the Upgrade I only reach about 50 to 60 Mbit download. There is no DPI or webfiltering activated and it doesn't matter if I activate IPS or not.
SSL/TLS Inspection is turned on but there are not any rules.
Are there any tweaking options for the software version of Sophos XG running on a HW Appliance?
As posted in the initial Announcement:
Do you use a hardware Bridge?
Do you use IPS?
Do you use SSLx (even one rule with "Do not Decrypt")?
In reply to LuCar Toni:
I just would like to know if there are some switches which would increase performance when using an appliance with a software image.
No bridge is in place.
I tried it with and without IPS. Didn't make any difference.
SSLx is not in use. Only the default rules are in place.
I have 300x30 service and was getting higher than that on 17. Since going to 18, the max I get is also 50-60 down.
I have SSL/TLS inspection disabled. I'm in the same boat, no matter what I've tried disabling, there's no change in performance. Hopefully the next release will be out sooner than later!
On the positive note, the admin interface is MUCH faster than v17 was.
Is there any news on this question?
I've been using v18 EAP 1 since launch, and the performance difference between v17.5.8 and v18 is weird. The v18 was supposed to be faster, but it's slower.
I’m currently with Intel J1900 + 8GB ram with Intel 82576 NIC.
I’ve made a clean installation, and used IPS GeneralPolicy, ATP (Log and Drop), Default Policy for Web and no HTTPS Decrypt for the testing.
v17.5.8: I would be able to get 260mbit/s, which is my WAN download limit, while using less than 45% of CPU usage. With HTTPS Decrypt on, I was still able to get 260mbit/s.
v18: I can barely get 120mbit/s, that's without TLS/SSL Inspection or HTTPS Decrypt via Web Proxy. If I use HTTPS Decrypt via Web Proxy, I would get the same speeds on any HTML5 speedtest. With TLS/SSL Inspection the throughput would get even lower, to 80mbit/s.
Here's how it looks with top on v18. Snort is always using 100% of the CPU.
Is there anything that I can do to achieve better speeds? Or is it an issue on my end?
In reply to Prism:
Interesting thread. Someone from the Sophos dev team should investigate that. It is still a beta and they are still adjusting "the code", but your case seems to be interesting.
In reply to lferrara:
I saw this issue earlier. As far as I know, it's already fixed in the next version.
Michael Dunn ?
My throughput is the same, but response times have blown out and RAM usage is up, which I assume is caused by all the debugging code left active.
In reply to rfcat_vk:
I think RAM usage is going to stay about the same due to the additional DPI engine. They are not supporting appliances with less than 4GB. I even tried installing a VM with less than 4GB and the installation fails. Even after installation, if you try to decrease the RAM in a VM, the firewall goes to safe mode if the RAM gets below 3600MB.
I also found that the load average is considerably higher compared to v17.xx. Compare your old load average graphs and there is definitely an uptick.
In reply to Billybob:
RAM increase is fine, but going from low 40% to low 70% is a rather large increase on a 6GB system.
Also, as you point out, the load has increased from just over 2 to just under 4.
So we wait and see what the next version brings?
Could you retest V18 EAP1 Refresh1?
I've retested it on V18 EAP1 Refresh1; throughput is still the same as v18, which is way slower than v17.5.8. I've decided to go back to v17.5.8 just to do some testing again, because I thought it could be something wrong with my hardware, but the throughput difference is still high.
Here's a CPU usage graph from v17.5.8, while using all my WAN download throughput limit, 240-260 mbit/s. With IPS on generalpolicy.
Here's one on v18 EAP 1 Refresh 1. You can see the CPU spike at 8:30; that's when I decided to try downloading CentOS 8, and the throughput was limited at 130mbit/s.
I didn't take any pictures, but for fun I decided to make a VM of v18 EAP1, with 4 cores/6GB RAM (Host => Ryzen 1700, 32GB RAM). While on v17.5.8 I could get gigabit speeds on it (using VirtIO drivers I could get around 1.2 - 1.4 Gbit/s), on v18 the max speed I would get was around 480-510 mbit/s on iperf3.
Could you please verify the used drivers in V18?
Please check via ethtool on each interface.
SFVH_SO01_SFOS 18.0.0 EAP1-Refresh1# ethtool -i Port2
driver: igb
version: 184.108.40.206
firmware-version: 1.2.1
expansion-rom-version:
bus-info: 0000:01:00.1
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

SFVH_SO01_SFOS 18.0.0 EAP1-Refresh1# ethtool -i Port1
driver: igb
version: 220.127.116.11
firmware-version: 1.2.1
expansion-rom-version:
bus-info: 0000:01:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
Can you please show us the output of ethtool without -i?
SFVH_SO01_SFOS 18.0.0 EAP1-Refresh1# ethtool Port1
Settings for Port1:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: Symmetric
        Supports auto-negotiation: Yes
        Supported FEC modes: Not reported
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: Symmetric
        Advertised auto-negotiation: Yes
        Advertised FEC modes: Not reported
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: pumbg
        Wake-on: g
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes

SFVH_SO01_SFOS 18.0.0 EAP1-Refresh1# ethtool Port2
Settings for Port2:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: Symmetric
        Supports auto-negotiation: Yes
        Supported FEC modes: Not reported
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: Symmetric
        Advertised auto-negotiation: Yes
        Advertised FEC modes: Not reported
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes
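The driver and link checks requested above are easy to repeat across every port when the two ethtool outputs are reduced to one summary line per interface. The script below is an added example, not code from this thread or from Sophos: it combines `ethtool -i IF` and `ethtool IF`, extracts driver, firmware, bus, speed, duplex, auto-negotiation and link state, and flags a port that has no link or that negotiated anything other than 1000Mb/s full duplex, which is the first thing to rule out when throughput sits far below line rate. The `collect_nic` and `nic_summary` names are my own, and the two sample texts are constructed (the first follows the values in Prism's Port1 post with the driver version left out, the second is an invented 100/half case); none of it is captured verbatim.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): summarize ethtool output
# for one interface and flag degraded links. Function names are assumptions.

# Live collector: run on the firewall's advanced shell, where ethtool exists.
# Prints "ethtool -i IF" followed by "ethtool IF" so nic_summary can read both.
collect_nic() {
  { ethtool -i "$1"; ethtool "$1"; } 2>/dev/null
}

# Parse the combined output passed as $1 and print one summary line.
# Values are taken after the first ": " so fields such as bus-info, which
# themselves contain colons (0000:01:00.0), survive intact.
nic_summary() {
  printf '%s\n' "$1" | awk '
    function val() { sub(/^[^:]*: */, ""); return $0 }
    /^driver:/           { drv = val(); next }
    /^firmware-version:/ { fw = val(); next }
    /^bus-info:/         { bus = val(); next }
    /Speed:/             { speed = val(); next }
    /Duplex:/            { duplex = val(); next }
    /Auto-negotiation:/  { autoneg = val(); next }   # capital A: skips "Supports auto-negotiation"
    /Link detected:/     { link = val(); next }
    END {
      status = "OK"
      if (link != "yes")                                status = "NO-LINK"
      else if (speed != "1000Mb/s" || duplex != "Full") status = "DEGRADED"
      printf "driver=%s fw=%s bus=%s speed=%s duplex=%s autoneg=%s link=%s status=%s\n",
             drv, fw, bus, speed, duplex, autoneg, link, status
    }'
}

# Constructed sample: healthy port, values follow Prism's Port1 post
# (driver version omitted because it was not readable in the thread).
SAMPLE_OK='driver: igb
firmware-version: 1.2.1
bus-info: 0000:01:00.0
Settings for Port1:
        Supported link modes:   10baseT/Half 10baseT/Full 1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Auto-negotiation: on
        Link detected: yes'

# Constructed sample: a port that negotiated down to 100Mb/s half duplex,
# which on its own would cap throughput well below the WAN line rate.
SAMPLE_BAD='driver: igb
firmware-version: 1.2.1
bus-info: 0000:01:00.1
Settings for Port2:
        Speed: 100Mb/s
        Duplex: Half
        Auto-negotiation: on
        Link detected: yes'

# Offline demonstration on the constructed samples. On a live box use:
#   for p in Port1 Port2; do echo "$p: $(nic_summary "$(collect_nic "$p")")"; done
nic_summary "$SAMPLE_OK"
nic_summary "$SAMPLE_BAD"
```

A port that reports DEGRADED or NO-LINK points at cabling, the switch port or driver negotiation rather than at the firewall's inspection engines, so it is worth running this before comparing IPS or DPI settings between v17 and v18.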