Slow Throughput after installing v18 EAP


I upgraded from v17.5.8 to v18 EAP about a week ago and noticed a drop in performance and an increased RAM usage.

I do have a XG115 rev2 Appliance installed with the Software  Image and a Home Use License.

My Internet connection is 100/40.

With version 17.5.8 I was able to reach about 80 to 90 Mbit download (I already expected more from the hardware)

After the Upgrade I only reach about 50 to 60 Mbit download. There is no DPI or webfiltering activated and it doesn't matter if i activate IPS or not.

SSL/TLS Inspection is turned on but there are not any rules.

Are there any tweaking options for the software version of Sophos XG running on a HW Appliance?

Thank you!

  • In reply to SaschaParis:

    Hi, Thank you so much for this answer.


    First, if I'm wrong then please correct me.

    I also understand, as the name says, It's an Early Access Program, It can have bugs and performance issues.


    But, The problem I've encountered it's a bit different, I'm not using any IPS/Web Proxy/SSL/TLS Decrypt and somehow snort is using 100% of all my 4 cores.

    To start with it:

    I've created an Rule which allows to pass the Traffic between LAN to LAN, and on this rule I've used .

    Also there's no TLS/SSL Inspection rules being applied on it.


    Testing with Iperf3, From => (VLAN 20), I've been getting the maximum throughput of 430Mbit/s with "iperf3 -c -P 5" While Snort is using 100% of all my cores.


    My question is, what is Snort doing? I've disabled all features on the Rule, I've checked to see if there's any other rule influencing on it, also there's no SSL/TSL Inspection being used on it, and still my throughput is limited by it.


    The problem is, on v17.5.8 I've used to get line-rate throughput with this test.



  • In reply to Prism:

    What is the output of

    system application_classification show

    in your device console? If it's on, you might test setting it to off using same command but replace show by off...

    Not sure about the implication of disabling global app classification in V18, as this command bypasses snort, if no explicit IPS or application control rule is configured in the matching firewall rule. This was a good workaround to get linespeeds up to 17.5.  However - I didn't test if this also bypasses the new fast path offloading capability of V18 (will test if I find some time), but as FastPath offloading in my eyes seems not to behave as intended at this specific release, this might help temporarily speed up things until Fast Path behaves as expected.

    As you mentioned - it's early access..there is time until GA to bring things in shape, so I'm not too worried about in that early stage.

  • In reply to SaschaParis:

    That is not fair sascha. You are asking him to disable application classification which breaks other things such as qos etc while he is clearly stating that he didn't have such problems with v17.5xx 

    Probably turning off the IPS services will do the same thing as turning off classification and it will also break your dashboard that tells you the classification of different websites and other reports. Might as well run a simple iptables router at that point. Wire speed achieved.


    Edit: I see you edited your post considerably. We do agree that it is early so things can only improve from here hopefully. But I think over reliance on snort on a UTM type device is never a good thing since what they are asking snort to do usually needs dedicated appliances due to heavy cpu/ram requirements.

  • In reply to SaschaParis:


    It showed as ON, after turning off i has able to archive full LAN gigabit on it, but...


    The test I've made isn’t fully accurate since I don't have the knowledge nor the equipment to do it correctly.

    But it gives an perspective on the performance difference.


    Since I think there’s something wrong with v18 performance, I’ve decided to create two VM, one with v17.5.8, and another with v18 EAP 1 Refresh 1.

    - Both VM’s had 4 Cores and 8GB RAM (6GB Usable)

    - KVM, with virt-manager has used.

    - Host OS: CentOS.

    - Host: Ryzen 1700 / 32GB RAM.

    - Fedora 31 as the LAN VM, for the testing. With 4 Cores 8GB RAM.

    - VirtiO Driver has been used on all VM’s.


    An outlook on how it has been run:

    HOST - WAN - XG - Isolated/LAN – VM/FEDORA



    Edit: Redone some tests in a better environment, also added pictures. Also used Iperf3.



    v18 EAP 1 Refresh 1,


    IPS – GeneralPolicy – SingleThread: 320 Mbit/s

    IPS – GeneralPolicy – MultiThread: 1.28 Gbit/s





    IPS – GeneralPolicy – SingleThread: 926 Mbit/s

    IPS – GeneralPolicy – MultiThread: 2.78 Gbit/s


    I’m impressed on how much IPS single core speed has been penalized from v17.5.8 to v18, I’ve tested multiple times, but still the difference is too high.


    And as I said before this is just an simple testing, to give an perspective on the performance difference.



  • In reply to Prism:

    Could you show us your Network configuration on this appliance? 

  • In reply to LuCar Toni:

    What exactly Network configurations you want me to show, and what appliance, the VM I've made to test this, or the bare-metal?, Also what version?

    I've also redone the test I've made before in a better environment, the results are on the last post I've made.



  • In reply to LuCar Toni:


    shared all the information to investigate. You question is not very helpful!

  • In reply to Prism:

    Very insightful, Thanks.

    I too noticed slowness with v18.

    I hoped this week-end I find time to revert back to v.17.5.8.

    Because it has become a "trap" trying to keep both version, I will not try to upgrade an inactive v18 firmware anymore.

    What frustrate me utterly, is that I have lost my v17.5.8 absolutely for nothing because v18 EAP refresh 1 is a correction for a single insignificant bug.

    Again, that waste of time could have been avoided with professional communications from Sophos.

    Paul Jr

  • In reply to Prism:

  • In reply to Prism:

    That is some extensive testing and it takes a lot of time to do tests like these. You shouldn't have to show sophos hard proof, they should already have these numbers. While the rest of us are going by simple feel of our internet connection and then perform simple speed tests, you are taking testing to the next level. BRAVO and well done!

    On a side note, I did revive my vm and turned off IPS completely and XG is fairly livable without IPS. Ofcourse none of the graphs work in application categories and all the other app detection is deactivated but for a simple web-filtering firewall/av, it is fairly snappy compared to old v17 I used about a year ago.


  • In reply to Prism:

    For the single thread ...  I have read somewhere some new functions will not work on "imaginary" cores called Hyperthread.  Only on REAL cores.

    That may answer partially ...

    Paul Jr