Sophos XG 105: hardware ISO performs betters than software ISO with home license on XG hardware? Is sophos limiting speeds when using home licenses on Sophos hardware?

Question

Dear community, 
 I am testdriving a XG105 that I got from a friend who works at an IT company to test out the performance. I currently have a 200/200 fiber internet connection. 
 After installing the hardware ISO (HW-17.5.1_MR-1-347) and running the installation wizard, I got a speed result of 160Mbps with all protections enabled in the wizard. 
 However: after installing the software ISO (SW-17.1.4_MR-4-254) with a Home license and running the installation wizard with exactly the same protections enabled, I got a speed result of 30 Mbps . 
 How is this possible? 
 Has Sophos limited the speed of XG home installations on Sophos XG hardware? 
 (I remember that on an older UTM120 device there was NO speed difference between software and hardware installations of UTM and XG.) 
 
 [*-)]

SaschaParis · Answer

For a old P4 your system is performing quite well with 400Mb/s in my eyes. Most likely there isn't too much to tweak under the hood here. HW acceleration isn't available due missing AES-NI / Intel Quick Assist support in the P4. 
 
 You might check the number of started IPS (snort) instances, but I'd expect already 2 instances (and your P4 to be a dual core with or without HT). So I personally would'nt expect too much more throughput for that hardware by further fiddling around in the base settings. 
 
 /Sascha

Panagiotis Vakerlis · Answer

Depends solely on the hardware. On a test server (2x Xeon, 32gb RAM, SAS drives) I got with Home license the throughtput is dead on 200/200 as the line is. 
 Probably the Software ISO doesn't fully utilise the hardware on the XG and that's the reason there's a hardware ISO and a software ISO. If the hardware ISO works well, stick to it.

SaschaParis · Answer

Ok, let's put this right. It's just the opposite way. Sophos does not artifically slow down Softwareversions of the XG (why should they ???), but they do highly optimize the hardwareimages to the according appliances based on their specs (Mem, CPU cores etc.). 
 There are lot of settings under the hood that affects performance and memory usage. Some of the noteworthy are surely the IPS settings for snort. 
 While the hardware images have specially tested and optimized settings as for the search method (hyperscan, ac-bnfa etc.) and also other tweaks in place, the software image is quite generic and has to run on a wide variety of possible hardwares the customers might have. So for example the IPS settings should fit well for a midsized or high-end hardware, but might not too run well untweaked on a low end hardware as a 105 is. 
 You find most of such settings in the CLI guide, there's also a section for ips 
 http://docs.sophos.com/nsg/sophos-firewall/v17.0.5/PDF/SF%20OS%20Command%20Reference%20Guide.pdf 
 
 If I compare a software installation running on a old UTM120 (Dual Core / 2GB Mem) hardware with a native XG125 (Dual Core / 4 GB Mem) is see for example: 
 
 XG125 native Hardware console> show ips_conf config stream 1 config maxsesbytes 0 config stdsig 1 config qnum 10 config disable_tcpopt_experimental_drops 0 config enable_appsignatures 1 config mmap 0 config mmapfilepath 1 config memmode 0 config failclose off config maxpkts 8 var SEARCH_METHOD hyperscan var SIP_STATUS enabled var IGNORE_CALL_CHANNEL enabled var TCP_POLICY windows var DETECT_ANOMALIES no var TCP_BLOCK nblock var LOCAL_RULE local.rules config cpulist 0:1 ips-settings ips_conf console> show ips-settings -------------IPS Settings------------- stream on lowmem off maxsesbytes 0 maxpkts 8 mmap off enable_appsignatures on mmapfilepath var http_response_scan_limit 65535 search_method hyperscan sip_preproc enabled sip_ignore_call_channel enabled -------------IPS Instances------------ IPS CPU 1 0 2 1 UTM120 Appliance running Software SFOS console> show ips_conf config stream 1 config maxsesbytes 0 config stdsig 1 config qnum 10 config disable_tcpopt_experimental_drops 0 config enable_appsignatures 1 config mmap 0 config memmode 0 config failclose off config maxpkts 8 config cpulist 0:1 var SIP_STATUS enabled var IGNORE_CALL_CHANNEL enabled var SEARCH_METHOD ac-bnfa var TCP_POLICY windows var LOCAL_RULE local.rules var DETECT_ANOMALIES no var TCP_BLOCK nblock console> show ips-settings -------------IPS Settings------------- stream on lowmem off maxsesbytes 0 maxpkts 8 mmap off enable_appsignatures on http_response_scan_limit 65535 search_method ac-bnfa sip_preproc enabled sip_ignore_call_channel enabled -------------IPS Instances------------ IPS CPU 1 0 2 1 
 So there's surely place to fiddle within your ips and other base settings to get most out of you hardware. You can try to figure out the default settings of a native XG105 and apply them to your software installation too. Also this "hyperscan" setting on appliances with CPU's supporting Quickassist from Intel might be noteworthy to test. AFAIK the XG105 CPU doesn't support Quickassist (not sure about that...), but check what the native hardwareimage has in use per default. 
 Or if hardware acceleration is in use (if available from CPU) 
 console> system hardware_acceleration status Configuration status = enabled Number of HW acceleration cards = 1 Drivers loaded = Yes 
 Besides of those base settings also check for common troublemakers as activated DoS protection and other things that incidentially might slow you down. 
 
 Hope this helps. Please give feedback once you found the bottleneck in your SW instalation.