Is it possible to get the hardware limitations removed for the home version? Or have they been removed in V18?
C'mon mate, let's imagine that Sophos has to pay salaries, develop new solutions and ideas, maintain current activities, infrastructure etc. etc. We can be glad that Sophos is allowing us home users to use their product for free with all features. Besides that, for home usage 4 cores and 6 GB is overkill. With all features on you can get 1GB/s. Look how expensive Fortigate (and other solutions) are, what they are offering etc. With Sophos you've got it for free with a great community :) appreciate it ^^ and if you want to use it commercially just support it by buying it ;)
__________SETUP___________
HP Small Form Factor: i5 4 cores, 8 GB of RAM.
Intel Network Card 5x Eth
SSD: 256 GB
I understand this logic, but there is no reason to limit hardware if it is proven that the UTM is in a home location. There are tons of other UTM packages out there that don't have hardware limitations. I don't mind paying the annual license, but to pay the annual license with a hardware restriction is weak. I guess I'll just stay on pfSense until they finally decide to remove the limitations. Thanks
The VM has 3 cores assigned with their 6 threads; the topology is correctly defined in KVM.
Without IPS, with Advanced Protection and Web filtering without breaking SSL.
2 threads at 80%
Same as before but with IPS and 3437 selected
I get this with 5 threads 95% average on download, upload is 55% average for 5 threads
Same as before but with Hyperscan,
5 threads at 60%
The IPS is a LAN WAN generic profile basically
So Hyperscan somehow worked, but upload speeds are still bad (maybe because the IPS rules are LAN-WAN).
Is there any other way to improve the performance? Maybe adding another Snort instance? What is the command exactly? "ips-instance"
Yes, mine is OFF as well. I thought it was enabled since it is in pfSense/OPNsense.
SFVH_KV01_SFOS 18.0.0 GA-Build354.HF052220.1# ethtool --show-offload PortA
Features for PortA:
rx-checksumming: on
tx-checksumming: off
tx-checksum-ipv4: off
tx-checksum-ip-generic: off [fixed]
tx-checksum-ipv6: off
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: off
tx-scatter-gather: off
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
tx-tcp-segmentation: off
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp-mangleid-segmentation: off
tx-tcp6-segmentation: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: off
tx-vlan-offload: off
ntuple-filters: off [fixed]
receive-hashing: on
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-gre-csum-segmentation: off [fixed]
tx-ipxip4-segmentation: off [fixed]
tx-ipxip6-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-udp_tnl-csum-segmentation: off [fixed]
tx-gso-partial: off [fixed]
tx-sctp-segmentation: off [fixed]
tx-esp-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]
rx-udp_tunnel-port-offload: off [fixed]
That upload limit while using IPS is very strange.
Nice to see there is a noticeable change from ac-bfna to Hyperscan on your setup.
The command to add more Snort instances is "set ips ips-instance add IPS cpu <core>"
Another thing, what AMD CPU are you using right now with KVM? For better performance (if you are using Proxmox or straight KVM with QEMU) leave it as 6 sockets instead of 3 cores and 6 threads.
Also, can you do the same speed test but with "generalpolicy" as the IPS Rule?
Thanks!
If a post solves your question use the 'Verify Answer' button.
Ryzen 5600U + I226-V (KVM) v20 GA @ Home
XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
I don't have "generalpolicy" (maybe I have deleted it), but I have tried with "LAN to WAN" (one of the default policies) and the result is the same.
I use KVM QEMU 4.2 with Unraid, this section of the config file reflects my CPU configuration
<?xml version='1.0' encoding='UTF-8'?>
<domain type='kvm' id='1'>
<name>SophosXG</name>
<uuid>de38a98d-bd8d-cc02-7277-5d4995ab29f3</uuid>
<metadata>
<vmtemplate xmlns="unraid" name="Linux" icon="linux.png" os="linux"/>
</metadata>
<memory unit='KiB'>6291456</memory>
<currentMemory unit='KiB'>6291456</currentMemory>
<memoryBacking>
<nosharepages/>
</memoryBacking>
<vcpu placement='static'>6</vcpu>
<cputune>
<vcpupin vcpu='0' cpuset='0'/>
<vcpupin vcpu='1' cpuset='4'/>
<vcpupin vcpu='2' cpuset='1'/>
<vcpupin vcpu='3' cpuset='5'/>
<vcpupin vcpu='4' cpuset='2'/>
<vcpupin vcpu='5' cpuset='6'/>
</cputune>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
</os>
<features>
<acpi/>
<apic/>
</features>
<cpu mode='host-passthrough' check='none'>
<topology sockets='1' cores='3' threads='2'/>
<cache mode='passthrough'/>
<feature policy='require' name='topoext'/>
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup'/>
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
Are the settings that are changed via console kept in a backup?
l0rdraiden said: <topology sockets='1' cores='3' threads='2'/>
<cpu mode="host-passthrough">
<topology sockets="8" cores="1" threads="1"/>
</cpu>
That's my current settings for CPU on one of my XG VM's.
Thanks!
If a post solves your question use the 'Verify Answer' button.
Ryzen 5600U + I226-V (KVM) v20 GA @ Home
XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
I had it like you before, but since I changed the topology "to the real one" I get more performance.
I think the Sophos limitation to 4 cores applies to threads, so you are limited to 4 threads. If you define the topology correctly, you can use the 4 cores with their 8 threads.
Just try a speed test on that machine to see if it uses more than 4 or 5 threads.
l0rdraiden said: Do you know the commands to enable all the offloading so it's processed on the NIC?
Yes, but please don't do this; all offloading is already disabled by the Sophos developers themselves for a reason, and enabling it will only cause issues for you.
Primarily, for Snort with netmap to work correctly, all NIC offloading needs to be disabled, and of course there can be more software inside XG that also needs it to be disabled.
Even if you enable all offloading, on a reboot all your changes will be overwritten.
Remember, XG is a firewall, not a router, so there isn't much use for NIC offloading since you want to inspect the packets.
Thanks!
If a post solves your question use the 'Verify Answer' button.
Ryzen 5600U + I226-V (KVM) v20 GA @ Home
XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
Hi,
just to add some more confusion: :)
SFVH_SO01_SFOS 18.0.1 MR-1.HF050520.2# ethtool --show-offload Port1
Features for Port1:
rx-checksumming: on [fixed]
tx-checksumming: on
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: on
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: on
tx-scatter-gather: on
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
tx-tcp-segmentation: on
tx-tcp-ecn-segmentation: on
tx-tcp-mangleid-segmentation: off
tx-tcp6-segmentation: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: off [fixed]
tx-vlan-offload: off [fixed]
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: on [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-gre-csum-segmentation: off [fixed]
tx-ipxip4-segmentation: off [fixed]
tx-ipxip6-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-udp_tnl-csum-segmentation: off [fixed]
tx-gso-partial: off [fixed]
tx-sctp-segmentation: off [fixed]
tx-esp-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]
rx-udp_tunnel-port-offload: off [fixed]
I'm using virtio on Proxmox KVM, no passthrough devices.
Best Regards
Dom
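To check a port's offload state the way the thread does, here is an added example (not from the thread or from Sophos) that parses `ethtool --show-offload` output and lists the offloads that would interfere with Snort/netmap inspection; the set of flagged features is my assumption, and the sample is constructed from an abbreviated version of Dom's Port1 output above.

```python
"""Parse `ethtool --show-offload <port>` output and report which NIC
offloads are active. Added example (not from the thread or Sophos);
the sample output is constructed from lines posted in the thread."""
import re

# Assumed set of offloads that change what an inline inspection engine
# (Snort on netmap) sees: the NIC coalesces or segments packets, or
# defers checksums, so packets no longer look like they do on the wire.
INSPECTION_SENSITIVE = {
    "tx-checksumming", "scatter-gather", "tcp-segmentation-offload",
    "generic-segmentation-offload", "generic-receive-offload",
    "large-receive-offload",
}

# One ethtool line: "<feature>: on|off [fixed]" (sub-features are indented)
LINE_RE = re.compile(r"^\s*([\w\-]+):\s+(on|off)(\s+\[fixed\])?\s*$")

def parse_show_offload(text):
    """Return {feature: (enabled, fixed)} from ethtool --show-offload output."""
    features = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, state, fixed = m.groups()
            features[name] = (state == "on", fixed is not None)
    return features

def audit_offloads(features, sensitive=INSPECTION_SENSITIVE):
    """Split enabled inspection-sensitive offloads into those the driver
    still lets an admin change and those it reports as [fixed]."""
    tunable = sorted(f for f in sensitive
                     if features.get(f, (False, False)) == (True, False))
    fixed_on = sorted(f for f in sensitive
                      if features.get(f, (False, False)) == (True, True))
    return tunable, fixed_on

# Constructed sample: abbreviated from the virtio Port1 output in the thread.
SAMPLE = """Features for Port1:
rx-checksumming: on [fixed]
tx-checksumming: on
  tx-checksum-ip-generic: on
scatter-gather: on
  tx-scatter-gather: on
tcp-segmentation-offload: on
  tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]
"""

if __name__ == "__main__":
    tunable, fixed_on = audit_offloads(parse_show_offload(SAMPLE))
    print("enabled and tunable:", tunable)
    print("enabled but fixed:  ", fixed_on)
```

On the virtio sample the tunable list is non-empty, which matches the thread's observation that the VM build leaves offloads on that the hardware image has off.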
One thing:
Is fastpath enabled and working? You can see if it is by executing "system firewall-acceleration show" on the console.
I believe there's no support for it with the virtio driver.
Thanks!
If a post solves your question use the 'Verify Answer' button.
Ryzen 5600U + I226-V (KVM) v20 GA @ Home
XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
My network card is passed through to the VM, so maybe these are disabled by default because the KVM image is intended to run virtualized.
It would be interesting to see what "ethtool --show-offload Port1" looks like on an enterprise hardware model of Sophos XG; can anyone post it?
console> system firewall-acceleration show
Firewall Acceleration is Disabled. Fastpath Unload Failed.
This topic was recently discussed here: community.sophos.com/.../questions-about-the-fastpath-feature
FW accel and Fastpath should be disabled for not-ESX hypervisors, see here: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Architecture.html
Any news about increasing the CPU or RAM limit? CPU is particularly a problem in virtualized environments.
Can something be done in this regard?
Hi,
in virtual environments you need to lock CPU and memory resources to the XG, otherwise you end up with strange performance issues.
Ian
XG115W - v20 GA - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
Hi,
it really depends on how much slower the CPU is, say compared to a 4 core Celeron or Atom?
How much degradation in throughput are you seeing and what is causing the degradation?
ian
XG115W - v20 GA - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
I can't compare against a non-virtualized environment, but I know the hardware that some Sophos XG appliances have, and the cores of my CPU should be much more powerful despite being virtualized.
www.amd.com/.../amd-ryzen-5-2400g
At least I can tell you that the overhead per core due to virtualization is around 10% in my case, comparing htop on the host and in the VM.
NICs are passed through and everything from a KVM perspective (CPU, storage in raw format) is optimized to increase performance.
I have assigned 6 GB DDR4 at 3000MHz
NVMe Samsung 970 Evo dedicated