
Hardware Limitations In Home version

Is it possible to get the hardware limitations removed for the home version?  Or have they been removed in V18?



  • C'mon mate, let's imagine that Sophos has to pay salaries, develop new solutions and ideas, maintain current activities, infrastructure, etc. We can be glad that Sophos is allowing us home users to use their product for free with all features. Besides that, for home usage 4 cores and 6 GB is overkill. With all features on you can gain 1GB/s. Look how expensive Fortigate (and other solutions) are, what they are offering, etc. With Sophos you've got it for free with a great community :) appreciate it ^^ and if you wanna use it for commercial just support it - buying it ;)

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • I understand this logic, but there is no reason to limit hardware if it is proven that the UTM is in a home location. There are tons of other UTM packages out there that don't have hardware limitations. I don't mind paying the annual license, but to pay the annual license with a hardware restriction is weak. I guess I'll just stay on pfSense until they finally decide to remove the limitations. Thanks

  • I have them locked to 4 and 6GB, but you still lose performance due to virtualization, and CPUs for virtualization have many cores and usually run at lower frequencies.

  • Hi,

    It really depends on how much slower the CPU is compared to, say, a 4-core Celeron or Atom.

    How much degradation in throughput are you seeing, and what is causing the degradation?

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I can't compare vs a non-virtualized environment, but I know the HW that some Sophos XG appliances have, and the cores of my CPU should be much more powerful despite being virtualized.

    www.amd.com/.../amd-ryzen-5-2400g

    At least I can tell you that the overhead per core due to virtualization is around 10% in my case, comparing htop on the host and on the VM.

    NICs are passthrough and everything from a KVM perspective (CPU, storage in raw format) is optimized to increase performance.

    I have assigned 6GB DDR4 at 3000MHz

    NVME samsung evo 970 dedicated

  • Be honest here, what kind of performance are you expecting on your 2400G? And what throughput do you have right now?


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • I have 600 Mbps symmetric

    If I enable IPS and APPs, it depends, but download is around 300 and upload 170 or so.

    The thing is that even with a light configuration CPU cores reach 100%. My area will move soon to 1Gbps, so probably I will have problems. I can get a better CPU but that won't help a lot, since more than 4 cores can't be assigned and my CPU can reach 3.8GHz boost, so it is a lot more compared with Atoms and Celerons, which are usually around 2.5GHz.

    I know that part of the issue is Snort, but Snort will move soon to Snort 3 and will work much better with multicore, like Suricata. Another thing is how many years it will take Sophos to implement Snort 3 once released.

    RAM is usually around 4GB.

  • I can't see how you're hitting 100% CPU - I was running Sophos XG on a Dell Optiplex 3010 with i5-3470, HP 2x port 1Gb card, and the machine had 8GB RAM, 128GB SSD; the CPU with the 500/35 VM Connection here never went above 18%. That was running v18 with IPS, DPI, Web policies, Application policies.

    Something is either wrong with your configuration, or the AMD processors just can't and don't perform well - I've seen issues in the past with pfSense and AMD - hence the reason I'm suggesting this as a possibility.

    Tim Grantham

    Enterprise Architect & Business owner

  • The thing is that even with a light configuration CPU cores reach 100%.

    I'll be honest with you, I gave up running Zen 1 Ryzen with Sophos XG. I've had a Ryzen 1700 running KVM, gave it 4 vCores and 6GB RAM, and on v18 I couldn't get more than 32MiB/s over a single connection and core; if I enabled TLS Decryption that thing would become unreasonably slow. Same thing happened with a Zen 1+ 2200G, but with software installation.

    I went back to a G5400, and I could max out a 1G link over a single core/connection, even with some imix traffic - I would still reach 1GB with NGFW Traffic (IPS+ATP+AppCtrl), and with TLS Decryption the throughput was around 62MiB/s with imix traffic.

    Now I'm running with a (temporary) Ryzen 3300x (Zen 2) and I'm not facing any of the throughput issues I had before with Zen 1. Here's a picture showing the CPU usage on a 1Gbit link HTTP speedtest with IPS+ATP+AppCtrl and AV.

    TL;DR: Don't use Zen 1 and Zen 1+ Ryzen CPUs with Sophos XG; if you can, stick with Intel.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Thanks a lot for your input regarding Zen 1, is your 3300x running Sophos virtualized?

    This is the Sophos VM on idle

    This is the Sophos VM on load, 600 Mbps but no security attached (IPS, APPS, etc.), just plain firewall.

  • is your 3300x running Sophos virtualized?

    I've used it on KVM for a week, but didn't see any performance slowness on it virtualized.

    It's now running XG on bare-metal with the software installation - since there's no need to virtualize anymore. Also looking at the monthly CPU usage, it looks like running a 3300x on XG Home is a waste of money, lol.

    But hey, I got it for free, so I'll probably keep using it :)

    Also, on your KVM/QEMU setup, what CPU model are you using? QEMU64, or KVM64, EPYC? Or are you doing a host-passthrough?

    On QEMU it's recommended whenever possible to use "host-passthrough"; if you use QEMU64/KVM64 as the CPU model, or any other one, you will see an even worse performance on it.

    The only problem with using host-passthrough is with live migration, but since you're a home user you shouldn't have to worry about it.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Yes, I use host passthrough for CPU

    Right now I only have 3 cores exclusive for Sophos, the other one is for dockers, but I have had 4 cores and performance was a bit better but not much.

      <os>
        <type arch='x86_64' machine='pc-q35-5.0'>hvm</type>
      </os>
      <features>
        <acpi/>
        <apic/>
      </features>
      <cpu mode='host-passthrough' check='none'>
        <topology sockets='1' dies='1' cores='3' threads='2'/>
        <cache mode='passthrough'/>
        <feature policy='require' name='topoext'/>
      </cpu>


    Maybe there is something wrong with Ryzen 1 and KVM or Ryzen 1 and Sophos. I have a 3900X that I use in my main computer; this is supposed to replace the 2400G the day I buy a new one, but that day is not close. I guess I will have to suffer the 2400G

  • Please correct me if I'm wrong, but from your config it seems that you have allocated 1 socket, 3 cores and 2 threads per core. This would mean that the VM has 6 vCPUs.

    My suggestion would be to try 3 or 4 cores with 1 thread per core.

    Besides that my config after some throughput testing now is 4 cores with 1 thread = 4 vCPUs on a i7-7500U (2 cores with HT) but with 3 ips instances.

    Two other ideas:

    - Try the software image (I use this) instead of the KVM image.

    - Try another search-mode for the IPS
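
The vCPU arithmetic discussed in the post above, as an added example that is not part of the original thread: it parses a libvirt `<cpu>` element and multiplies out the topology. The `<domain>` wrapper, the function name `summarize_cpu` and the use of the thread's 4-core figure as `HOME_CORE_LIMIT` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <cpu> element quoted in the thread, wrapped in a
# <domain> root so that it parses as a single document.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <cpu mode='host-passthrough' check='none'>
    <topology sockets='1' dies='1' cores='3' threads='2'/>
    <cache mode='passthrough'/>
    <feature policy='require' name='topoext'/>
  </cpu>
</domain>
"""

HOME_CORE_LIMIT = 4  # assumption: the 4-core figure mentioned in the thread


def summarize_cpu(domain_xml, core_limit=HOME_CORE_LIMIT):
    """Return guest core and vCPU counts derived from <cpu><topology>."""
    cpu = ET.fromstring(domain_xml).find("cpu")
    if cpu is None:
        raise ValueError("no <cpu> element in domain XML")
    topo = cpu.find("topology")
    if topo is None:
        raise ValueError("no explicit <topology>; nothing to multiply out")
    # Attributes missing from <topology> (for example 'dies') count as 1 here.
    sockets, dies, cores, threads = (
        int(topo.get(name, "1"))
        for name in ("sockets", "dies", "cores", "threads")
    )
    guest_cores = sockets * dies * cores
    vcpus = guest_cores * threads  # what the guest sees as logical CPUs
    return {
        "mode": cpu.get("mode"),
        "guest_cores": guest_cores,
        "vcpus": vcpus,
        "cores_over_limit": guest_cores > core_limit,
        "vcpus_over_limit": vcpus > core_limit,
    }


if __name__ == "__main__":
    for key, value in summarize_cpu(SAMPLE_DOMAIN_XML).items():
        print(f"{key}: {value}")
```
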

  • I have a 4 cores 8 threads CPU

    I get better performance if I assign 3 cores with their 2 threads each, because I can't assign cores in KVM; I can assign virtual cores with that topology, so if I use 4 cores (virtual cores) and 1 thread per core I am really using 2 cores (4 threads). So if you do it like I do it you can use 4 cores with 8 threads in a virtualized environment and Sophos XG will accept them.

    I have tried different combinations in the past and this gave me better performance; the last thing I can try is to assign 4 cores (threads) where each thread belongs to a different core.

    I have tried the KVM image and the software image, same result; right now I have the software image.

     

    This is my IPS config

  • For the IPS settings, can you change your search-method to hyperscan? It's much better than ac-bnfa.

    "set ips search-method hyperscan"

    Seriously, on my 3300x with ac-bnfa, IPS over a single connection/core tops out at 800Mbit/s; on a 10G card I can push 2.6Gbit/s, again over a single core/connection.

    But it won't matter that much in your setup, because even on idle loads your CPU usage is too high.

    Also, did you already try running XG on ESXi on your 2400G? If I recall correctly, the performance on ESXi with Zen 1 was better than KVM.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall