Sophos Firewall - extremely poor bandwidth when DoS enabled


I just set up a new Sophos Firewall on my Dell XPS tower (testing). It was all working nice, I was getting about 230 Mbps bandwidth from Then I enabled DoS from Intrusion Prevention --> DoS & spoof protection [tab] --> DoS settings. I clicked the checkbox for SYN flood, UDP flood, TCP flood, and ICMP/ICMPv6 flood. Then my bandwidth went to crap. The max download speeds I get are ~9 Mbps. Ammm.... I missing something? I even tried setting my WAN port to 1000 Mbps - Full Duplex. Advanced Threat Protection is also disabled.

I'm using firmware SFOS 18.5.1 MR-1-Build326 (updated from the initial build I downloaded, SFOS 18.0.5 MR-5-Build586).

I found this page but it's a little outdated so the instructions aren't the same as my GUI, plus the discussion has been locked:

Edited TAGs
[edited by: emmosophos at 6:37 PM (GMT -7) on 23 Aug 2021]
  • Why do you want to enable DOS in the first place? 

    Personally I am not a fan of these settings. Most OS (if not all) can handle such attacks easily in the stacks. Nobody is attacking you with flood attacks nowadays (from a single client). They launch their botnet and therefore the flood protection cannot stop them. 

    I am expecting no benefits of DOS protection on a single client level on a firewall nowadays. The reason is, if they want to bring you down, they are doing this anyway. A client on WAN can do this with these settings or without. They pump the connection with packets, which the firewall cannot stop as the packets are incoming. 


  • Thanks for your input, @Lucar Toni. The answer is because a potential client, a very well known global name brand, has provided us with a vendor assessment questionnaire... a very looooong and detailed questionnaire. One of the questions was "Does your organization utilize a product or service to prevent DoS/DDoS attacks?". We answered no, because we do not.

    Months prior to this questionnaire, we were offered (solicited) a firewall upgrade from our hosted data center but declined. After the questionnaire, I remembered some of the features the Sophos firewall boasted, so we went back to the data center and opted in for it. You mentioned "a single client" twice -- are you referring to my computer? I know no one is attacking me, being one lone anonymous 'puter user on a residential IP. Not sure if you read the part where I'm just testing this out so I'm familiar with the configuration/GUI when we deploy this at our data center with 25+ servers behind the Sophos.

    So are you saying the DoS stuff is useless / fruitless? Do other successful businesses not use DoS services anymore, or do they use a dedicated service/appliance just for DoS? Is this DoS feature on the Sophos firewall just so it can be listed as another feature, making the feature list longer and more appealing, when in fact it is just there for looks? Is it about as useful as the WINS section in my DHCP configuration? Please excuse my ignorance, I just don't know enough about it and I'm confused by your answer basically asking me why I want to use a listed feature on the firewall in the first place.

    More reasons I'm using the Sophos firewall are the boasted IPS and WAF features -- two more questions that were in the vendor assessment questionnaire we had to say "no" to. We are also planning on having ~12 servers with Sophos Central Intercept X Advanced for Server with EDR "talking" to the Sophos Firewall, and also utilizing the VPN feature with about ~25 clients connected daily. I am hoping the Sophos Firewall can handle this...

  • Check for the current state of attacks. DOS and DDOS are different things. DOS is most likely to attack a service to kill it / shut it down, by using vulnerabilities (like a known bug in the TCP/IP stack etc.). DDOS is most likely the same kind of approach, just from different clients at the same time. DDOS is likely to be known by botnets, which attack a machine and bring it down by using the pure power of load to the system. But DOS is more likely sending "one packet, which kills the service". You can read about the differences on Wikipedia:

    Now let's look at those approaches: The XG (or any kind of firewall product) could start to protect against DDOS. But the load will come to the firewall anyway. Think about 1000 clients, bombing you with requests at the same time. The firewall can start to block them, but they still arrive on the interface. 

    Most customers of bigger or smaller scale use the ISP to protect against such DDOS attacks, because the ISP on their backbone can actually detect and stop such requests in a quicker way. You may have heard about services getting bombed by those attacks that cannot keep the service up. This is because it is very complicated to protect against such botnet attacks. 

    The DOS protection against a single host works as expected but such attacks are rare and not viable for an attacker. They know most products block this anyway, and they know they can maybe not generate enough traffic to bring the service down. Therefore they rent cheap botnets for some hours and bomb those ISP connections. 

    The firewall with IPS and other techniques is fighting the other DOS techniques you find on Wikipedia. Just the load part is hard to deal with. You can configure DOS, but my point is, it is hard to find the correct number you have to use while not interfering with your workload. That is one reason most customers actually do not use this kind of protection anymore. See Wikipedia as well on the blocking part. 


  • Maybe just another addition: Most customers should know their expected numbers for DDOS protection. But they likely have no real insights, which makes this option hard to deal with. If you experience issues with the predefined numbers, increase them until you do not see any issues anymore and get the approval from the customer. 


  • Thanks for the reply LuCar Toni. Unfortunately a lot of that didn't make sense to me, and kind of left me a little more confused. I guess I just assumed I could turn the feature on and it would have some kind of basic defaults that would at least do the bare minimum (kind of like enabling the IPS feature and using the predefined "WAN to LAN" option).

    I did manage to enable DoS and still have good internet traffic, but I had to uncheck "UDP flood", so now I only have "SYN flood" and "ICMP/ICMPv6 flood" checked.
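
An added example, not part of the thread: one way to get the "expected numbers" discussed above is to measure the peak per-source packet rate of legitimate traffic and set flood thresholds above it. The flow records are constructed, the 1500-byte packet size and 2x headroom are assumptions, and rates are plain packets per second rather than any firewall's own units.

```python
import math
from collections import defaultdict

# Constructed sample: (second, source IP, protocol, packets seen).
# Addresses come from documentation ranges; the counts are illustrative.
SAMPLE = [
    (0, "198.51.100.10", "udp", 4200),
    (0, "198.51.100.10", "udp", 3800),   # same source and second: summed
    (0, "203.0.113.7",   "tcp", 15000),
    (1, "198.51.100.10", "udp", 9500),
    (1, "203.0.113.7",   "tcp", 19200),
    (1, "203.0.113.9",   "icmp", 4),
    (2, "203.0.113.7",   "tcp", 18900),
    (2, "203.0.113.9",   "icmp", 6),
]

def peak_per_source_pps(records):
    """Highest packets/second reached by any single source, per protocol."""
    buckets = defaultdict(int)
    for second, src, proto, packets in records:
        buckets[(proto, src, second)] += packets
    peaks = defaultdict(int)
    for (proto, _src, _second), pps in buckets.items():
        peaks[proto] = max(peaks[proto], pps)
    return dict(peaks)

def suggest_thresholds(peaks, headroom=2.0):
    """Per-source threshold = observed legitimate peak times a safety margin."""
    return {proto: math.ceil(pps * headroom) for proto, pps in peaks.items()}

def pps_for_rate(mbps, packet_bytes=1500):
    """Packets/second one flow needs to sustain a given bandwidth."""
    return math.ceil(mbps * 1_000_000 / (packet_bytes * 8))

def rate_cap_mbps(pps_limit, packet_bytes=1500):
    """Bandwidth ceiling a per-source packet limit imposes on one flow."""
    return pps_limit * packet_bytes * 8 / 1_000_000

if __name__ == "__main__":
    peaks = peak_per_source_pps(SAMPLE)
    print("observed peaks:", peaks)
    print("suggested thresholds:", suggest_thresholds(peaks))
    # The 230 Mbps download from the first post, at full-size packets:
    print("pps needed for 230 Mbps:", pps_for_rate(230))
    # A per-source limit far below that rate caps the download:
    print("cap at 750 pps:", rate_cap_mbps(750), "Mbps")
```

A threshold below the packet rate of a single legitimate download throttles that download, which is why the limits should be derived from measured peaks rather than left at values that were never compared against real traffic.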

  • Hi,

    For normal LAN activities you should be using the LAN to WAN setting.


    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • I did read that on the Help page. When we put the production Sophos in place at the data center where there are only servers behind it, I would use WAN to LAN though, correct? That's what I gathered from the verbiage.

  • Depends on if the servers are internet facing or not. Also they are generic policies, I would suggest you create your own with fewer settings, fine-tuned to your server type and activities. Interestingly about all that will do is reduce your memory usage.

    You would actually need both to cover the servers' outgoing update type requests.


  • There's only about 10 of the servers with a 1:1 NAT entry and some firewall rules allowing from public. Looks like I have some research to do. Thanks for the info!
