Sophos Firewall - extremely poor bandwidth when DoS enabled


I just set up a new Sophos Firewall on my Dell XPS tower (testing). It was all working nice, I was getting about 230 Mbps bandwidth from Then I enabled DoS from Intrusion Prevention --> DoS & spoof protection [tab] --> DoS settings. I clicked the checkbox for SYN flood, UDP flood, TCP flood, and ICMP/ICMPv6 flood. Then my bandwidth went to crap. The max download speeds I get are ~9 Mbps. Ammm.... I missing something? I even tried setting my WAN port to 1000 Mbps - Full Duplex. Advanced Threat Protection is also disabled.

I'm using firmware SFOS 18.5.1 MR-1-Build326 (updated from the initial build I downloaded (SFOS 18.0.5 MR-5-Build586).

I found this page but it's a little outdated so the instructions aren't the same as my GUI, plus the discussion has been locked:

Edited TAGs
[edited by: emmosophos at 6:37 PM (GMT -7) on 23 Aug 2021]
  • Thanks for the reply LuCar Toni. Unfortunately a lot of that didn't make sense to me, and kind of left me a little more confused. I guess I just assumed I could turn the feature on and it would have some kind of basic defaults that would at least do the bare minimum (kind of like enabling the IPS feature and using the predefined "WAN to LAN" option).

    I did manage to enable DoS and still have good internet traffic, but I had to uncheck "UDP flood", so now I only have "SYN flood" and "ICMP/ICMPv6 flood" checked.

  • Hi,

    for normal LAN activities you should be using LAN to WAN setting.


    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • I did read that on the Help page. When we put the production Sophos in place at the data center where there are only servers behind it, I would use WAN to LAN though, correct? That's what I gathered from the verbiage.

  • Depends on if the servers are internet facing or not. Also they are generic policies, I would suggest you create your own with less settings fine tuned to you server type and activities. Interestingly about all that will do is reduce your memory usage.

    you would actually need both to cover the servers outgoing update type requests.


    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • There's only about 10 of the servers with a 1:1 NAT entry and some firewall rules allowing from public. Looks like I have some research to do. Thanks for the info!

  • Very touchy area and takes a lot of fine tuning. Unless have the time don't use. Also why I use more than one firewall.....