New Sophos Support Phone Numbers in Effect July 1st, 2023

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall - extremely poor bandwidth when DoS enabled


I just set up a new Sophos Firewall on my Dell XPS tower (testing). It was all working nice, I was getting about 230 Mbps bandwidth from Then I enabled DoS from Intrusion Prevention --> DoS & spoof protection [tab] --> DoS settings. I clicked the checkbox for SYN flood, UDP flood, TCP flood, and ICMP/ICMPv6 flood. Then my bandwidth went to crap. The max download speeds I get are ~9 Mbps. Ammm.... I missing something? I even tried setting my WAN port to 1000 Mbps - Full Duplex. Advanced Threat Protection is also disabled.

I'm using firmware SFOS 18.5.1 MR-1-Build326 (updated from the initial build I downloaded (SFOS 18.0.5 MR-5-Build586).

I found this page but it's a little outdated so the instructions aren't the same as my GUI, plus the discussion has been locked:

This thread was automatically locked due to age.
  • Thanks for the reply LuCar Toni. Unfortunately a lot of that didn't make sense to me, and kind of left me a little more confused. I guess I just assumed I could turn the feature on and it would have some kind of basic defaults that would at least do the bare minimum (kind of like enabling the IPS feature and using the predefined "WAN to LAN" option).

    I did manage to enable DoS and still have good internet traffic, but I had to uncheck "UDP flood", so now I only have "SYN flood" and "ICMP/ICMPv6 flood" checked.

  • Hi,

    for normal LAN activities you should be using LAN to WAN setting.


    XG115W - v19.5.2 mr-2 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • I did read that on the Help page. When we put the production Sophos in place at the data center where there are only servers behind it, I would use WAN to LAN though, correct? That's what I gathered from the verbiage.

  • Depends on if the servers are internet facing or not. Also they are generic policies, I would suggest you create your own with less settings fine tuned to you server type and activities. Interestingly about all that will do is reduce your memory usage.

    you would actually need both to cover the servers outgoing update type requests.


    XG115W - v19.5.2 mr-2 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • There's only about 10 of the servers with a 1:1 NAT entry and some firewall rules allowing from public. Looks like I have some research to do. Thanks for the info!

  • Very touchy area and takes a lot of fine tuning. Unless have the time don't use. Also why I use more than one firewall.....

  • Well, we got a quote from our ISP for them to do DoS for us -- even though we originally went with the Sophos because it boasted DoS capabilities --- $3200 a month they want. Does anyone know if this is normal? That sounds expensive to me. Also, does anyone know what layer of DoS the Sophos provides? I never got a reply on this thread. Additionally, when setting up this Sophos, the person helping deploy it said I should have checked the "Apply Flag" checkboxes under the DESTINATION section, not SOURCE (in my original screenshot of my test DoS settings). Thoughts?

  • I cannot comment on the pricing, i can only reference to the points, i already made in other subjects. DDOS attackes, which are caused by "Load" are hard to protect on a device level. 

    So if the provider is giving you a actual prevention of "to many packets will arrive your interface" thats a true DDOS prevention. Because the provider is the only part in this segment, which actually can deal with dynamic routing and multiple backend systems such attacks. 

    If a attack launches multiple zombies to flood your interface, the firewall cannot stop this at all. 

    So no matter what you do on the firewall level, a true attack on you as a company in case of "load" is not be able to stop on a firewall protect. It will overload the interface stack, which cannot deal with this at all. See bigger companies getting floaded by DDOS. 

    The question is: Did you already receive such a attack? What was the impact and the lost of your company. Did you had a recovery plan for this? (Second WAN to offload to other WAN ports etc.). 

    I would recommend to check your options and how likely such a attack is to happen and what this will eventually cost, if you WAN is down for 1 hour, 8 hours etc. Because likely bot nets are not there "forever". So a DDOS Attack will not occur for weeks. 

    And as a last part: SD-WAN in SFOS will be improved by latency and other techniques, which could actually see such attacks to happen on your main WAN Port and automatically failover to other WAN ports, which are not publicly known. So if you have a cheap backup WAN, which does not offer services, likely, this WAN interface is not known for the attack and could be used while they flood your primary interface.