Slow/Freezing SMB Traffic over Sophos XG Gateway Opening

Hello,

Since adding the Sophos XG as man in the middle / gateway to our network, we have speed issues more or less, especially over SMB.

At the moment the XG is connected over a 1 Gig port to the main switch; the main switch has sub-switches, and the servers are also connected at the main switch. (Switches are also 1 Gig and have at least 2-4 up/down to the other switch.)

Our network is separated into VLANs for clients and servers, about 50-70 clients, and the diagnostics graphs on the Sophos XG look low?

While copying files over SMB I get about 100 mb/s, so I think this is fine, even if I notice freezes from time to time, and this was worst about half a year ago; the speed was then for a longer time at 20 mb/s or less and froze, but I can't say for sure, I was copying multiple files then. (Lots of users open 2D CAD files, and the opening speed over the network is much slower.) I did see this on multiple PCs over time.

So I now did some testing with a ZIP file on our SMB server (Windows Server, domain joined) with Samsung_Magician_Installer_Official_7.3.0.1100.ZIP (188 mb, unpacked about 193 mb).

The ZIP contains an exe. Now, opening the ZIP with WinRAR on my older PC over SMB and starting the exe directly out of the ZIP takes ages, like you can count 1% per second or less! Opening it locally on the desktop, the whole file takes about 2-5 seconds. (On HDD, so speed should be about the same.)

On another PC, which is newer and has maybe one less network switch between Sophos/server, it's a lot faster but still slow, and you can see it stuttering.

Between the old and new PC in the same VLAN, between 2-3 switches, it's like opening it locally on my old PC. So I guess it's the Sophos.
(Between servers on the same VLAN on the same switch, it opens like a champ, so no antivirus/endpoint protection either!)

Now on my firewall all is disabled and grayed out, got PC --> server with any ports (testing). Advanced protection on/off makes no difference. So it should not look into the traffic, right? Or do I miss something?

XGS2100 (SFOS 19.5.2 MR-2-Build624)



  • Hi,

    please check that you have disabled the DOS setting for the four choices in that tab.

    Ian

    XGS118 - v21.5 EAP

    XG115 converted to software licence v21.0.1 MR-1

  • You could try V19.5 MR3 to check if some of those fixes help your scenario.

    • Would be nice, the patch notes do not say much about what was fixed.

      To be honest, we have had this problem for a long time, and it got worse over the last years, where I noticed that opening files over SMB, like big setups, takes ages.

      Users first started complaining that "everything" was slow and that our application on the network drive was crashing, so we disabled everything on the SMB firewall rule. After that it was much better, but people who often open 2D CAD drawings were still complaining about the slow opening speed of the files. As admin, I never really noticed it until now, since the setups take longer and longer to open.

      Strangely, copying got better over time.

      I will try the MR3 if it's available for the masses over the web console; how long does it usually take? I saw it got released 7 days ago.

      • Just a suggestion: are you using something like file encryption on the servers or endpoints? We have seen those acting as massive performance decreasers with SMB file access due to their filter drivers injected into the operating system of the servers or clients, even if you are actually accessing unencrypted files. This is because the filter driver is scanning all files opened.

        • No, we don't; we did not have this problem before using Sophos.

          As I wrote, I already tested SMB between clients in the same VLAN (so no gateway involved) and the speed was normal. (Between servers too.)

          Disabling endpoint security did not change anything. (I even tested freshly set up Windows clients without any other programs installed.)

          • Tried excluding the firewall rule that catches the SMB traffic from scanning?

            https://support.sophos.com/support/s/article/KB-000038900?language=en_US

            Also disable IPS and other scanning features for that rule. Only for testing, of course.

            • This is what my firewall rule looks like; does your KB link offer anything other than the already disabled ones?

              • Yes, you need to test exclusion with bypassing ATP / App also. That still involves IPS that is scanning the traffic.

                • in your case:
                  set ips ac_atp exception fwrules 35
                  and after testing:
                  set ips ac_atp exception fwrules none

                  • I did a little test with the ZIP opening an exe, and still got the slow speed. So I guess it does not do anything. I will try to test further the next day if the users are still complaining. So does that mean that even if my firewall rule has IPS disabled and I disabled ATP manually, it still scans the traffic?

                    • Yes.

                      Is that rule on top of your ruleset? You can enable logging. The traffic must hit that rule, not another.

                      AV is also involved automatically. support.sophos.com/.../KB-000035749

                      More description here to bypass the firewall engine also.

                      www.avanet.com/.../

                      If all that does not help, you need to tcpdump on the 2 sides of the connection and analyse what is happening. Packets not arriving, maybe there is an MTU issue. Lots of possibilities.
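
The two-sided tcpdump comparison suggested in the last reply can be scripted; the following is an added example, not part of the original thread or any Sophos tooling. It assumes both captures were printed with `tcpdump -n -S` (absolute sequence numbers), that no NAT or segmentation offload rewrites the segments between the two capture points, and all addresses, ports and sizes in the sample lines are constructed.

```python
import re
from collections import Counter

# Data-bearing TCP lines from `tcpdump -n -S` text output (absolute sequence numbers).
SEG = re.compile(r"IP (\S+) > (\S+): Flags \[[^\]]+\], seq (\d+):(\d+),.* length (\d+)")

# Constructed sample captures (addresses, ports and sizes are made up).
CLIENT_SIDE = """
10:15:01.000100 IP 10.0.10.5.49832 > 10.0.20.10.445: Flags [P.], seq 1000:1400, ack 1, win 1026, length 400
10:15:01.000200 IP 10.0.10.5.49832 > 10.0.20.10.445: Flags [.], seq 1400:2860, ack 1, win 1026, length 1460
10:15:01.000300 IP 10.0.10.5.49832 > 10.0.20.10.445: Flags [P.], seq 2860:3100, ack 1, win 1026, length 240
10:15:01.300200 IP 10.0.10.5.49832 > 10.0.20.10.445: Flags [.], seq 1400:2860, ack 1, win 1026, length 1460
"""
SERVER_SIDE = """
10:15:01.000450 IP 10.0.10.5.49832 > 10.0.20.10.445: Flags [P.], seq 1000:1400, ack 1, win 1026, length 400
10:15:01.000650 IP 10.0.10.5.49832 > 10.0.20.10.445: Flags [P.], seq 2860:3100, ack 1, win 1026, length 240
"""

def parse(capture):
    """Return (src, dst, seq_start, seq_end, length) for every segment carrying data."""
    segs = []
    for line in capture.splitlines():
        m = SEG.search(line)
        if m and int(m.group(5)) > 0:
            segs.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4)), int(m.group(5))))
    return segs

def compare(ingress, egress):
    """Compare the capture taken before the firewall with the one taken after it."""
    sent, arrived = Counter(parse(ingress)), set(parse(egress))
    lost = sorted(s for s in sent if s not in arrived)
    largest_ok = max((s[4] for s in arrived), default=0)
    return {
        "lost": lost,  # segments never seen on the far side
        "retransmitted": sorted(s for s, n in sent.items() if n > 1),
        "largest_delivered": largest_ok,
        # Only segments bigger than anything that got through are missing: MTU-shaped loss.
        "mtu_suspect": bool(lost) and all(s[4] > largest_ok for s in lost),
    }

if __name__ == "__main__":
    for key, value in compare(CLIENT_SIDE, SERVER_SIDE).items():
        print(key, value)
```

A non-empty `lost` list with `mtu_suspect` false points at drops unrelated to packet size, while an empty `lost` list with retransmissions present means the loss is happening outside the two capture points.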