Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Performance impact / Best Practice: Log firewall rules

Hi there,

as the title says, i'm searching for information, how much the performance of a XGS (2100) firewall it will cost, if i activate the logging of most of our firewall rules?

I have in mind for many years, that logging of firewall rules should be only activated in cases, where you have to troubleshoot errors - because of a possible performance decrease.

But as our business grows, we want to be able to check logs some days back for troubleshooting or - in case of a possible attack from the outside - to check, which internal systems may have been accessed/attacked. 

We run a XGS 2100-Cluster with about 50 local users and ~5 branch offices. The branch offices only access local servers and services; we don't route all traffic from there through our XGS. CPU is mainly at ~10-15% load.

I searched a little bit in the Sophos Community/Google, but i don't find any advice or facts (like: "i activated logging on 20 rules and have 10% more CPU used"); the little information i found, also in some Knowledge base-Articles from Sophos is, that logging firewall rules has "not many impact on the performance of the XG". 

Actual, we don't use a external syslog server - it is planned for the future; but for now, i wan't to log with the XG itself.

Thanks in advance!

Bastian



Edited TAGs
[edited by: Erick Jan at 9:08 AM (GMT -7) on 21 Aug 2024]
  • I'm not sure if and if so how much performance it costs, but we are logging almost all firewall rules on all of our firewalls. We have 2 sites with XG210 and XG230 with respectively 50 and 80 users and we have some smaller sites with smaller devices.

    We don't notice any lagging on the firewalls and our 500Mbps line can be fully used if necessary.

    We even have a drop rule with logging at the end of all rules since we find this very helpfull sometimes to figure out why something is not working (new applications that use their own ports to communicate to the outside world for example).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello,

    Thank you for contacting Sophos Community!

    It is suggested to enable Firewall Logging to get the proper reporting for external connections. However, we must also consider the limitations we have for disk usage.

    You must enable only the log settings most important for your reporting requirement. You can choose it from Configure -> System Services -> Log Settings:

    https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/index.html

    Additionally, you must consider the disk usage and hence choose the report retention period lower to tackle the high disk utilization from now on. You must review the settings from Monitor & Analyze -> Show Reports Settings -> Data Management: 

    Note: It is suggested to use external reporting like Central Firewall Reporting or External syslog server.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • My experience is the same like , it doesn't cost that much.

    And additionally, if you hunt for some error, you always wish you had turned logging on before and not "on demand".

    My opinion: if that is slowing down your system, you need a bigger firewall model.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Can confirm. Enable it on all of your rules. It won't make a noticably difference.

    Some special rules may be good without logging in some cases.

    Example: if your infrastructure is logging to a syslog server you may not want all the sylog connections to be logged on the firewall whis is also sending syslogs to the syslog server as this may largely increase your log volume on the syslog server.

  • The reporting subsystem is called garner.
    Various services and component send logs to garner, which stores in a database for display in the Log Viewer and Reports.
    service debug logs are separate, text files on disk.

    garner has a system in place that limits the amount of log events it will accept per minute.  It does this in order to prevent itself from taking too much resources.  Every minute it will accept up to 60,000 log events.  More than that it will drop the log events.  Currently this limit is the same on every box - large and small.  As far as I know in a future release the limit is increasing (for large boxes?).

    The effect is that if an administrator put on lots of extra logging for firewall rules it will not result in high cpu / resource usage.  Instead it will result in random log drops.  Random because they could be logs from any subsystem (though if firewall is logging the most it is most likely firewall logs dropped).

    The dropping of logs is not visible to the admin.  I have seen this on many customer boxes and I frequently need to recommend to customers to reduce unnecessary firewall logging.  This is in part because if I am trying to diagnose issues on their box it is hard if I cannot rely on logs appearing.  It is more common to see dropped logs on larger/busier boxes.

    If you want look at your own system, on the command line:
    grep "Drop events" /log/garner.log
    MESSAGE Aug 25 00:51:00Z [4151387584]: sethreshold_event[Sethreshold]SE COUNT: '60001', Drop events count 44285
    MESSAGE Aug 25 00:52:00Z [4151387584]: sethreshold_event[Sethreshold]SE COUNT: '60001', Drop events count 131932
    MESSAGE Aug 25 00:53:00Z [4151387584]: sethreshold_event[Sethreshold]SE COUNT: '60001', Drop events count 42700
    MESSAGE Aug 25 00:53:59Z [4151387584]: sethreshold_event[Sethreshold]SE COUNT: '3932', Drop events count 0

    You can see here that once a minute it logs to the debug log.  On this customer box in minute 1 there were 104,000 log events, the first 60,000 were logged and the remaining 44,000 dropped.  The next minute there were 191,000 log events, then 102,000 events, then 4000 events.  Events log can be bursty and in fact on this customer at this time of day 4000-5000 log per minute is most common.  The garner protection of dropping logs does not affect them on their normal business but protects them from performance issues when the logging was 20x normal for 4 minutes.

    Recommendations:
    1) In Log Settings, disable the log for "Invalid Traffic".  This is quite noisy and not useful unless you are trying to diagnose a problem.

    2) In the Firewall Rules, take a look at the rules that are Action=Accept and that have the highest in/out byte count.  Make sure those have Log firewall traffic off.
    Firewall Rules that have low traffic it is fine, and those that you are doing Drop or Reject you probably want to keep log on.  You can use a filter for firewall rules to help find rules that have log on.

    3) If you have a bottom Drop All rule I would only turn on logging if you are trying to diagnose an issue.