
Performance impact / Best Practice: Log firewall rules

Hi there,

As the title says, I'm searching for information on how much performance it will cost an XGS (2100) firewall if I activate logging on most of our firewall rules.

I have had in mind for many years that logging of firewall rules should only be activated when you have to troubleshoot errors, because of a possible performance decrease.

But as our business grows, we want to be able to check logs from some days back for troubleshooting or, in case of a possible attack from the outside, to check which internal systems may have been accessed/attacked.

We run an XGS 2100 cluster with about 50 local users and ~5 branch offices. The branch offices only access local servers and services; we don't route all traffic from there through our XGS. CPU is mainly at ~10-15% load.

I searched a little bit in the Sophos Community/Google, but I can't find any advice or facts (like: "I activated logging on 20 rules and have 10% more CPU used"); the little information I found, also in some knowledge base articles from Sophos, is that logging firewall rules has "not much impact on the performance of the XG".

Actually, we don't use an external syslog server; it is planned for the future, but for now I want to log with the XG itself.

Thanks in advance!

Bastian



[edited by: Erick Jan at 9:08 AM (GMT -7) on 21 Aug 2024]
  • I'm not sure if, and if so how much, performance it costs, but we are logging almost all firewall rules on all of our firewalls. We have 2 sites with an XG210 and an XG230 with 50 and 80 users respectively, and we have some smaller sites with smaller devices.

    We don't notice any lagging on the firewalls and our 500Mbps line can be fully used if necessary.

    We even have a drop rule with logging at the end of all rules, since we find this very helpful sometimes to figure out why something is not working (new applications that use their own ports to communicate to the outside world, for example).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT-security challenges.

  • My experience is the same as ; it doesn't cost that much.

    And additionally, if you hunt for some error, you always wish you had turned logging on before and not "on demand".

    My opinion: if that is slowing down your system, you need a bigger firewall model.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Can confirm. Enable it on all of your rules. It won't make a noticeable difference.

    Some special rules may be good without logging in some cases.

    Example: if your infrastructure is logging to a syslog server, you may not want all the syslog connections to be logged on the firewall, which is also sending syslogs to the syslog server, as this may largely increase your log volume on the syslog server.
