Low speeds and TLS Engine Errors

So I've just started using this and am a bit unsure how "FastPath" works exactly and I'll drill into some specifics.

I'm testing this on a gigabit (1Gb/940Mb) connection in both a Virtual Machine and on a custom desktop using the 'SW' package.

VM (VMware) = 

CPU: Xeon E5-2690 @ 2.9GHz (4 Cores Allocated)

RAM: 6GB

-----

SW Appliance =

CPU: Pentium G2020 @ 2.9GHz - 2 Cores

RAM: 6GB

-----

Speeds --

On v17.5 I was hitting about 700Mbps down and 280Mbps Up as Snort on the VM was using a single instance (single thread) and running at 99% during the test. When upgraded to v18 EAP, I'm getting about 150Mbps down and 200Mbps up with still a single Snort instance running at 99%

 

On this custom build box next to me with it running, i got about 550Mbps/550Mbps and saw two instances of Snort running up above 90% (one per core I'm guessing) Multiple instances only ran when a multi-connection test was running

 

At one point during the tests I saw Snort on the custom box rise up then drop down to about 2-5% usage after the first few seconds while the test was running. I may have thought this was 'FastPath' behavior but am unsure.

 

TLS Inspection -- I've been really impressed with this so far and It's going to be really usefull. I'm just pretty much noting a few errors I has while running it. Some applications were encountering errors (downloaders, etc...) and the logs showed "Dropped due to TLS engine error"

Further information I have on "Dropped due to TLS engine error" (Example being discord here in the logs but there were a lot of these for other sites):

  • profile_name="Maximum compatibility"
  • bitmask=""
  • key_type="KEY_TYPE__UNKNOWN"
  • fingerprint=""
  • session="0"
  • cert_chain_served="TRUE"
  • cipher_suite="TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
  • sni="discordapp.com"
  • tls_version="TLS version - 1.2"
  • reason="Dropped due to TLS engine error"
  • exception=""
  • message=""

It's not much of a problem as many of the apps that may complain about the TLS drops are easily excluded using the new tools :)

Parents
  • Thanks for the feedback. Regarding the SSL/TLS issues - I'm really pleased to hear that overall it's been performing well for you.

    It is unavoidable that some applications will encounter problems and not accept the replacement certificates that we create to allow us to decrypt and re-encrypt the content. Our goal is to make this kind of thing easier to track down and deal with - we hope in future releases to further automate this process.

    For now, we are aware of a number of outstanding issues where error messages are not as useful as they should be. One of these areas is where connections are established then quickly rejected by clients - usually because of certificate validation errors. Discord's client is certainly one that we've seen doesn't like being intercepted.

    Look for things to improve on the logging front in upcoming updates.

  • Thanks.

     

    Yes it looks like some software clients with those sticky certs. So I reset my config as that was causing the single Snort instance.

    I'll be upgrading the hardware unit with a quad core Xeon CPU soon and it's running as my primary test for now.

    With no IPS/Web/ATP I get 900Mbps/820Mbps (Probably my package max)

    Web filtering takes me to about 500/500 on this CPU which is fine and IPS / TLS Decrypt goes to about 200Mbps/280Mbps which I can see on a Pentium G2020.

    It feels like the web interface has really sped up too. The loopback NAT rules are lovely and I don't mind the rule separation at all, it's pretty nice actually.

     

    I've also tested IPS on incoming rules and on outbound connections from certain devices. It doesn't cause everything to max out snort which is nice.

     

    I'm also actually super happy about VLANs on bridges. This will be really enjoyable!!! I've already played with that of course. I need to play with SSO and Kerberos as that excites me. TLS Inspection will be a great thing to roll out. The exceptions are so easy to make from log viewer and the visibility is wonderful. It seems to be working great indeed. Most of our clients are still within the 150Mbps ranges.

    Very excited to keep playing!!!

    **I'd still love to see an extra option on the endpoint<-->firewall isolation policies to operate a "Block by default" policy where it blocks any access from other machines on the network unless they have heartbeats. You could manually whitelist things. That way you can set up a policy that is "You can only access x machines if you have a happy endpoint installed"

  • Hi Andrew,

    Have you checked to make sure you have all cores enabled for IPS?

    This is done from the Option 4 console with the following:

    console> show ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 8
    enable_appsignatures on
    http_response_scan_limit 65535
    search_method ac-q
    sip_preproc enabled
    sip_ignore_call_channel enabled

    -------------IPS Instances------------
    IPS CPU
    1 0
    2 1
    3 2
    4 3

    By default, only 2 cpu cores are enabled (so i've seen on software installs, generally, someone correct me if wrong) and I had to enabled the other two in my quad core. I have an up to 300mbps and run an Intel J1900, with only 2 enabled I got around 120mbps but had a scalable increase of speed to 240-250 by enabling two more cores. This is done like below:

    console> set ips ips-instance add IPS cpu
    0 1 2 3

    Just want to check you're getting all the performance out your CPU :)

    Emile

  • console> set ips ips-instance add IPS cpu
    0 1 2 3

     

    The command line don't work for me. I get an "Unknown parameter" error. [:O]

     

    When i type in "set ips ips-instance add IPS cpu" the console show me:

    cpu    cpu

    After that i try to type in 0 1 2 3 but then the Unknown Parameter error occurs.

    Maybe i'm doing something wrong...

  • Only problem with enabling more than 2 instances is that each instance is almost using a gig of ram so you would hit that 6GB home user limit and start swapping. Swapping will probably have negligible effect on firewall performance but it irks me when I run out of ram and linux is swapping. In a business setting you probably will go for an appliance for support reasons anyway.

  • you can try hitting tab on the keyboard. It gives more options on the available commands. 

Reply Children
No Data