Low speeds and TLS Engine Errors

Thanks for the feedback. Regarding the SSL/TLS issues - I'm really pleased to hear that overall it's been performing well for you.

It is unavoidable that some applications will encounter problems and not accept the replacement certificates that we create to allow us to decrypt and re-encrypt the content. Our goal is to make this kind of thing easier to track down and deal with - we hope in future releases to further automate this process.

For now, we are aware of a number of outstanding issues where error messages are not as useful as they should be. One of these areas is where connections are established then quickly rejected by clients - usually because of certificate validation errors. Discord's client is certainly one that we've seen doesn't like being intercepted.

Look for things to improve on the logging front in upcoming updates.

Thanks.

Yes it looks like some software clients with those sticky certs. So I reset my config as that was causing the single Snort instance.

I'll be upgrading the hardware unit with a quad core Xeon CPU soon and it's running as my primary test for now.

With no IPS/Web/ATP I get 900Mbps/820Mbps (Probably my package max)

Web filtering takes me to about 500/500 on this CPU which is fine and IPS / TLS Decrypt goes to about 200Mbps/280Mbps which I can see on a Pentium G2020.

It feels like the web interface has really sped up too. The loopback NAT rules are lovely and I don't mind the rule separation at all, it's pretty nice actually.

I've also tested IPS on incoming rules and on outbound connections from certain devices. It doesn't cause everything to max out snort which is nice.

I'm also actually super happy about VLANs on bridges. This will be really enjoyable!!! I've already played with that of course. I need to play with SSO and Kerberos as that excites me. TLS Inspection will be a great thing to roll out. The exceptions are so easy to make from log viewer and the visibility is wonderful. It seems to be working great indeed. Most of our clients are still within the 150Mbps ranges.

Very excited to keep playing!!!

**I'd still love to see an extra option on the endpoint<-->firewall isolation policies to operate a "Block by default" policy where it blocks any access from other machines on the network unless they have heartbeats. You could manually whitelist things. That way you can set up a policy that is "You can only access x machines if you have a happy endpoint installed"

Hi Andrew,

Have you checked to make sure you have all cores enabled for IPS?

This is done from the Option 4 console with the following:

console> show ips-settings
-------------IPS Settings-------------
stream on
lowmem off
maxsesbytes 0
maxpkts 8
enable_appsignatures on
http_response_scan_limit 65535
search_method ac-q
sip_preproc enabled
sip_ignore_call_channel enabled

-------------IPS Instances------------
IPS CPU
1 0
2 1
3 2
4 3

By default, only 2 cpu cores are enabled (so i've seen on software installs, generally, someone correct me if wrong) and I had to enabled the other two in my quad core. I have an up to 300mbps and run an Intel J1900, with only 2 enabled I got around 120mbps but had a scalable increase of speed to 240-250 by enabling two more cores. This is done like below:

console> set ips ips-instance add IPS cpu
0 1 2 3

Just want to check you're getting all the performance out your CPU :)

Emile

console> set ips ips-instance add IPS cpu
0 1 2 3

The command line don't work for me. I get an "Unknown parameter" error. [:O]

When i type in "set ips ips-instance add IPS cpu" the console show me:

cpu    cpu

After that i try to type in 0 1 2 3 but then the Unknown Parameter error occurs.

Maybe i'm doing something wrong...

Only problem with enabling more than 2 instances is that each instance is almost using a gig of ram so you would hit that 6GB home user limit and start swapping. Swapping will probably have negligible effect on firewall performance but it irks me when I run out of ram and linux is swapping. In a business setting you probably will go for an appliance for support reasons anyway.

you can try hitting tab on the keyboard. It gives more options on the available commands. 

Hi Balmasque,

Sorry, i forgot to mention that i was tabbing to show the options.

What's the result when you do "show ips-settings" (without quotes) in the standard console?

@BillyBob, you're right that snort consumes 1.1GB but I've never noticed a performance deficit and checking my 4C4GB home doohick appliance ATOP i see the following 2.9GB swap with 2.8GB free. Snort is showing 5 instances with 1.1GB each but ATOP is actually reporting that they are only consuming 25% total. Now 5x 25% doth not make a proper number and never really thought about it. Do they do memory sharing, you won't need 1 instance of signatures per instance, it's maimly the buffers that are the problem. I think we might need someone to clarify the memory consumption methodology of snort.

I suspect they are cleverly sharing a single memory block for patterns.

Emile

Tested this a little further. Installing with 1vcpu on a vm will spawn 2 instances. So they are using one master and a child process. Increased to 4vcpu and the snort instances automatically increased to 5.  One master and 4 child processes. You are correct that each instance is not taking 1GB ram although "top" shows them using 1GB each. I suspect only the master is counted toward memory usage and the child processes just distribute the load among different cpu cores. 

Tried adding and removing snort instances and its a little counter intuitive. Sophos automatically adds snort instances depending on your cpus but if you want to decrease the instances to remove stress on an under powered processor at the cost of some throughput, you have that capability.

You have to reboot or restart IPS after each command 

"Set ips ips-instance add IPS cpu 0"

"Set ips ips-instance add IPS cpu 1"

etc. and it will bind the snort instance to that specified cpu and will only spawn one snort instance (master and slave) at a time. You can run the command for each cpu to add more instances or clear to default by running

"Set ips ips-instance clear" 

For example running "Set ips ips-instance add IPS cpu 1" on a 4vcpu machine gives me

console> show ips-settings                                                      
-------------IPS Settings-------------                                          
        stream on                                                               
        lowmem off                                                              
        maxsesbytes 0                                                           
        maxpkts 8                                                               
        enable_appsignatures on                                                 
        http_response_scan_limit  65535                                         
        search_method ac-q                                                      
        sip_preproc enabled                                                     
        sip_ignore_call_channel enabled                                         
        inspect untrusted-content                                               
                                                                                
-------------IPS Instances------------                                          
IPS CPU                                                                         
 1  1                                   

Wish a dev would enlighten us more on the inner working of certain things once in a while[;)]

Regards

Hi billybob,

what you are also saying is that v18 uses a different version of snort to v17, eg this one appears to be multi-threaded like?

Ian

Hi billybob,

what you are also saying is that v18 uses a different version of snort to v17, eg this one appears to be multi-threaded like?

Ian

Hi rfcat,

Snort in XG has always been multithreaded?

Emile

Sorry, you must have configured it someway that was not obvious to the forum members because there are a number of posts about about snort issues and hitting the limits of 1 cpus.

People posting their configuration is not the same as showing the cpu/memory and throughput which showed 1 (one) snort max'ed out and not adding additional memory or processes to handle the extra load.

Ian

Hello Ian,

This isn't a case of "my config shows XYZ it must be ABC", Snort being multi threaded on the XG was one of its foundation blocks for marketing and design back in v15 and v16.

Emile

Edit: ah, I'm getting caught up on the difference between multi threaded and multi instanced! But my point still stands, it has been notable youhave been able to dramatically increase your throughput by adding more CPU instances. Now, web downloads are multi socket these days so that's why you will see a direct increase in web performance.

Hi,

thank you for the detailed commands. I will try this later. [Y]

One question left: Will this setting persists even after an firmware update or i must set up this again?

Hi Balmasque,

These settings will persist through reboot and firmware upgrade :)

Emile

As far as i know, all Command Line Entries / settings on Console are saved in Backup and should be peristent after update.

But should be tested, if you have time, feel free to try it. 

Thank you to both of you. [H]