Low speeds and TLS Engine Errors

So I've just started using this and am a bit unsure how "FastPath" works exactly and I'll drill into some specifics.

I'm testing this on a gigabit (1Gb/940Mb) connection in both a Virtual Machine and on a custom desktop using the 'SW' package.

VM (VMware) = 

CPU: Xeon E5-2690 @ 2.9GHz (4 Cores Allocated)

RAM: 6GB

-----

SW Appliance =

CPU: Pentium G2020 @ 2.9GHz - 2 Cores

RAM: 6GB

-----

Speeds --

On v17.5 I was hitting about 700Mbps down and 280Mbps Up as Snort on the VM was using a single instance (single thread) and running at 99% during the test. When upgraded to v18 EAP, I'm getting about 150Mbps down and 200Mbps up with still a single Snort instance running at 99%

 

On this custom build box next to me with it running, i got about 550Mbps/550Mbps and saw two instances of Snort running up above 90% (one per core I'm guessing) Multiple instances only ran when a multi-connection test was running

 

At one point during the tests I saw Snort on the custom box rise up then drop down to about 2-5% usage after the first few seconds while the test was running. I may have thought this was 'FastPath' behavior but am unsure.

 

TLS Inspection -- I've been really impressed with this so far and It's going to be really usefull. I'm just pretty much noting a few errors I has while running it. Some applications were encountering errors (downloaders, etc...) and the logs showed "Dropped due to TLS engine error"

Further information I have on "Dropped due to TLS engine error" (Example being discord here in the logs but there were a lot of these for other sites):

  • profile_name="Maximum compatibility"
  • bitmask=""
  • key_type="KEY_TYPE__UNKNOWN"
  • fingerprint=""
  • session="0"
  • cert_chain_served="TRUE"
  • cipher_suite="TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
  • sni="discordapp.com"
  • tls_version="TLS version - 1.2"
  • reason="Dropped due to TLS engine error"
  • exception=""
  • message=""

It's not much of a problem as many of the apps that may complain about the TLS drops are easily excluded using the new tools :)

Parents
  • Thanks for the feedback. Regarding the SSL/TLS issues - I'm really pleased to hear that overall it's been performing well for you.

    It is unavoidable that some applications will encounter problems and not accept the replacement certificates that we create to allow us to decrypt and re-encrypt the content. Our goal is to make this kind of thing easier to track down and deal with - we hope in future releases to further automate this process.

    For now, we are aware of a number of outstanding issues where error messages are not as useful as they should be. One of these areas is where connections are established then quickly rejected by clients - usually because of certificate validation errors. Discord's client is certainly one that we've seen doesn't like being intercepted.

    Look for things to improve on the logging front in upcoming updates.

  • Thanks.

     

    Yes it looks like some software clients with those sticky certs. So I reset my config as that was causing the single Snort instance.

    I'll be upgrading the hardware unit with a quad core Xeon CPU soon and it's running as my primary test for now.

    With no IPS/Web/ATP I get 900Mbps/820Mbps (Probably my package max)

    Web filtering takes me to about 500/500 on this CPU which is fine and IPS / TLS Decrypt goes to about 200Mbps/280Mbps which I can see on a Pentium G2020.

    It feels like the web interface has really sped up too. The loopback NAT rules are lovely and I don't mind the rule separation at all, it's pretty nice actually.

     

    I've also tested IPS on incoming rules and on outbound connections from certain devices. It doesn't cause everything to max out snort which is nice.

     

    I'm also actually super happy about VLANs on bridges. This will be really enjoyable!!! I've already played with that of course. I need to play with SSO and Kerberos as that excites me. TLS Inspection will be a great thing to roll out. The exceptions are so easy to make from log viewer and the visibility is wonderful. It seems to be working great indeed. Most of our clients are still within the 150Mbps ranges.

    Very excited to keep playing!!!

    **I'd still love to see an extra option on the endpoint<-->firewall isolation policies to operate a "Block by default" policy where it blocks any access from other machines on the network unless they have heartbeats. You could manually whitelist things. That way you can set up a policy that is "You can only access x machines if you have a happy endpoint installed"

  • Hi Andrew,

    Have you checked to make sure you have all cores enabled for IPS?

    This is done from the Option 4 console with the following:

    console> show ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 8
    enable_appsignatures on
    http_response_scan_limit 65535
    search_method ac-q
    sip_preproc enabled
    sip_ignore_call_channel enabled

    -------------IPS Instances------------
    IPS CPU
    1 0
    2 1
    3 2
    4 3

    By default, only 2 cpu cores are enabled (so i've seen on software installs, generally, someone correct me if wrong) and I had to enabled the other two in my quad core. I have an up to 300mbps and run an Intel J1900, with only 2 enabled I got around 120mbps but had a scalable increase of speed to 240-250 by enabling two more cores. This is done like below:

    console> set ips ips-instance add IPS cpu
    0 1 2 3

    Just want to check you're getting all the performance out your CPU :)

    Emile

  • console> set ips ips-instance add IPS cpu
    0 1 2 3

     

    The command line don't work for me. I get an "Unknown parameter" error. [:O]

     

    When i type in "set ips ips-instance add IPS cpu" the console show me:

    cpu    cpu

    After that i try to type in 0 1 2 3 but then the Unknown Parameter error occurs.

    Maybe i'm doing something wrong...

  • Only problem with enabling more than 2 instances is that each instance is almost using a gig of ram so you would hit that 6GB home user limit and start swapping. Swapping will probably have negligible effect on firewall performance but it irks me when I run out of ram and linux is swapping. In a business setting you probably will go for an appliance for support reasons anyway.

  • you can try hitting tab on the keyboard. It gives more options on the available commands. 

  • Hi Balmasque,

    Sorry, i forgot to mention that i was tabbing to show the options.

    What's the result when you do "show ips-settings" (without quotes) in the standard console?

    @BillyBob, you're right that snort consumes 1.1GB but I've never noticed a performance deficit and checking my 4C4GB home doohick appliance ATOP i see the following 2.9GB swap with 2.8GB free. Snort is showing 5 instances with 1.1GB each but ATOP is actually reporting that they are only consuming 25% total. Now 5x 25% doth not make a proper number and never really thought about it. Do they do memory sharing, you won't need 1 instance of signatures per instance, it's maimly the buffers that are the problem. I think we might need someone to clarify the memory consumption methodology of snort.

    I suspect they are cleverly sharing a single memory block for patterns.

    Emile

  • Tested this a little further. Installing with 1vcpu on a vm will spawn 2 instances. So they are using one master and a child process. Increased to 4vcpu and the snort instances automatically increased to 5.  One master and 4 child processes. You are correct that each instance is not taking 1GB ram although "top" shows them using 1GB each. I suspect only the master is counted toward memory usage and the child processes just distribute the load among different cpu cores. 

    Tried adding and removing snort instances and its a little counter intuitive. Sophos automatically adds snort instances depending on your cpus but if you want to decrease the instances to remove stress on an under powered processor at the cost of some throughput, you have that capability.

    You have to reboot or restart IPS after each command 

    "Set ips ips-instance add IPS cpu 0"

    "Set ips ips-instance add IPS cpu 1"

    etc. and it will bind the snort instance to that specified cpu and will only spawn one snort instance (master and slave) at a time. You can run the command for each cpu to add more instances or clear to default by running

    "Set ips ips-instance clear" 

    For example running "Set ips ips-instance add IPS cpu 1" on a 4vcpu machine gives me

    console> show ips-settings                                                      
    -------------IPS Settings-------------                                          
            stream on                                                               
            lowmem off                                                              
            maxsesbytes 0                                                           
            maxpkts 8                                                               
            enable_appsignatures on                                                 
            http_response_scan_limit  65535                                         
            search_method ac-q                                                      
            sip_preproc enabled                                                     
            sip_ignore_call_channel enabled                                         
            inspect untrusted-content                                               
                                                                                    
    -------------IPS Instances------------                                          
    IPS CPU                                                                         
     1  1                                   

     

    Wish a dev would enlighten us more on the inner working of certain things once in a while[;)]

     

    Regards

  • Hi billybob,

    what you are also saying is that v18 uses a different version of snort to v17, eg this one appears to be multi-threaded like?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi rfcat,

    Snort in XG has always been multithreaded?

    Emile

  • Thats how it worked with me:

    console> set ips ips-instance clear (first) (then add below seq.)

    console> set ips ips-instance add IPS cpu 0
    console> set ips ips-instance add IPS cpu 1
    console> set ips ips-instance add IPS cpu 2
    console> set ips ips-instance add IPS cpu 3

    Thanks,

Reply Children
No Data