
Is software UTM performance limited?

Hi all, I am running Sophos UTM Home (currently 9.702-1) for years and have been very happy with it. I have always had it running as a VM in ESXi on a NUC and with IPS running I was limited to about 340Mbps. This was fine since my internet downstream was 100Mbps, then 250Mbps and then 360Mbps.

I have a big brother to the NUC which is a 20-core (3.5GHz) Xeon ESXi server so when my internet connection went up to 600Mbps I moved the Sophos VM to that big ESXi server. The config is the same on both so I didn't have to change anything but I noticed I was still limited to about 375Mbps (vs 340Mbps on the NUC) on the big server. Turning off IPS I was seeing the full 600Mbps.

CPU usage was only hitting 25% when running a speedtest but just to be sure I shut down the VM and gave it 16GB of RAM (up from 4GB) and 16 cores (8 cores x 2 sockets up from 4 cores x 1 socket), started up the VM and reran the speedtest (various providers) and again hit a limit of around 375Mbps. I turned off IPS and it jumped up to the full 600Mbps.

So I am wondering what is the reason for this? Even if the Home version was limited to 4 cores/CPUs, 4 cores @ 3.5GHz should still be more than enough horsepower to do IPS at 600Mbps.

Thanks



  • See this community.sophos.com/.../119464


    IPS uses snort which is core limited. Run speed tests on two machines at the same time.  That should saturate the connection.  You'll also see multiple instances of snort running.  Login via ssh and run top to observe this.

    https://community.sophos.com/kb/en-us/119464

    Speed tests run on 2 different machines at the same time.

    Interestingly, I had to set the instances to 3 to get 2 to work. Otherwise just a single instance would show up in top with actual activity.  Setting it to 0, 1 or 2 all results in the same single instance used to scan. 

  • Thanks for the info.

    Speedtest.net defaults to multiple connections, 6 from what I see, so it is a single instance of SNORT by client IP address and not connection/stream? Does that mean as home users no one person will ever be able to use more than the ~375Mbps when downloading?

  • It should be possible to get higher speeds, however you need to have a processor with an as high as possible single core speed (so the higher the MHz of the processor, the more speed you'll get with IPS enabled).

    For example, the brand new Intel Core i5-10600 Processor, which has 4.8GHz, or the somewhat less expensive Intel Core i3-10320 Processor at 4.6GHz will probably do much more on single-core IPS performance.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I looked up SNORT and there is a version 3.0 which is multi threaded. I'm guessing since all the focus is on XG we will never see this in UTM?

  • I'm guessing the same otherwise it would have already been implemented....


  • That is truly unfortunate, as I feel the XG product doesn't offer what the UTM product does.  I have spun up an XG a couple of times now and it lacks the pure functionality that UTM has over it.

    Maybe at some point the XG platform will do all the things the UTM will, I am using this at home and have about 8 segments into a L2/L3 switch with a 10G interface to the UTM.


    Thanks

    T-Rex

  • You need to put exceptions in place for speedtests. Once you do that, they go full speed; it's IPS doing its thing.

    You have some more in depth tuning available here: https://community.sophos.com/kb/en-us/132399


    Be warned, you might have very interesting results so be cautious. I've tried some of these on a 330 SG and it gave various mixed results.

  • That's exactly what I did for the few speedtest sites I visit often. The others are subject to the filtering and thus return slower speeds.  I believe I have filters in place in both IPS and web filtering.

  • That's just like cheating; putting exceptions in place just for the speedtest sites so they show good throughput. What you want to have is good throughput overall not just on the speedtest site....

    For that to happen with the single core snort process you need the fastest single-core processor (in terms of MHz) that you can find. But usually if more people are simultaneously using the internet connection, each user can (and will) use a snort core and thus the total throughput could be higher than just the speedtest of 1 user shows.


  • Another trick is to check from the command line.

    Copy and paste each block instead of just using single lines.

    First, download the speed test:

    cd /home
    wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py --no-check-certificate

    Check the speed with IPS off, and then with it on.

    cd /home
    cc set ips status 0
    sleep 15s
    python speedtest.py
    cc set ips status 1
    sleep 30s
    python speedtest.py

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
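The CLI check above only takes one reading in each state. The script below is an added example, not from the thread or from Sophos: it runs several speed tests with IPS off and on using the same `cc set ips status` and `speedtest.py` calls as the post, takes the median of each set, and reports the throughput lost to IPS as a percentage. It assumes `speedtest.py` sits in `/home` and prints a `Download: N Mbit/s` line; the measurement itself only runs when `RUN_ON_UTM=1` is set, so the helper functions can be exercised anywhere.

```shell
#!/bin/sh
# Added example: measure IPS overhead on a Sophos UTM from its shell.
# Assumes speedtest.py (sivel/speedtest-cli) is in /home, as in the post.

TRIALS="${TRIALS:-3}"
SPEEDTEST="${SPEEDTEST:-/home/speedtest.py}"

# Extract the download figure (Mbit/s) from speedtest.py's text output.
parse_download_mbps() {
    awk '/^Download:/ { print $2; exit }'
}

# Median of a newline-separated list of numbers read from stdin.
median() {
    sort -n | awk '{ v[NR] = $1 } END {
        if (NR == 0) { print 0; exit }
        if (NR % 2) { print v[(NR + 1) / 2] }
        else { printf "%.2f\n", (v[NR / 2] + v[NR / 2 + 1]) / 2 }
    }'
}

# Percent of raw throughput lost with IPS on: 100 * (off - on) / off.
ips_overhead_pct() {
    awk -v off="$1" -v on="$2" 'BEGIN {
        if (off <= 0) { print 0; exit }
        printf "%.1f\n", 100 * (off - on) / off
    }'
}

# Set IPS to the given state (0 = off, 1 = on), run TRIALS speed tests
# and print the median download rate. Only meaningful on the UTM itself.
measure() {
    cc set ips status "$1" >/dev/null
    sleep 15
    i=0
    while [ "$i" -lt "$TRIALS" ]; do
        python "$SPEEDTEST" --simple | parse_download_mbps
        i=$((i + 1))
    done | median
}

main() {
    off=$(measure 0)
    on=$(measure 1)    # measured last so IPS is left enabled
    echo "IPS off: ${off} Mbit/s  IPS on: ${on} Mbit/s  overhead: $(ips_overhead_pct "$off" "$on")%"
}

if [ "${RUN_ON_UTM:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_ON_UTM=1 sh ips-overhead.sh` over SSH on the UTM; with the default of 3 trials each way it takes a few minutes, which smooths out the variance between speed test servers.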