
Is software UTM performance limited?

Hi all, I am running Sophos UTM Home (currently 9.702-1) for years and have been very happy with it. I have always had it running as a VM in ESXi on a NUC and with IPS running I was limited to about 340Mbps. This was fine since my internet downstream was 100Mbps, then 250Mbps and then 360Mbps.

I have a big brother to the NUC which is a 20-core (3.5GHz) Xeon ESXi server, so when my internet connection went up to 600Mbps I moved the Sophos VM to that big ESXi server. The config is the same on both so I didn't have to change anything, but I noticed I was still limited to about 375Mbps (vs 340Mbps on the NUC) on the big server. Turning off IPS I was seeing the full 600Mbps.

CPU usage was only hitting 25% when running a speedtest, but just to be sure I shut down the VM and gave it 16GB of RAM (up from 4GB) and 16 cores (8 cores x 2 sockets, up from 4 cores x 1 socket), started up the VM and reran the speedtest (various providers) and again hit a limit of around 375Mbps. I turned off IPS and it jumped up to the full 600Mbps.

So I am wondering what the reason for this is? Even if the Home version were limited to 4 cores/CPUs, 4 cores @ 3.5GHz should still be more than enough horsepower to do IPS at 600Mbps.

Thanks



  • See this community.sophos.com/.../119464


    IPS uses snort which is core limited. Run speed tests on two machines at the same time. That should saturate the connection. You'll also see multiple instances of snort running. Log in via ssh and run top to observe this.

    https://community.sophos.com/kb/en-us/119464

    Speed tests run on 2 different machines at the same time.

    Interestingly, I had to set the instances to 3 to get 2 to work. Otherwise just a single instance would show up in top with actual activity. Setting it to 0, 1 or 2 all results in the same single instance used to scan.
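The check the reply above describes (log in over ssh, watch top, see whether more than one snort process is actually busy) can be scripted. The following is an added example, not code from the thread or from Sophos: it parses `ps`-style output and reports whether IPS is effectively bound to a single snort instance. The process listing embedded in `SAMPLE_PS` is constructed sample data, and the 20% CPU threshold is an assumption chosen for illustration; on a live UTM shell you would feed it the output of `ps -eo pid,pcpu,comm` instead.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,pcpu,comm` output (not captured from a real box):
# three snort processes exist, but only one is doing any work.
SAMPLE_PS='  PID %CPU COMMAND
  412  0.3 sshd
 1201 98.7 snort
 1202  0.0 snort
 1203  0.1 snort
 1500  2.4 httpd'

# snort_total_count: number of snort processes in a ps listing read from stdin.
snort_total_count() {
    awk 'NR>1 && $3=="snort" {n++} END {print n+0}'
}

# snort_busy_count: number of snort processes at or above a CPU threshold
# (percent, default 20; an assumed cut-off for "actually scanning traffic").
snort_busy_count() {
    threshold="${1:-20}"
    awk -v t="$threshold" 'NR>1 && $3=="snort" && ($2+0)>=t {n++} END {print n+0}'
}

# ips_verdict: classify the listing passed as $1.
#   no-snort           - IPS is not running at all
#   single-core-bound  - snort instances exist but at most one is busy,
#                        i.e. throughput is limited by one core's clock speed
#   multi-instance     - more than one instance is sharing the load
ips_verdict() {
    total=$(printf '%s\n' "$1" | snort_total_count)
    busy=$(printf '%s\n' "$1" | snort_busy_count)
    if [ "$total" -eq 0 ]; then
        echo "no-snort"
    elif [ "$busy" -le 1 ]; then
        echo "single-core-bound"
    else
        echo "multi-instance"
    fi
}

# Stand-alone run against the constructed sample.
# Live use on a UTM shell would be: ips_verdict "$(ps -eo pid,pcpu,comm)"
ips_verdict "$SAMPLE_PS"
```

Take two snapshots a few seconds apart while a download is running; if the verdict stays at `single-core-bound` even with several clients pulling data, the box is behaving exactly as described in this thread and raising the instance count (or a higher single-core clock) is the lever, not more cores.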

  •  Thanks for the info. 


    Speedtest.net defaults to multiple connections, 6 from what I see, so it is a single instance of SNORT by client IP address and not connection/stream? Does that mean as home users no one person will ever be able to use more than the ~375Mbps when downloading?

  • It should be possible to get higher speeds, however you need to have a processor with as high a single-core speed as possible (so the higher the MHz of the processor, the more speed you'll get with IPS enabled).

    For example the brand new Intel Core i5-10600 Processor, which has 4.8GHz, or the somewhat less expensive Intel Core i3-10320 Processor at 4.6GHz will probably do much more on single-core IPS performance.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I looked up SNORT and there is a version 3.0 which is multi-threaded. I'm guessing since all the focus is on XG we will never see this in UTM?

  • I'm guessing the same otherwise it would have already been implemented....


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • That is truly unfortunate, as I feel the XG product doesn't offer what the UTM product does. I have spun up an XG a couple of times now and it lacks the pure functionality that UTM has over it.

    Maybe at some point the XG platform will do all the things the UTM will. I am using this at home and have about 8 segments into a L2/L3 switch with a 10G interface to the UTM.


    Thanks

    T-Rex