UTM 9 - IPS tweaking?

I also see this in my IPS log, not sure what what the warning means?

With IPS enabled, you will get a bit lower speed.  That's the nature of filtering, and with Sophos not updating Snort to a multi-threading capable version, it won't get any better unless IPS is disabled unfortunately.  XG may be different in handling this, and I'm sure it is, but... I don't use that product.

Andrew English said:

WARNING: normalizations disabled because DAQ can't replace packets.

That's a Snort warning, but it can be ignored for the most part, I believe.

Yeap I saw another post mentioning lowering the 12 months to 6 months to improve the bandwidth but there is a cost to doing that. Funny enough my IPS on my home lab UDM-Pro doesn't affect my 1Gbit bandwidth at all. Makes me wonder if its even enabled. LOL

This guide will help you improve IPS throughput by increasing the amount of Snort instances.  It involves downloading Putty and requires you to SSH into the UTM, but it works. 

"To ensure that other UTM processes have enough processing power, 1 CPU is set aside and by default not used by the IPS engine. On smaller UTM models with only 2 CPUs the result is that only a single Snort instance is used, which may result in lower than desired throughput when using IPS scanning."

Sophos UTM: Low throughput with Intrusion Prevention (IPS)

Another thing you can do is make sure "add extra warnings" is not enabled, and limit your IPS rules to <12 months.

Hi Andrew and welcome to the UTM Community!

As Alan and Amodin have said, Snort is single-threaded, so you will want to do speed tests on at least 2 devices simultaneously.

Cheers - Bob

Applied this change, the "add extra warnings" were not enabled by default, and the IP rules were limited to <12 months. With <12 months without the CPU update I was averaging 60 to 70Mbps on our 100Mbps connection. Looks like with the change I am getting around 83Mbps on the downstream which is an improvement. 

I'm glad that you saw improvement, but also frankly surprised because it's single-threaded so each 'instance' of a used thread is like 'per user' maxed out.

I've done this on my quad-core Xeon in my UTM and saw zero improvement.  That is until my ISP magically found some download bandwidth shortly after we saw the AT&T Fiber truck driving through our neighborhood announcing they were coming into the area, lol.

I also saw a remarkable speed increase as well. I think the speed increase is more noticeable on dual core CPUs. Something about Snort instances=n-1, where n=the number of CPU cores. 

Glad the tweak worked for Andrew. Since the IPS is the bottleneck of the UTM it would have been nice if this tweak was already implemented to begin with. And the lower tier SG units have very slow dual core CPUs.