New Sophos Support Phone Numbers in Effect July 1st, 2023

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9 - IPS tweaking?

Is there any recommendations for tweak IPS on a SG125w running UTM 9 (latest version)?

We have a 100Mb/sec LOS connection which drops from 100Mbps to 70Mbps with IPS enabled. 

This thread was automatically locked due to age.
  • I also see this in my IPS log, not sure what what the warning means?

    022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | DFA
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 1 byte states : 2.94
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 2 byte states : 16.13
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 4 byte states : 0.00
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: +----------------------------------------------------------------
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: WARNING: normalizations disabled because DAQ can't replace packets.
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: Session Reload: Reference Count Non-zero for old configuration.
  • With IPS enabled, you will get a bit lower speed.  That's the nature of filtering, and with Sophos not updating Snort to a multi-threading capable version, it won't get any better unless IPS is disabled unfortunately.  XG may be different in handling this, and I'm sure it is, but... I don't use that product.

    WARNING: normalizations disabled because DAQ can't replace packets.

    That's a Snort warning, but it can be ignored for the most part, I believe.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • Yeap I saw another post mentioning lowering the 12 months to 6 months to improve the bandwidth but there is a cost to doing that. Funny enough my IPS on my home lab UDM-Pro doesn't affect my 1Gbit bandwidth at all. Makes me wonder if its even enabled. LOL

  • This guide will help you improve IPS throughput by increasing the amount of Snort instances.  It involves downloading Putty and requires you to SSH into the UTM, but it works. 

    "To ensure that other UTM processes have enough processing power, 1 CPU is set aside and by default not used by the IPS engine. On smaller UTM models with only 2 CPUs the result is that only a single Snort instance is used, which may result in lower than desired throughput when using IPS scanning."

    Sophos UTM: Low throughput with Intrusion Prevention (IPS)

    Another thing you can do is make sure "add extra warnings" is not enabled, and limit your IPS rules to <12 months.

  • Hi Andrew and welcome to the UTM Community!

    As Alan and Amodin have said, Snort is single-threaded, so you will want to do speed tests on at least 2 devices simultaneously.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Applied this change, the "add extra warnings" were not enabled by default, and the IP rules were limited to <12 months. With <12 months without the CPU update I was averaging 60 to 70Mbps on our 100Mbps connection. Looks like with the change I am getting around 83Mbps on the downstream which is an improvement. 

  • I'm glad that you saw improvement, but also frankly surprised because it's single-threaded so each 'instance' of a used thread is like 'per user' maxed out.

    I've done this on my quad-core Xeon in my UTM and saw zero improvement.  That is until my ISP magically found some download bandwidth shortly after we saw the AT&T Fiber truck driving through our neighborhood announcing they were coming into the area, lol.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5

  • I also saw a remarkable speed increase as well. I think the speed increase is more noticeable on dual core CPUs. Something about Snort instances=n-1, where n=the number of CPU cores. 

    Glad the tweak worked for Andrew. Since the IPS is the bottleneck of the UTM it would have been nice if this tweak was already implemented to begin with. And the lower tier SG units have very slow dual core CPUs.