Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Subscribers 8 subscribers
  • Views 6009 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9 - IPS tweaking?

Andrew English

Is there any recommendations for tweak IPS on a SG125w running UTM 9 (latest version)?

We have a 100Mb/sec LOS connection which drops from 100Mbps to 70Mbps with IPS enabled. 



This thread was automatically locked due to age.
Parents
  • 0

    I also see this in my IPS log, not sure what what the warning means?

    022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | DFA
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 1 byte states : 2.94
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 2 byte states : 16.13
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 4 byte states : 0.00
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: +----------------------------------------------------------------
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: WARNING: normalizations disabled because DAQ can't replace packets.
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: Session Reload: Reference Count Non-zero for old configuration.
  • +1 in reply to Andrew English

    With IPS enabled, you will get a bit lower speed.  That's the nature of filtering, and with Sophos not updating Snort to a multi-threading capable version, it won't get any better unless IPS is disabled unfortunately.  XG may be different in handling this, and I'm sure it is, but... I don't use that product.

    Andrew English said:
    WARNING: normalizations disabled because DAQ can't replace packets.

    That's a Snort warning, but it can be ignored for the most part, I believe.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

Reply
  • +1 in reply to Andrew English

    With IPS enabled, you will get a bit lower speed.  That's the nature of filtering, and with Sophos not updating Snort to a multi-threading capable version, it won't get any better unless IPS is disabled unfortunately.  XG may be different in handling this, and I'm sure it is, but... I don't use that product.

    Andrew English said:
    WARNING: normalizations disabled because DAQ can't replace packets.

    That's a Snort warning, but it can be ignored for the most part, I believe.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

Children
  • 0 in reply to Amodin

    Yeap I saw another post mentioning lowering the 12 months to 6 months to improve the bandwidth but there is a cost to doing that. Funny enough my IPS on my home lab UDM-Pro doesn't affect my 1Gbit bandwidth at all. Makes me wonder if its even enabled. LOL

  • 0 in reply to Andrew English

    Hi Andrew and welcome to the UTM Community!

    As Alan and Amodin have said, Snort is single-threaded, so you will want to do speed tests on at least 2 devices simultaneously.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML