
UTM 9 - IPS tweaking?

Are there any recommendations for tweaking IPS on an SG125w running UTM 9 (latest version)?

We have a 100Mb/sec LOS connection which drops from 100Mbps to 70Mbps with IPS enabled. 



This thread was automatically locked due to age.
  • I also see this in my IPS log, not sure what the warning means?

    022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | DFA
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 1 byte states : 2.94
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 2 byte states : 16.13
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: | 4 byte states : 0.00
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: +----------------------------------------------------------------
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: WARNING: normalizations disabled because DAQ can't replace packets.
    2022:10:21-11:47:50 3gmanu-fw01 snort[2542]: Session Reload: Reference Count Non-zero for old configuration.
  • With IPS enabled, you will get a bit lower speed.  That's the nature of filtering, and with Sophos not updating Snort to a multi-threading capable version, it won't get any better unless IPS is disabled unfortunately.  XG may be different in handling this, and I'm sure it is, but... I don't use that product.

    WARNING: normalizations disabled because DAQ can't replace packets.

    That's a Snort warning, but it can be ignored for the most part, I believe.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Yep, I saw another post mentioning lowering the 12 months to 6 months to improve the bandwidth, but there is a cost to doing that. Funny enough, my IPS on my home lab UDM-Pro doesn't affect my 1Gbit bandwidth at all. Makes me wonder if it's even enabled. LOL

  • Hi Andrew and welcome to the UTM Community!

    As Alan and Amodin have said, Snort is single-threaded, so you will want to do speed tests on at least 2 devices simultaneously.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA