Reflexion will be End-of-life on March 31,2023. See Sophos Reflexion EoL FAQs to learn more.
Is there any recommendations for tweak IPS on a SG125w running UTM 9 (latest version)?We have a 100Mb/sec LOS connection which drops from 100Mbps to 70Mbps with IPS enabled.
This guide will help you improve IPS throughput by increasing the amount of Snort instances. It involves downloading Putty and requires you to SSH into the UTM, but it works.
"To ensure that other UTM processes have enough processing power, 1 CPU is set aside and by default not used by the IPS engine. On smaller UTM models with only 2 CPUs the result is that only a single Snort instance is used, which may result in lower than desired throughput when using IPS scanning."
Sophos UTM: Low throughput with Intrusion Prevention (IPS)
Another thing you can do is make sure "add extra warnings" is not enabled, and limit your IPS rules to <12 months.
Applied this change, the "add extra warnings" were not enabled by default, and the IP rules were limited to <12 months. With <12 months without the CPU update I was averaging 60 to 70Mbps on our 100Mbps connection. Looks like with the change I am getting around 83Mbps on the downstream which is an improvement.
I'm glad that you saw improvement, but also frankly surprised because it's single-threaded so each 'instance' of a used thread is like 'per user' maxed out.
I've done this on my quad-core Xeon in my UTM and saw zero improvement. That is until my ISP magically found some download bandwidth shortly after we saw the AT&T Fiber truck driving through our neighborhood announcing they were coming into the area, lol.
XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SSD HDD | GB Ethernet x5
I also saw a remarkable speed increase as well. I think the speed increase is more noticeable on dual core CPUs. Something about Snort instances=n-1, where n=the number of CPU cores.
Glad the tweak worked for Andrew. Since the IPS is the bottleneck of the UTM it would have been nice if this tweak was already implemented to begin with. And the lower tier SG units have very slow dual core CPUs.