
CPU recommendations - more Cores or more GHz

Hi,

We have a 10Gb internet connection and recently we debugged some performance topics and ended up with the question: what will increase our throughput more, more cores or more GHz?

We saw that with IPS our throughput is dropping very much while one snort process is running at 100% CPU.

With IPS enabled: +- 75 MB/s, IPS disabled: 450 MB/s. MB, not Mbit.

Currently we have a dual CPU 8-Core X3460@2.80GHz while the average CPU usage is low in the reporting graphs.

As the hardware is quite old, we plan to upgrade to new servers and try to check for new CPUs. Maybe a single CPU E5-1650 6-Core@3.6 GHz would be a good choice?!

We don't have that many concurrent connections, but need fast ones :)

Thanks for feedback and suggestions. Regards, Götz



  • Hi,

    CPU cores and RAM are important.

    The IPS scanning engine can launch multiple processes on multiple CPU cores; however, only one process is used per IP source and destination pair.
    As the speed of the connection increases, the demand on the system resources also increases to process the increased packet flow.
    When using a fast network connection there will come a point where the available network bandwidth is greater than the speed at which the IPS process can scan
    the traffic, resulting in the CPU core running the process reaching 100%. There are no exact figures for this impact because it depends on the model of UTM and
    what else the system is doing at the time.

    As long as any new connections originate from either a different source or go to a different destination, these will pass through
    a new IPS process on a separate CPU core. This therefore allows a simultaneous connection to only have its speed capped when its CPU core reaches 100% or
    when the available network bandwidth has become saturated. In real-world terms this means the actual impact on network performance as a whole will
    not be as dramatic as the results of the speed test show, and end users are unlikely to notice any impact on network performance unless they are transferring
    very large files.

    Do not enable IPS on hosts, networks or services which are time-sensitive (VoIP etc).
    Ensure that you only enable Attack Patterns for hosts, operating systems and services which are actually running on your network.
    Add all internal HTTP, DNS, SMTP and SQL Servers to the appropriate dialog box in the 'Advanced' section for IPS configuration.
    Add a second UTM for High Availability and activate in "Active/Active" mode for load balancing of IPS processing.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
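The per-flow cap described in the answer above, as an added model that is not part of the thread or of the Sophos product code: each source/destination pair is pinned to one IPS process, so a single flow can never exceed one core's scanning rate, while the aggregate across pairs is only capped by the link. The round-robin pinning, the 75 MB/s per-core scan rate and the 450 MB/s link ceiling are constructed assumptions taken from the figures quoted in the thread.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# A flow is (src, dst, offered_rate_MBps). Constructed sample data only.
Flow = Tuple[str, str, float]


def assign_to_cores(flows: List[Flow], cores: int) -> Dict[int, List[Flow]]:
    """Pin every (src, dst) pair to one core. Round-robin over first
    appearance is an assumption standing in for the engine's own pairing
    logic; the property modelled is only 'one process per pair'."""
    pair_core: Dict[Tuple[str, str], int] = {}
    by_core: Dict[int, List[Flow]] = defaultdict(list)
    for src, dst, rate in flows:
        pair = (src, dst)
        if pair not in pair_core:
            pair_core[pair] = len(pair_core) % cores
        by_core[pair_core[pair]].append((src, dst, rate))
    return dict(by_core)


def throughput(flows: List[Flow], cores: int,
               core_scan_MBps: float, link_MBps: float):
    """Return (achieved MB/s per pair, total MB/s). A core that is offered
    more than it can scan caps every flow on it proportionally; the total
    is then capped by the link."""
    achieved: Dict[Tuple[str, str], float] = defaultdict(float)
    for core_flows in assign_to_cores(flows, cores).values():
        offered = sum(rate for _, _, rate in core_flows)
        cap = min(offered, core_scan_MBps)  # this core's scanning budget
        for src, dst, rate in core_flows:
            achieved[(src, dst)] += rate * cap / offered if offered else 0.0
    total = sum(achieved.values())
    if total > link_MBps:  # link saturated: scale everything down
        achieved = {k: v * link_MBps / total for k, v in achieved.items()}
        total = link_MBps
    return dict(achieved), total


if __name__ == "__main__":
    one = [("10.0.0.5", "10.0.0.9", 450.0)]  # one fast transfer (constructed)
    print("1 flow, 8 cores @75 MB/s :", throughput(one, 8, 75.0, 450.0)[1])
    print("1 flow, 16 cores @75 MB/s:", throughput(one, 16, 75.0, 450.0)[1])
    print("1 flow, 8 cores @96 MB/s :", throughput(one, 8, 96.0, 450.0)[1])
    many = [(f"10.0.0.{i}", "10.0.0.99", 75.0) for i in range(8)]
    print("8 pairs, 8 cores @75 MB/s:", throughput(many, 8, 75.0, 450.0)[1])
```

Adding cores leaves the single-flow result unchanged, while a faster core raises it; spreading the load over distinct pairs is what lets the aggregate reach the link ceiling.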

  • Hi,

    So, in short, I understand that for overall bandwidth more cores are helpful and for faster "single" connections a fast core is important. So the biggest bottleneck is a single-threaded IPS process regarding a fast connection to one system.

    Thanks for pointing that out! Regards, Götz
