
Gigabit Internet and Sophos - a losing combination

For the record, this is false advertising:

So now I've got to build my own box, and my only Sophos-approved point of reference is a hardware compatibility PDF that was last updated in Sept 2015.  The alternative I'm looking at is the SG 210 rev.3, and I'll be paying well over $1k for a device with a 2-core, 2-thread, 2 1/2 year-old $40 CPU.  What am I supposed to do?



  • All I can tell you is that we support hundreds of employees on an SG450 with a single 100 Mbps internet connection and satisfactory performance. CPU load is trivial.

  • Douglas, thank you for the reply.  The SG UTM can deliver 100 Mbps with all subscriptions enabled in most hardware configurations -- my SG115 can almost pull it off (although the load is only 10 power users).

    According to the screenshots I posted, any UTM above the SG/XG 125 will deliver 100 Mbps 'Realworld' IPS.  I need 1000 Mbps.

  • I am actually impressed that Sophos publishes any "real world" numbers. Most vendors do not because of these kinds of objections. These are additional things to consider as you look for the right hardware configuration for you.

    1) A 1 Gbps connection cannot deliver 1 Gbps of throughput. The Ethernet architecture requires interpacket gaps and packet headers, and TCP/IP adds additional headers. The theoretical limits have doubtless dropped since the transition from baseband to twisted-pair, so I don't know what's realistic with modern switches, but I suspect that 50% max is the most that is realistic even under highly-tuned conditions.

    2) Lots of home connections are asymmetric. There are some significant problems that can occur when the upload and download speeds differ significantly. My simplified understanding is that these configurations have problems because the ACKs are not received fast enough on the slow link. RFC 3449 has the technical details on this. I have been burned very badly when trying to connect to sites that both had asymmetric connections. I would expect that this will limit your effective throughput. Verizon has a FiOS optimizer tool available as a link from their speed test web page. It sets some Windows registry settings to minimize the impact of asymmetric connections. This is actually odd since FiOS is increasingly offered as a symmetric link. I have seen it have a positive effect, but it does not document its changes. I don't know how to tune the TCP/IP settings on a Unix-based box like UTM.

    3) Sophos has to add latency to do its work.   How much latency will be a function of how much analysis you are asking it to perform on a specific packet flow.   Whatever the latency, it will interfere with your ability to get maximum throughput.

    All of these are issues that are likely to be found on competitive configurations as well.   Happy hunting.
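The framing and header overhead mentioned in point 1 can be worked out exactly for a full-size frame. The following POSIX sh script is an added example and is not code from this thread or from Sophos; it assumes IEEE 802.3 framing (8-byte preamble/SFD, 14-byte header, 4-byte FCS, 12-byte minimum inter-frame gap), IPv4 and TCP headers without options, and a sender that keeps the link saturated with full-size frames. The function and constant names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: how much of an Ethernet link's line rate
# is left for TCP payload once framing and headers are paid for.
# Fixed per-frame costs in bytes (IEEE 802.3 framing, IPv4 and TCP without options).
PREAMBLE_SFD=8    # preamble + start-of-frame delimiter
ETH_HDR=14        # destination MAC, source MAC, EtherType
FCS=4             # frame check sequence
IFG=12            # minimum inter-frame gap, 12 byte-times
IP_HDR=20         # IPv4 header, no options
TCP_HDR=20        # TCP header, no options

# tcp_payload_per_frame MTU: TCP payload bytes carried by one full-size frame
tcp_payload_per_frame() {
    echo $(( $1 - IP_HDR - TCP_HDR ))
}

# wire_bytes_per_frame MTU: byte-times one full-size frame occupies on the wire
wire_bytes_per_frame() {
    echo $(( PREAMBLE_SFD + ETH_HDR + $1 + FCS + IFG ))
}

# goodput_kbps LINE_RATE_MBPS MTU: ceiling on TCP goodput in kbit/s (integer,
# truncated) when the link is saturated with full-size frames
goodput_kbps() {
    payload=$(tcp_payload_per_frame "$2")
    wire=$(wire_bytes_per_frame "$2")
    echo $(( $1 * 1000 * payload / wire ))
}

# efficiency_pct MTU: share of line rate available to TCP payload, one decimal
efficiency_pct() {
    awk -v p="$(tcp_payload_per_frame "$1")" -v w="$(wire_bytes_per_frame "$1")" \
        'BEGIN { printf "%.1f", 100 * p / w }'
}

# Demo: standard, small and jumbo frames on a 1 Gbit/s link
for mtu in 1500 576 9000; do
    printf 'MTU %4d: %s%% of line rate -> %d kbit/s TCP goodput at 1 Gbit/s\n' \
        "$mtu" "$(efficiency_pct "$mtu")" "$(goodput_kbps 1000 "$mtu")"
done
```

Two things the calculation leaves out are worth keeping in mind when comparing it with a speed test: TCP options such as timestamps (12 bytes, enabled by default on Linux) take the payload per 1500-byte frame from 1460 down to 1448, and the ACK stream flowing the other way is not counted at all, which is exactly the traffic that competes with uploads on the asymmetric links described in point 2.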

  • Douglas,

    I have symmetric gigabit fiber from AT&T. While they don't deliver 1000 Mbps, typical speed tests from geographically near test sites indicate 900-950 Mbps in either direction. Snort testing is disabled for such speed tests. When enabled, numbers drop to ~220 down/300 up Mbps. UTM is virtualized under ESXi. Box has an i5-5250U CPU, UTM gets 4 GB of RAM and 4 CPUs.

  • The reason that snort (IPS) will (dramatically) reduce throughput is that it is only a single-core application that is highly dependent on the CPU clock speed. The higher the clockspeed of the CPU the higher the throughput for IPS will be.

    Multiple cores can be used, however, but not for 1 connection; multiple users using the connection at the same time will use multiple cores (as far as I am correctly informed), but every user in itself can only use 1 core for their connection.

    Also, in the distant past I found that the following shell tweaks could squeeze out some more speed (I don't know if this is still applicable or necessary; on my current system there is no up_threshold file anymore and my scaling_governor was configured as 'powersave'):

    # Better performance: set every core (cpu0, cpu1, cpu2, cpu3 for a 4-core CPU) to the 'performance' governor
    for g in /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_governor; do echo performance > "$g"; done
    # Standard setting: back to the 'ondemand' governor
    for g in /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_governor; do echo ondemand > "$g"; done

    echo -n 50 > /sys/devices/system/cpu/cpufreq/ondemand/up_threshold   # better performance
    echo -n 95 > /sys/devices/system/cpu/cpufreq/ondemand/up_threshold   # standard setting


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
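The governor tweaks in the post above write blindly to sysfs paths that, as the poster notes, are not present on every system. The POSIX sh script below is an added example, not code from the thread or from Sophos: it lists the governor per core, switches governors only on cores whose kernel actually offers the requested one (checked against scaling_available_governors), and treats a missing ondemand/up_threshold as a reported condition rather than a silent failure. The function names and the CPU_SYSFS variable are this example's own; CPU_SYSFS exists so the functions can be exercised against a constructed sysfs-like directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos.
# Inspect and change the cpufreq governor on every core, touching only files
# that exist and only using governors the kernel offers on that core.
# CPU_SYSFS can be overridden to point at a constructed sysfs-like tree.
CPU_SYSFS=${CPU_SYSFS:-/sys/devices/system/cpu}

# list_governors: print "cpuN <governor>" for every core that exposes cpufreq.
list_governors() {
    for f in "$CPU_SYSFS"/cpu[0-9]*/cpufreq/scaling_governor; do
        [ -r "$f" ] || continue          # glob did not match, or not readable
        cpu=${f#"$CPU_SYSFS"/}           # cpuN/cpufreq/scaling_governor
        printf '%s %s\n' "${cpu%%/*}" "$(cat "$f")"
    done
}

# set_governor NAME: write NAME to every core whose scaling_available_governors
# lists it. Prints the number of cores changed; exit status 1 if none.
set_governor() {
    want=$1
    changed=0
    for f in "$CPU_SYSFS"/cpu[0-9]*/cpufreq/scaling_governor; do
        [ -w "$f" ] || continue
        avail="${f%/*}/scaling_available_governors"
        if [ -r "$avail" ]; then
            case " $(cat "$avail") " in
                *" $want "*) ;;            # offered on this core
                *) continue ;;             # not offered: leave the core alone
            esac
        fi
        printf '%s\n' "$want" > "$f" && changed=$((changed + 1))
    done
    echo "$changed"
    [ "$changed" -gt 0 ]
}

# set_up_threshold PCT: ondemand's up_threshold, the CPU load percentage at
# which the governor raises the clock. Exit status 2 when the tunable is
# absent (active governor is not ondemand, or the kernel does not have it).
set_up_threshold() {
    t="$CPU_SYSFS/cpufreq/ondemand/up_threshold"
    case $1 in
        ''|*[!0-9]*) echo "up_threshold must be an integer percentage" >&2; return 1 ;;
    esac
    if [ ! -w "$t" ]; then
        echo "no $t: governor is not ondemand, or the kernel has no such tunable" >&2
        return 2
    fi
    printf '%s' "$1" > "$t"
}

# Usage from the UTM shell as root:
#   sh governor.sh                 # show the current governor per core
#   . ./governor.sh                # source it, then:
#   set_governor performance
#   set_governor ondemand && set_up_threshold 50
list_governors
```

On a virtualized UTM such as the ESXi setup described earlier in the thread, the guest typically exposes no cpufreq tree at all, so list_governors prints nothing and set_governor changes zero cores; clock scaling is then the hypervisor host's concern, not the guest's.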

