This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS Performance tests / hardware benchmarks (unofficial)

There have been a lot of questions here lately about hardware recommendations for high-speed internet connections. In my experience, the IPS (Snort) tends to quickly become a bottleneck on low-end to moderate hardware with 50mbps+ connections (or DMZ links).

Therefore, I'm creating this thread...

Note these are USER benchmarks, and are not conducted, validated, or endorsed by Sophos.

For general hardware compatibility information, please read
https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/27167

If you have a question, post at https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22095

I propose that we post here using this template:

Template for copying/pasting:
--------------------------- (begin template) ---------------------------
UTM Version tested:
UTM 64-bit or 32-bit: (run "uname -a" and look for x86_64 if unsure)
IPS Pattern Version tested:
# of IPS patterns enabled:
Anti-Portscan: [ON / OFF]
Anti-DoS/Flooding: [ON / OFF]
Application Control (Network Visibility): [ON / OFF]
Advanced Threat Protection (ATP): [ON / OFF]
System OR Motherboard:
Virtualization HyperVisor: (if any. include version #)
CPU: (include model #. cat /proc/cpuinfo if unsure)
RAM: [total GB, # of DIMMs, and speed (MHz and CAS, if known)]
Network Interfaces make/model/chipset: (use lspci if unsure)
Network Interface connection speed: (100mbps or 1gbps... verify with ethtool)
Network Interface BUS: (e.g. 1 onboard, one in PCIe x16 slot)
VLANs in use during benchmarks: [YES/NO] (If yes, specify if tests were run through a single NIC or dual)

any relevant non-default BIOS settings (such as thermal or power limits / throttling or overclocking):

If using Virtualization, also include:
# of CPU cores assigned to the UTM
any MHz limits are in place:
how the NICs are assigned to the VM (VT-D or bridged)
which NIC driver is in use (VMXNET3 is strongly recommended for ESXi):

Benchmark Client1:
CPU:
OS:
NIC:
NIC connection speed: (e.g. 100mbps or 1gbps)
AntiVirus?:
Comments:

Benchmark Client2 (e.g. iperf server / file server, ...):
CPU:
OS:
NIC:
NIC connection speed: (e.g. 100mbps or 1gbps)
AntiVirus?:
Comments:

Internet Connection type and advertised Up & Down Speeds (if any non-local tests were conducted):

Benchmark Results:
IPS OFF / disabled:
Local iPerf:
Local SMB/CIFS:
Local NFS:
Local iSCSI:
speedtest.net: [up / down] [browser used]
others:

IPS ON, single-stream:
Local iPerf:
Local SMB/CIFS:
Local NFS:
Local iSCSI:
speedtest.net: (up / down)
others:

IPS ON, multi-stream:
same as above, but with multiple clients or servers simultaneously. Relevant with multi-core CPUs, esp. if above results are slow.

Comments / Notes:
(general relevant comments)

Link to unofficial HCL hardware thread POST: (if any)

--------------------------- (end template) ---------------------------

INSTRUCTIONS / NOTES:
1. These benchmarks would be most helpful if all of the IPS pattern groups are enabled (which is currently the default), so we can get an apples-to-apples comparison.
Currently the "Extra Warnings" are disabled by default, so I'd recommend leaving them off.

2. Any changes to the IPS patterns or settings will cause the IPS to restart; during the restart, IPS performance will be inconsistent; please watch the CPU graph or tail the IPS log to be sure the restart completes before resuming benchmarks.

3. please check to see if any other traffic is passing the firewall before and during benchmarking, as this would cause the results to be too low.

4. "Local" means LAN(x)->LAN(y) or LAN->DMZ, not single-LAN!

5. iPerf for Windows is available at Iperf
un*x clients are available in most OS repos.

Running multiple tests with common ports is a good idea, as IPS performance will vary for different services. However, depending upon what services your OS is running, this may be difficult.
Make sure to allow iPerf through your firewalls (UTM and client/host firewalls).

6. Client/Server AntiVirus should be disabled during file or web tests.

7. Please disable the UTM's http proxy if doing HTTP / WEB tests, as it will badly skew the results in unpredictable directions.

8. VM hypervisors (ESXi, Hyper-V, Xen, KVM) are OK as long as they are mentioned
Please do not bother benchmarking anything running on a desktop virtualization system such as VMWare WorkStation / Fusion or Parallels, as their networking performance is generally poor and/or inconsistent.
If running Xen, KVM, etc. on top of another OS (RedHat, Ubuntu, ...), please mention so, and the OS version.

9. Please make sure there is enough RAM (there should be little or no SWAP utilization in Reporting->Hardware); the IPS will use 500-800MB per Instance (expect about 1 Instance per CPU CORE OR THREAD (different users are getting different results)). If you do not have enough RAM for multiple IPS instances, you can reduce them. 1 instance is sufficient for single-stream benchmarking.

Setting IPS instances to higher than # of PHYSICAL Cores will usually HURT performance, even if you have Hyper-Threading (at least that is the case on my Atom CPU).

10. Please do not keep yourself logged into webadmin during testing; it consumes a lot of CPU.
If you need to watch bandwidth graphs, iftop is available on the console.

11. Note that QOS settings can limit peak bandwidth.

12. The UTM's Hard Drive type and speed is irrelevant to IPS speed, as long as the system is not actively swapping.
However, for file-server tests, the Client/Server's drive speeds are important.

13. if you are not confident in your abilities or results, please post at https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22095 and ask for help

14. if I missed anything, please leave a reply to my other thread:
https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22095

Thanks!
Barry

This thread was automatically locked due to age.

0 BarryG over 12 years ago

UTM Version tested: 9.106
UTM 64-bit or 32-bit: 32-bit
IPS Pattern Version tested: 52015
# of IPS patterns enabled: 7942 of 15947
Application Control (Network Visibility): ON. (Turning off made no noticeable difference on this system)
System OR Motherboard: MSI Industrial Atom board (obsolete)
Virtualization HyperVisor: none
CPU: Intel Atom N270, 1.60GHz, single-core (+ HyperThreading)
RAM: 2GB, single DIMM. speed unknown at the moment, but I'm certain it meets the CPU's MAX RAM interface speed.
Network Interfaces make/model/chipset: dual Intel 82574L
Network Interface connection speed: 1gbps each
Network Interface BUS: both onboard, probably PCI bus
VLANs in use during benchmarks: YES. SINGLE-NIC for Local Tests

any relevant non-default BIOS settings (such as thermal or power limits / throttling or overclocking): not modified

Benchmark Client1 (fileserver, iperf client):
CPU: Intel i5-4670k, 3.4GHz
OS: Windows 8.1 RTM, 64-bit
NIC: Intel i217-v
NIC connection speed: 1gbps
AntiVirus?: disabled
Comments: used in all tests

Benchmark Client2 (iperf server):
CPU: Intel i7-620M (laptop, 2.66GHz dual core)
OS: Fedora 19 Linux, 64-bit
NIC: Intel 82577LM onboard
NIC connection speed: 1gbps
AntiVirus?: none
Comments: used only in iPerf tests

Benchmark Client3 (file server):
CPU: AMD Athlon 64, 2.2GHz
OS: Win 7, 32-bit
NIC: NVidia NForce4
NIC connection speed: 1gps
AntiVirus?: none
Comments: only for SMB/CIFS test

Internet Connection type and advertised Up & Down Speeds: FiOS 15/5, but frequently tests at 25/5 or even 25/10

Benchmark Results
IPS OFF / disabled:
Local iPerf: 434-461mbps. probably limited by PCI bus and/or single-NIC w VLANs
Local iPerf DUALTEST (bidirectional): 545-598mbps COMBINED. probably limited by PCI bus and/or single-NIC w VLANs
Local SMB/CIFS: 30mbps (probably limited by client HD speed)
speedtest.net: 25mbps down, 5.5mbps up. Browser: Chrome 30

IPS ON, single-stream:
Local iPerf, default port 5001: 32.0 - 33.9 mbps
Local iPerf, default, DUALTEST (bidirectional): 67-75 mbps COMBINED
Local iPerf, port 80: 16.9 - 17.7 mbps
Local iPerf, port 80, DUALTEST (bidirectional): 24-36 mbps COMBINED
Local iPerf, port 139: 28.1-31.5 mbps
Local iPerf, port 445: 30.8-34.3 mbps
Local SMB/CIFS: 4-5mbps [:(]
speedtest.net: 16.5mbps down, 5.5mbps up

IPS ON, multi-stream:
not relevant on this single-core CPU

Comments / Notes:
I'm not testing this system with all patterns turned on as the performance is already poor. No point in beating a dead horse.
see also: https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/41214 for some #'s with fewer patterns enabled.

The System Interrupt ('si' in top) load is very high on this system (>60% under iPerf). Apparently the NICs have no offloading features, etc.
That said, I've seen much poorer performance reports of Atom systems with Realtek NICs, so I don't regret getting Intels.

Warning: for single-stream, all currently (October 2013) available Atoms will not be any faster except for any GHz clock and RAM difference, as they are all the same CPU architecture. Multi-core should help with multi-stream.

Newer Atoms (Silvermont/Bay Trail/Avoton) are coming soon. They are supposed to have up to 50% better CPU performance, but I don't know what the real-world boost will turn out to be.

Link to unofficial HCL hardware thread POST:
https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/27167

Barry
0 BarryG over 12 years ago

UTM Version tested: 9.106
UTM 64-bit or 32-bit: 64-bit
IPS Pattern Version tested: 52155
# of IPS patterns enabled: 8826 of 16811 (default, all groups are on)
Application Control (Network Visibility): OFF
System OR Motherboard: HP MicroServer Gen8 - G1610T
Virtualization HyperVisor: none
CPU: Intel Celeron G1610T 2.30GHz dual-core (no HT)
RAM: 8GB, single DIMM, DDR3 1600 / PC3-12800 CL=11
Network Interfaces: dual Broadcom BCM5720
Network Interface connection speed: 1gbps
Network Interface BUS: dual onboard (PCIe)
VLANs in use during benchmarks: NO

any relevant non-default BIOS settings (such as thermal or power limits / throttling or overclocking): power management enabled, OS management setting

Benchmark Client1 (fileserver, iperf client):
CPU: Intel i5-4670k, 3.4GHz
OS: Windows 8.1 RTM, 64-bit
NIC: Intel i217-v
NIC connection speed: 1gbps
AntiVirus?: disabled
Comments: used in all tests

Benchmark Client2 (iperf server):
CPU: Intel i7-620M (laptop, 2.66GHz dual core)
OS: Fedora 19 Linux, 64-bit
NIC: Intel 82577LM onboard
NIC connection speed: 1gbps
AntiVirus?: none
Comments: used only in iPerf tests

Internet Connection type and advertised Up & Down Speeds: FiOS 15/5, but frequently tests at 25/5 or even 25/10

Benchmark Results
IPS OFF / disabled:
Local iPerf: 860-906mbps [[:D]]
Local iPerf DUALTEST: 1190-1210mbps [[:D]]
Local SMB/CIFS: pending
speedtest.net: pending

IPS ON, single-stream:
Local iPerf: 212-268mbps
Local iPerf DUALTEST: 229-280mbps COMBINED
Local iPerf port 80: 68-72mbps
Local iPerf port 80 DUALTEST: 140-146mbps
Local iPerf port 139: 189-196mbps
Local iPerf port 445: 153-221mbps
Local SMB/CIFS: pending
speedtest.net: pending

IPS ON, multi-stream:
pending

Comments / Notes:
By default, only one Snort process is running on this system.

The System Interrupt ('si' in top) load is very low on this system (peak 3.2%). I believe this is an indication of very good NICs.

Link to unofficial HCL hardware thread POST: https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/27167

Barry
0 apijnappels over 12 years ago

Hi Barry,

Are you doing all tests with iperf?
If so, which commands do you use?

iperf -s -p # (for the mentioned iperf tests).

Do you also use iperf for SMB/CIFS, or how do you test these?

Is the DUALTEST the iperf test with -d in the client or something else?

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
0 BarryG over 12 years ago

Hi,

Yes, I believe that's the correct iPerf command; I didn't change packet sizes or any advanced settings. All tests were done using TCP (which is default).

I did run iPerf on the SMB/CIFS ports (445 & 139); those tests are listed.

For the tests listed as "Local SMB/CIFS", I did file copies from LAN->DMZ between Win7 and Win8.1 PCs.
I'm not sure why the result was so poor compared to iPerf; the iPerf port 80 test result compares well to speedtest.net.

Barry
0 BarryG over 12 years ago

UTM Version tested: 9.171 (BETA)
UTM 64-bit or 32-bit: 64-bit
IPS Pattern Version tested: 54113
# of IPS patterns enabled: 1565 of 4657 (default, all groups are on, 12month age limit set)
Anti-Portscan: OFF
Anti-DoS/Flooding: OFF
Application Control (Network Visibility): OFF
Advanced Threat Protection (ATP): OFF
System OR Motherboard: GigaByte GA-Z87N-WiFi
Virtualization HyperVisor: none
CPU: Intel i5-4670 (Haswell) 3.4GHz (3.8GHz Turbo) quad-core (no HT), stock cooler
RAM: 4GB, single DIMM, DDR3 1866 / PC3 14900 CL=9@1866, using SPD
Network Interfaces tested:
1. Onboard Intel i217-V gigE NIC
2. PCIe Intel 82572EI gigE NIC
Network Interface connection speed: 1gbps
Network Interface BUS: PCIe
VLANs in use during benchmarks: NO

any relevant non-default BIOS settings (such as thermal or power limits / throttling or overclocking): defaults

Benchmark Client1 (fileserver, iperf server):
CPU: Intel i5-4670k, 3.4GHz
OS: Windows 8.1, 64-bit
Iperf 2.0.5-2
NIC: Intel i217-v
NIC connection speed: 1gbps
AntiVirus?: disabled
Comments: used in all tests

Benchmark Client2 (iperf client):
CPU: Intel i7-620M (laptop, 2.66GHz dual core)
OS: Fedora 19 Linux, 64-bit
Iperf 2.0.5
NIC: Intel 82577LM onboard
NIC connection speed: 1gbps
AntiVirus?: none
Comments: used only in iPerf tests

Internet Connection type and advertised Up & Down Speeds: FiOS 50/25, but tests at about 60/40.

Benchmark Results
IPS OFF / disabled:
Local iPerf: 430mbps
Local iPerf DUALTEST: 750mbps
Local SMB/CIFS: pending
speedtest.net: pending

IPS ON, single-stream:
Local iPerf: 360mbps
Local iPerf DUALTEST: 590mbps COMBINED
Local iPerf port 80: 308mbps
Local iPerf port 80 DUALTEST: 520mbps
Local iPerf port 139: pending
Local iPerf port 445: pending
Local SMB/CIFS: pending
speedtest.net: pending

IPS ON, multi-stream:
pending

Comments / Notes:
CPU throttling seems to be a problem on this system. User William has commented on this quite a bit in these forums. I had to run an instance of 'openssl speed' to get the CPU to run at full speed, otherwise the IPS results are less than half as fast.
This shouldn't be a problem on a busy, multi-user system, and even if it is a problem, port 80 still gets 120mbps.

By default, two Snort processes are running on this system, but I never saw more than one busy, even with multiple Iperf connections running (on one client/server pair). I guess it distributes load by IP?

The System Interrupt ('si' in top) load is very low on this system (peak 0.6%). I believe this is an indication of very good NICs (and a fast CPU).

I am not sure why the results for the i5 with IPS disabled are so much lower than the HP with IPS disabled, unless the Broadcom NICs are really that much better.
The Intel PCIe NIC in the i5 is pretty old.
Nonetheless, the IPS performance with the i5 is better, but this is also with the 9.2 beta, and there are some significant IPS changes there, so it's not an apples-to-apples comparison.

Link to unofficial HCL hardware thread POST: pending

Barry
0 apijnappels over 12 years ago

Hi Barry,

What do you mean with you had to run openssl speed? Is it something you run from the commandline?

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
0 BarryG over 12 years ago

Hi, yes, command-line.
I'm posting more about it at https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/29162

Barry
- 0 rfcat_vk over 12 years ago in reply to BarryG
  
  Hi Barry,
  trying to run some tests on my i3-4130 box using 9.194-5, so you get a better spread of results. So far not good, the added NIC keeps failing under load. The kernel shows an error.
  
  I don't have a spare PCI-e NIC to replace it with at the moment, no car and temp is 38c and rising.
  
  Ian
  
  I found another card hidden in the spare parts draw, but that gives the same errors. Either board incompatibility or faulty motherboard.
  Might be or might not be of interest, what little testing I was able to, the CPU never really budged from about 2% even when thoughput hit 96Mb/sec
  
  XGS118 - v21.5.0
  
  XG115 converted to software licence v21.5.0
  
  If a post solves your question please use the 'Verify Answer' button.
0 BarryG over 12 years ago

Hi Ian, there's a kernel bug with the intel driver and some NICs... What are you using?

There's a couple threads about it.

Barry
- 0 rfcat_vk over 12 years ago in reply to BarryG
  
  Hi Barry,
  Intel 82574L CT cards. I thought that was fixed in an earlier 9.2b.
  
  Only seems to happen under load and maybe a bit of heat as a result of the load.
  
  Ian
  
  XGS118 - v21.5.0
  
  XG115 converted to software licence v21.5.0
  
  If a post solves your question please use the 'Verify Answer' button.
0 William Warren over 12 years ago

UTM Version tested: 9.108
UTM 64-bit or 32-bit: 64 bit
IPS Pattern Version tested:57032
# of IPS patterns enabled:4494 of 19126 patterns
Anti-Portscan: ON
Anti-DoS/Flooding: OFF
QOS: BOTH(see below)
Application Control (Network Visibility): ON
Advanced Threat Protection (ATP): OFF
System OR Motherboard:
Virtualization HyperVisor: Hyper-v (Server 2008 R2)
CPU: Xeon E3-1220 v2 (3.10 GHZ)
RAM: 3 Gigs
Network Interfaces make/model/chipset: Intel Dual nic, 2x broadcom
Network Interface connection speed: Gigabit
Network Interface BUS: 2x onboard pcie x1 1 dual port pcie x4
VLANs in use during benchmarks: NO

any relevant non-default BIOS settings (such as thermal or power limits / throttling or overclocking): None set to dell Default

If using Virtualization, also include:
# of CPU cores assigned to the UTM 2
any MHz limits are in place: reserved 50% of total cpu power.  MAX 100%
how the NICs are assigned to the VM:  Intel assigned to internal lan..shared by file server vm internal and UTM internal and host internal. 1 nic assigned to wan only for utm.  1 nic assigned to internet dedicated to utm.  1 nic assigned for wifi dedicated to utm.
Windows drivers for all nics.

Internet Connection type and advertised Up & Down Speeds (if any non-local tests were conducted): Comcast cable provisioned at 50/10

Benchmark Results:
speedtest.net:
QOS OFF, IPS ON, http proxy a/v ON Dual Scan at 5 megabytes.
Speedtest.net by Ookla - My Results

QOS OFF, IPS ON, http Proxy OFF.
Speedtest.net by Ookla - My Results

QOS ON, IPS ON, Http Proxy ON
Speedtest.net by Ookla - My Results

Comments / Notes:
I have a couple of things going for me here.  One I've been using and been deeply tinkering with UTM since v4.  I also have fast enough hardware AND i have dedicated enough resources to the UTM to overcome it's IPS shortcomings.  During the runs with HTTP Proxy off the host cpu never went above 2.0 ghz.  Once the http proxy was engaged it got pegged to it's maximum of 3.1 ghz.  My host system however is fast enough to stuff a 50 meg pipe with single stream action though.  I have my qos set to 50/10 so you can see the reservations the download equalizer and upload optimizer has on my machine's performance(my wife is upstairs doing things and my kid and her friend are on their cell phones on the wifi).  I only have 2 cores assigned to the UTM because if i assigned 4 my IPS results would stink without me having to either modify the power profile of the host machine or reduce the number of ips instances to try to increase the load enough on one or two cores to force a ghz ramp.  Hopefully 9.2 or higher will rectify this shortcoming. For right now the best config is the fastest DUAL CORE cpu you can get.  unless you have more than 50 users with a high http proxy load a quad core is going to HURT your IPS performance instead of helping it.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
- 0 ManfredHeubeck over 10 years ago in reply to William Warren
  
  UTM Version tested: 9.309
  UTM 64-bit
  IPS Pattern Version tested: 78709
  # of IPS patterns enabled: 5525
  Anti-Portscan: OFF
  Anti-DoS/Flooding: OFF
  Application Control (Network Visibility): ON
  Advanced Threat Protection (ATP): ON
  System OR Motherboard: Gigabyte C1037UN-EU
  Virtualization HyperVisor: --------------------
  CPU: Celeron c1037U / 2x 1.8 Ghz
  RAM: 4GB
  Network Interfaces make/model/chipset: Realtek
  Network Interface connection speed: 1Gbit
  Network Interface BUS: 2x onboard (1x WAN / 1x LAN and Vlan)
  VLANs in use during benchmarks: YES single NIC
  
  any relevant non-default BIOS settings (such as thermal or power limits / throttling or overclocking): ------------------------------
  
  Benchmark Client1: Server
  CPU: C1037 (same Mainboard as UTM)
  OS: Windows 8.1 Pro
  NIC: Realtek
  NIC connection speed: 1gbps
  AntiVirus?: NO
  Comments:
  
  Benchmark Client2: Client
  CPU: AMD Phenom II 1090T @ 3.8ghz
  OS: Windows 7 Pro
  NIC: Realtek
  NIC connection speed: 1gbps
  AntiVirus?: Sophos UTM Client
  Comments:
  
  Internet Connection type and advertised Up & Down Speeds (if any non-local tests were conducted): VDSL 100 / 40 - Sync 93 / 35
  
  Benchmark Results:
  IPS OFF / disabled:
  Local iPerf: 430 mbps on Port 80 / without Vlan and UTM 630mbps on the same Switch
  Local SMB/CIFS: 430 mbps (limited by 1 NIC UTM, maybe Switch Vlan)
  Local NFS: ---------------
  Local iSCSI: ---------------
  speedtest.net: ---------------
  others:
  
  IPS ON, single-stream:
  Local iPerf: 165 mbps on Port 80
  Local SMB/CIFS: 300 mbps
  Local NFS: ---------------
  Local iSCSI: ---------------
  speedtest.net: ---------------
  others: