There have been a lot of questions here lately about hardware recommendations for high-speed internet connections. In my experience, the IPS (Snort) tends to quickly become a bottleneck on low-end to moderate hardware with 50mbps+ connections (or DMZ links).
Therefore, I'm creating this thread...
Note these are USER benchmarks, and are not conducted, validated, or endorsed by Sophos.
For general hardware compatibility information, please read
https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/27167
If you have a question, post at https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22095
I propose that we post here using this template:
Template for copying/pasting:
--------------------------- (begin template) ---------------------------
UTM Version tested:
UTM 64-bit or 32-bit: (run "uname -a" and look for x86_64 if unsure)
IPS Pattern Version tested:
# of IPS patterns enabled:
Anti-Portscan: [ON / OFF]
Anti-DoS/Flooding: [ON / OFF]
Application Control (Network Visibility): [ON / OFF]
Advanced Threat Protection (ATP): [ON / OFF]
System OR Motherboard:
Virtualization HyperVisor: (if any. include version #)
CPU: (include model #. cat /proc/cpuinfo if unsure)
RAM: [total GB, # of DIMMs, and speed (MHz and CAS, if known)]
Network Interfaces make/model/chipset: (use lspci if unsure)
Network Interface connection speed: (100mbps or 1gbps... verify with ethtool)
Network Interface BUS: (e.g. 1 onboard, one in PCIe x16 slot)
VLANs in use during benchmarks: [YES/NO] (If yes, specify if tests were run through a single NIC or dual)
any relevant non-default BIOS settings (such as thermal or power limits / throttling or overclocking):
If using Virtualization, also include:
# of CPU cores assigned to the UTM
any MHz limits are in place:
how the NICs are assigned to the VM (VT-D or bridged)
which NIC driver is in use (VMXNET3 is strongly recommended for ESXi):
Benchmark Client1:
CPU:
OS:
NIC:
NIC connection speed: (e.g. 100mbps or 1gbps)
AntiVirus?:
Comments:
Benchmark Client2 (e.g. iperf server / file server, ...):
CPU:
OS:
NIC:
NIC connection speed: (e.g. 100mbps or 1gbps)
AntiVirus?:
Comments:
Internet Connection type and advertised Up & Down Speeds (if any non-local tests were conducted):
Benchmark Results:
IPS OFF / disabled:
Local iPerf:
Local SMB/CIFS:
Local NFS:
Local iSCSI:
speedtest.net: [up / down] [browser used]
others:
IPS ON, single-stream:
Local iPerf:
Local SMB/CIFS:
Local NFS:
Local iSCSI:
speedtest.net: (up / down)
others:
IPS ON, multi-stream:
same as above, but with multiple clients or servers simultaneously. Relevant with multi-core CPUs, esp. if above results are slow.
Comments / Notes:
(general relevant comments)
Link to unofficial HCL hardware thread POST: (if any)
--------------------------- (end template) ---------------------------
INSTRUCTIONS / NOTES:
1. These benchmarks would be most helpful if all of the IPS pattern groups are enabled (which is currently the default), so we can get an apples-to-apples comparison.
Currently the "Extra Warnings" are disabled by default, so I'd recommend leaving them off.
2. Any changes to the IPS patterns or settings will cause the IPS to restart; during the restart, IPS performance will be inconsistent; please watch the CPU graph or tail the IPS log to be sure the restart completes before resuming benchmarks.
3. please check to see if any other traffic is passing the firewall before and during benchmarking, as this would cause the results to be too low.
4. "Local" means LAN(x)->LAN(y) or LAN->DMZ, not single-LAN!
5. iPerf for Windows is available at Iperf
un*x clients are available in most OS repos.
Running multiple tests with common ports is a good idea, as IPS performance will vary for different services. However, depending upon what services your OS is running, this may be difficult.
Make sure to allow iPerf through your firewalls (UTM and client/host firewalls).
6. Client/Server AntiVirus should be disabled during file or web tests.
7. Please disable the UTM's http proxy if doing HTTP / WEB tests, as it will badly skew the results in unpredictable directions.
8. VM hypervisors (ESXi, Hyper-V, Xen, KVM) are OK as long as they are mentioned
Please do not bother benchmarking anything running on a desktop virtualization system such as VMWare WorkStation / Fusion or Parallels, as their networking performance is generally poor and/or inconsistent.
If running Xen, KVM, etc. on top of another OS (RedHat, Ubuntu, ...), please mention so, and the OS version.
9. Please make sure there is enough RAM (there should be little or no SWAP utilization in Reporting->Hardware); the IPS will use 500-800MB per Instance (expect about 1 Instance per CPU CORE OR THREAD (different users are getting different results)). If you do not have enough RAM for multiple IPS instances, you can reduce them. 1 instance is sufficient for single-stream benchmarking.
Setting IPS instances to higher than # of PHYSICAL Cores will usually HURT performance, even if you have Hyper-Threading (at least that is the case on my Atom CPU).
10. Please do not keep yourself logged into webadmin during testing; it consumes a lot of CPU.
If you need to watch bandwidth graphs, iftop is available on the console.
11. Note that QOS settings can limit peak bandwidth.
12. The UTM's Hard Drive type and speed is irrelevant to IPS speed, as long as the system is not actively swapping.
However, for file-server tests, the Client/Server's drive speeds are important.
13. if you are not confident in your abilities or results, please post at https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22095 and ask for help
14. if I missed anything, please leave a reply to my other thread:
https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22095
Thanks!
Barry
This thread was automatically locked due to age.
