I have a Rangeley C2758F (8 cores at 2.4GHz). When in the firewall I exclude lots of countries (Africa, Arab countries, North Korea etc.), I keep rules against Windows, Linux and FTP attacks 24 months old and I put in the blacklist a list of domains taken from malwaredomainlist.com, my speedtest shows 50Mbps. On wireless I have 30Mbps.
I have 2 lines of 100Mbps each + 1 backup line on VDSL with 5Mbps. My Sophos UTM 9 does load balancing between the 2 lines of 100Mbps and failover on the 5Mbps.
My network is composed of a 48-port Gigabit Ubiquiti switch + a 48-port Gigabit PoE Ubiquiti switch interconnected at 10Gbps through SFP+ multimode and an OM4 patch cord.
Access points are Ubiquiti AC AP PRO directly connected to the Ubiquiti switches through CAT 7A 1500MHz cable at an average distance from the switches of 30 metres.
The poor speed is due to the fact that Sophos UTM uses Snort, which is single-threaded and requires lots of GHz in the CPU to allow a good transfer rate (good = 100Mbps and more).
Unfortunately when I built my appliance I had in mind to install pfSense, which takes advantage of a high number of cores and doesn't care much about clock speed.
I like Sophos UTM better, but I will soon need to change my mainboard and CPU if I want to use a lot of rules and at the same time not be forced to use just 15% of the bandwidth that I pay for.
If you are happy with a J1900, good for you... I work as a telecom engineer, routers and hardware are my passion and for me it is normal to have 30000 euros of equipment at home and I want great performance... Others give 10.000 euros for a bike made of carbon and are happy with 256Kbps internet and 50 euro Android phones...
I have been reading through most of this post from the beginning. From the time of the original post to now we have had a few years and many new CPUs have come on the market, for both home systems and the server world.
Just thought to give you some other ideas you might want to think about for your UTM configuration. I still run UTM version 9.7. I have it running as a VM on VMware ESXi 6.7, on an old Dell R510. The UTM VM is given 4 CPUs and 6 GB RAM with 4 network ports. It runs well for my home network. I do I.T. work so I need a reliable system for remote access into my employer's network. I am planning to go back to a physical box just because I want it as its own appliance. No issues or any performance issues with the VM. I can take snapshots and also back up the VM image. If you do use several computers at home, and/or for a "learning lab", and they can be VMs, it might be worth the money to build a single larger machine and virtualize some of your systems as well as UTM or XG: one system to run production as well as test machines. You might want to look into VMware, VirtualBox or a similar hypervisor, and maybe on eBay or other sources find a used, well equipped server with dual CPUs (6 or 8 cores) and run UTM/XG virtually, adding resources to the VM as needed. So as your network / firewall needs grow you can easily add CPU and RAM to the UTM VM. You need to have 4 to 8 physical network ports on the VM server because, depending on your WAN, LAN, DMZ or other networks on the UTM, you will want an interface for each to assign to the UTM / XG.
I have 6 VMs on my ESXi system, dual 6-core CPUs, hyper-threading and 48 GB RAM, and plenty of disk storage. VMware offers a free ESXi license that has most features / functions you would need. Besides that I run several Windows 2016 servers and some Linux systems on the ESXi server. Saves space, and maybe in the long run power, since you have one well equipped machine. And you can have many computer systems in one box. So just a thought.
I used to run the UTM on old servers; again, my VM configuration of Sophos UTM is using only 3% CPU and 44% of the 6 GB RAM. Firewall, Intrusion Prevention, Web Filtering, SMTP & POP3 Proxy, Wireless Protection, Antivirus, Antispam, Antispyware, DHCP and DNS are currently enabled. My ISP is MediaCom with their fastest Internet package, I think it is up to 1 gig download and 100 meg upload. I do a lot of streaming and large file sync transfers with my web site on GoDaddy.
Hope this idea is of some use, best of luck finding the best hardware solution for your firewall.
My home Network / Computer system looks more like what you would find in a small to medium business. I.T. is my profession and I use what one would find in a business more than a typical home or small home office. I do this to keep my I.T. skill set current.
There are many MBs out there that run low power. If you are using MS products on VMs then you are not really saving much in the way of power because they don't allow the server to sleep. A VM should have dedicated cores and memory running at close to max speed if you are planning on any decent performance or throughput. Snort will not ramp up the CPU unless there are multiple users and will then become your bottleneck.
Hello, yes I agree. At this point, power with the ESXi is not as much of a concern for me. I can see for others it is a good factor to look at. I live alone so there are not multiple users; maybe at times, between all the VMs hitting Microsoft for updates all at the same time while I am streaming or working on some VMs that need Internet access, it is a little hard for me to really tax the Sophos, I suppose. My HP Gen 7 server should be arriving in a week's time; that will pull more power than the UTM VM on that server. For my home use and lab use, I try to configure and do things as one might find in the average to medium business, and do run my own small data center of sorts. I know I am more of the exception than the norm. So in that respect, as far as power goes, I am not saving. But I thought to just put that idea out there for anyone who might not have thought about such a possible configuration. I am thinking of doing more with the ESXi system and the VMs on it, where they are getting used more and are Internet facing for e-mail and web server. I appreciate your thoughts and thank you for the post.
I know ESXi very well and I actually ran pfSense and after that Endian in a virtualized environment based on ESXi 5.5 for more than a year before passing to Sophos UTM. For testing purposes it's great, but running a firewall in a virtual environment in production (even at home) is not a good idea because it augments the "surface" of possible attacks.
Moreover, a server like you have represents a single point of failure for the whole network: it's enough that your power supply gets hosed and all your network and services are down. Idem when you decide to power it off for replacing or upgrading components.
And also: unless built on reliable server-grade material in an air-conditioned room and in an IT rack with UPS (as I have at home), your network is at risk.
I took the path of separating my appliances many years ago and I do regular backups on a FreeNAS server with 72TB raw space with 2 pools of 6 disks in RAIDZ2 on redundant UPS, closed in a 42" rack in a controlled temperature/humidity room.
For the firewall I plan to move soon to an i3-9100F with 8 ECC RAM on a Supermicro X11SCL-IF (I ALWAYS buy Supermicro and server-grade material even for my everyday use PCs) just because I'm not in the mood to change the Supermicro SC505-203B case that I already have.
The heatsink will of course be a Supermicro SNK-P0049A4, which fits both the case and the max TDP of 65W allowed by the case and reached by the i3-9100F (which I wanted to replace with an i3-9350KF, but it draws 130W).
To compensate for the lack of NICs on the mainboard (only two) I'll use an Intel quad NIC like the 350 mounted using a riser cable.
I tend to stay away from servers purchased on eBay at low budget and with powerful processors but with astronomical power requirements: they are out of warranty and in the long run they will cost more to run. Don't get me wrong: I often purchase components on eBay and Amazon... but just the ones that are non-critical (case, monitors) or that you know from the beginning that if they work, they work (CPU and RAM)... but I would not buy a whole server... unless new or unless it is just for "play" or for unimportant stuff.
I like to assemble my servers myself and pick each component exactly tailored for the task... as an example, on my FreeNAS I have a 58€ CPU, a Pentium G3220, that has never been used more than 40% since 2013, but I have an HBA adapter SAS3 9305-24i 12Gb/s which I paid 600€ for and 12 6TB Western Digital Gold WD6002FRYZ disks, which represent 2750€ in disks... and that makes all the difference in transfer rate.
Hardware balance must be applied only to PCs which are MULTIPURPOSE; a server is UNBALANCED by nature as it needs to do a SINGLE JOB.
An ESXi server will never be hardware-tailored for every possible machine inside; this is why in datacenters they tend to virtualize the same class of servers (all firewalls in one, all Windows servers in another) and not a single ESXi server which contains firewall, database, Windows server, MAME emulator, syslog server, NAS and Plex... this is called masochism.
Just for info:
I did migrate to an i3-9100F on a Supermicro X11SCL-IF with 16GB ECC RAM in a Supermicro SC505-203B case + a 4-port Gigabit NIC card with a riser, the lot assembled by me.
I have two coaxial internet lines that each provide 200Mbps download and 10Mbps upload.
Using a blacklist taken from https://www.malwaredomainlist.com/hostslist/hosts.txt, another personalized blacklist added to it with around 50 entries, Windows and Linux rules 24 months old + country blocking, and bundling the lines together, I have a download speed of 335Mbps out of 400Mbps (2 x 200Mbps).
Performance is basically equivalent to the Sophos SG 450 rev 2, which uses a Xeon quad-core E3-1275v5 @3.6GHz (for a fraction of the price).
For the same type of case (which doesn't allow for more than a 65W CPU because of heat) we could consider the Xeon E-2234 (71W), which is slightly more powerful.
But honestly the i3-9100F is at 80 dollars on Amazon versus the Xeon E-2234 that costs 389 dollars... so I chose the i3-9100F.
I can improve the speeds using a feature in the Supermicro "X11SCL-IF" motherboard that allows me to put the CPU in "ALWAYS TURBO", and of course by reducing the rules for Windows and Linux to <12 months.
I will test this as soon as possible and I will share the results here.
Passing from the Atom C2758 to the i3-9100F increased my download speed between 3 and 5 times (before I was doing around 70Mbps, or 100Mbps at best).
If somebody is interested in buying a SUPERMICRO A1SRi-2758F equipped already with 8GB ECC for 300 euros just let me know :)
Which features have you turned on?
I am using 2x Sophos SG330 (put a Xeon E3-1235v3 inside) here (HA cluster, active-passive) and I had no problem using my 500Mbit/s fully (single-threaded download) with all features activated. When the antivirus engine is downloading and checking the file, the CPU usage is about 30%...
Same thing before with my old server used as firewall (Xeon X3450): 500Mbit/s was no problem... CPU usage a little bit higher.
BUT I have installed and tested some Sophos SG105 and SG115 (rev2) here over time and with IPS activated the bottleneck was really the CPU.
SG105 ~80 Mbit/s
I have A LOT of features on:
In Network Protection > Firewall I block all IPv6 and a scanner list of around 200 IP addresses (in and out).
In Intrusion Prevention > Attack Patterns I have rule age "no time limit" for Windows, Linux and Others, 24 months for attacks against servers (DNS, FTP, SSH, SNMP, RADIUS, CVS), 12 months for attacks against client software and no time limit for protocol anomaly and malware.
In Web Protection > Web Filtering Profiles > Filter Actions I block WEAPONS, CRIMINAL ACTIVITIES, GAMBLING, DRUGS, EXTREMIST SITES, NUDITY, and then I add this list: http://mirror1.malwaredomains.com/files/justdomains
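As an added example (not part of this thread, and not Sophos code): the two lists mentioned above come in different formats, a hosts.txt file ("sink-IP hostname") and a one-domain-per-line justdomains file, and a personal list usually gets appended by hand. The script below merges both formats into one deduplicated domain list, drops the localhost noise that every hosts file carries, rejects entries that are not valid hostnames, and removes subdomains whose parent domain is already blocked, which trims the number of entries the UTM has to evaluate. The sample lists are constructed and use names under .test.

```python
import re
from typing import Iterable, List, Optional, Set

# Hostnames present in every hosts file that are not blocklist entries.
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label

def normalize(name: str) -> Optional[str]:
    """Lowercase, strip a trailing dot, reject noise and syntactically invalid hostnames."""
    name = name.strip().lower().rstrip(".")
    if not name or name in HOSTS_NOISE or len(name) > 253 or "." not in name:
        return None
    return name if all(LABEL.match(lbl) for lbl in name.split(".")) else None

def parse_hosts_format(lines: Iterable[str]) -> Set[str]:
    """hosts.txt style: 'IP hostname [hostname ...]'; '#' starts a comment."""
    out: Set[str] = set()
    for line in lines:
        fields = line.split("#", 1)[0].split()
        for field in fields[1:]:  # fields[0] is the sink address (127.0.0.1 / 0.0.0.0)
            d = normalize(field)
            if d:
                out.add(d)
    return out

def parse_domain_list(lines: Iterable[str]) -> Set[str]:
    """justdomains style or a personal list: one domain per line, '#' comments."""
    return {d for d in (normalize(l.split("#", 1)[0]) for l in lines) if d}

def collapse_subdomains(domains: Set[str]) -> List[str]:
    """Drop entries whose parent is listed: blocking bad.test already covers cdn.bad.test."""
    kept = []
    for d in sorted(domains):
        parts = d.split(".")
        if not any(".".join(parts[i:]) in domains for i in range(1, len(parts) - 1)):
            kept.append(d)
    return kept

def build_blocklist(hosts_text: str, domain_text: str) -> List[str]:
    merged = parse_hosts_format(hosts_text.splitlines()) | parse_domain_list(domain_text.splitlines())
    return collapse_subdomains(merged)

# Constructed samples (not real feed content).
HOSTS_SAMPLE = ("# constructed hosts.txt-style sample\n127.0.0.1  localhost\n"
                "127.0.0.1  Malware-Example.test\n127.0.0.1  cdn.malware-example.test  # covered by parent\n"
                "127.0.0.1  bad_host.test  # underscore is not a valid label\n")
PERSONAL_SAMPLE = "# constructed personal list\ntracker.example.test.\nmalware-example.test\n"

if __name__ == "__main__":
    print("\n".join(build_blocklist(HOSTS_SAMPLE, PERSONAL_SAMPLE)))
```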
You're not paying me for advice, but the following is aimed at others just as much as at you...
I doubt you can do anything to speed up your UTM with your current configuration. Adding a list of over 26 thousand sites is not the best way to use the UTM.
At Check Single URL, you can get a free membership that allows you to check 100 sites at a time. That should give you the additional categories you might want to block instead of blocking a list like the one in the TrustedSource database.
A well-cared for environment shouldn't need IPS rules older than 12 months.
Cheers - Bob