IPS slows down internet by 50%

I have installed Sophos UTM 9 home edition on a VM. I have given this VM 2 or 4 (tried both) vCPUs and 2 or 4GB RAM (the free edition only uses 2GB, I think). When I test my internet with IPS on, I get a maximum of 150Mbps down. When I test with IPS off, I get my normal 350Mbps down. I test using multiple sites, beta.speedtest.net and ziggo.nl/speedtest.

The CPU isn't busy when I test; according to the Hyper-V Manager, maximum 8%.

The host hardware is:

X8DAH-+F

x5650

64GB

The VMs are running on 850 EVO 500GB SSDs.

I would like to use IPS, so could somebody help me fix this?



  • Indeed, IPS will hit performance; that is by design. IPS will scan each byte crossing by and search for a match across all the Snort signatures you've selected.


    First things first, select your signatures according to what you want to protect; Linux-based signatures aren't really useful if you do not have any Linux hosts in the protected networks. Web server signatures are of no use if you do not have any web servers behind the UTM. And so on...

    Second, IPS can be CPU intensive; you can tinker with the IPS engine count, although by default it's IPS engine count = number of CPUs minus 1.

    https://community.sophos.com/kb/en-us/120329

    https://community.sophos.com/kb/en-us/119464

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/22429/utm-tweaking-guide-2-0

    According to my testing, a bunch of rules are extremely CPU intensive: Attack against client software >> Multimedia (iTunes blabla)
    I'm running a UTM 9.5.x home-based license with 16 GB RAM and 4 vCPUs on an i7, and my ISP bandwidth is still reached with a full IPS implementation.

  • Thanks for your answer, I will try this.

    Do you know why Sophos only shows 2GB when I have given the VM 4GB?

  • Nope, I do not know (might be that you've set up without the 64-bit extensions, only thing I can think of), although I'll be honest with you: get a professional-grade hypervisor (ESXi, KVM or such). Also, try your UTM setup bare bone, without any hypervisor layer, so you know what the hardware is capable of.

  • No, I am sure I have installed the 64-bit extensions.

    I can increase the number of vCPUs, but the current load is 8% while testing my connection. So it doesn't really make sense to increase them. Does it?

    Switching to ESXi is not an option. I have to use Hyper-V.

    I could test without Hyper-V, but I would like to use it the way I am now.

    I will first look over your suggestions :)

  • Nope indeed, more vCPUs won't change much. Although if you'd set up at first with 2 vCPUs, I do not think the IPS count is dynamic. Meaning one engine in your case, even with 4 vCPUs afterwards.
    I'd back up your UTM config, set up a clean VM again with more RAM and 4 vCPUs, and restore your config. You should see at the VM layer the RAM amount you give at the HV layer. Memory limitations are only on the free XG, not the UTM, I think.

    Although, this will do just fine: https://www.vmware.com/products/vsphere-hypervisor.html
    I'd baseline on ESXi and advise from there.

  • I have increased the memory up to 16GB; I can see the change in the dashboard now. Don't know why I didn't see it before.

    Even when I turn all the attack patterns OFF, the download speed still doesn't go up.

    I will reinstall the VM with more vCPUs and the current 16GB.

  • Even after a reinstall with 8 vCPUs and 16GB (from the start), the download speed is still the same.

  • Hi, Nick, and welcome to the UTM Community!

    Note that Snort is single-threaded and that the tests you're using never use more than one vCPU.  A single test will not be able to fill that 350Mbps pipe unless you do some serious pruning of the rules as Mokaz suggests.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
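
Added example, not part of the thread: if one single-threaded engine handles a single test, an averaged CPU figure can stay low while one core is saturated, so per-core utilisation is the number to check. The sketch below derives it from two `/proc/stat` snapshots; the snapshot values are constructed for illustration, and having shell access to read `/proc/stat` on the firewall VM is an assumption.

```python
# Constructed /proc/stat snapshots, one second apart on a 4-vCPU VM while a
# single download runs. Values are illustrative, not measured on a real UTM.
BEFORE = """\
cpu  4000 0 2000 394000 0 0 0 0
cpu0 1000 0 500 98500 0 0 0 0
cpu1 1000 0 500 98500 0 0 0 0
cpu2 1000 0 500 98500 0 0 0 0
cpu3 1000 0 500 98500 0 0 0 0
"""
AFTER = """\
cpu  4066 0 2010 394294 0 0 30 0
cpu0 1060 0 507 98503 0 0 30 0
cpu1 1002 0 501 98597 0 0 0 0
cpu2 1002 0 501 98597 0 0 0 0
cpu3 1002 0 501 98597 0 0 0 0
"""

def parse_stat(text):
    """Map each cpu label to (busy_ticks, total_ticks)."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("cpu"):
            continue
        ticks = [int(x) for x in parts[1:9]]   # user .. steal
        idle = ticks[3] + ticks[4]             # idle + iowait
        out[parts[0]] = (sum(ticks) - idle, sum(ticks))
    return out

def utilisation(before, after):
    """Percent busy per label between two snapshots ('cpu' is the average)."""
    b, a = parse_stat(before), parse_stat(after)
    util = {}
    for cpu, (busy, total) in a.items():
        d_total = total - b[cpu][1]
        d_busy = busy - b[cpu][0]
        util[cpu] = round(100.0 * d_busy / d_total, 1) if d_total else 0.0
    return util

def pegged_cores(util, threshold=90.0):
    """Individual cores at or above the threshold, ignoring the average row."""
    return sorted(c for c, pct in util.items() if c != "cpu" and pct >= threshold)

if __name__ == "__main__":
    u = utilisation(BEFORE, AFTER)
    print("average:", u["cpu"], "% | pegged:", pegged_cores(u))
```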
  • Bob thanks for the welcome!

    What does this mean exactly?

    Will my users (me and girlfriend) be able to use the full 350Mbps pipe? I have run some tests; when I download a 1GB file I hit an average of 19/20MB/s, so not the full 350Mbps pipe, I assume.

    How many vCPUs and how much memory is enough for Sophos?

  • For normal home browsing, downloading, etc., I bet two vCPUs will be fine for the two of you.  If you both test with such downloads simultaneously, the total throughput for the two of you should fill your pipe.  The limiting factor for one user is the speed of the CPU and the number of Snort rules to process.

    Cheers - Bob

     