IPS slows down internet by 50%

I have installed Sophos UTM 9 home edition on a VM. I have given this VM 2 or 4 (tried both) vCPUs and 2 or 4GB RAM (the free edition only uses 2GB, I think). When I test my internet with IPS on, I get a maximum of 150Mbps down. When I test with IPS off, I get my normal 350Mbps down. I test using multiple sites, beta.speedtest.net and ziggo.nl/speedtest.

The CPU isn't busy when I test; according to the Hyper-V Manager, maximum 8%.

The host hardware is:

X8DAH-+F

x5650

64GB

The VMs are running on 850 EVO 500GB SSDs.

I would like to use IPS, so could somebody help me fix this?



This thread was automatically locked due to age.
  • Hi, Nick, and welcome to the UTM Community!

    Note that Snort is single-threaded and that the tests you're using never use more than one vCPU.  A single test will not be able to fill that 350Mbps pipe unless you do some serious pruning of the rules as Mokaz suggests.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob thanks for the welcome!

    What does this mean exactly?

    Will my users (me and my girlfriend) be able to use the full 350Mbps pipe? I have run some tests; when I download a 1GB file I hit an average of 19/20MB/s, so not the full 350Mbps pipe, I assume.

    How many vCPUs and how much memory is enough for Sophos?

  • For normal home browsing, downloading, etc., I bet two vCPUs will be fine for the two of you.  If you both test with such downloads simultaneously, the total throughput for the two of you should fill your pipe.  The limiting factor for one user is the speed of the CPU and the number of Snort rules to process.

    Cheers - Bob

     
  • Bob,

    So that means that one user will not be able to use the full 350Mbps? Is that correct? Is the X5650 CPU that bad when it comes to Sophos? But what I don't get is that the vCPU usage isn't higher than 8%; if the CPU is the problem, shouldn't the load be higher then?

    Snort rules are not the same as Attack Patterns? Because I unchecked all the boxes, but that made no difference.

  • WebAdmin is a GUI that manipulates databases of objects and settings.  A single change there can cause the Configuration Daemon to rewrite hundreds of lines of the code used to run the UTM.  Sometimes, you need to wait a few minutes for changes to take full effect.

    You could probably fill a 350Mbps pipe with a single connection if you had a 6GHz CPU.

    Cheers - Bob

     
  • Bob,

    Thanks for all your help so far :)

    As far as I know there is no 6GHz CPU ;) My X5650 isn't that bad, is it? Is there a reason the scanning is single core? Making it multicore would improve the performance enormously, or am I missing something?

    Plus a friend of mine has got the same socket CPU but a little bit cheaper one. When he does the test he fills his complete internet pipe (200Mbps).

    Is there really no way to improve my performance a bit? Isn't it my Hyper-V which is causing a drop in download performance? Are there more people with download problems and using Hyper-V?

    In the near future I will probably upgrade to a socket 2011-3 server. But if you are right, this also will not really improve my performance, right? I will probably buy something like an E5-2620 on an Asus Z10PA-U8. Do you have a better suggestion for my upgrade with regards to Sophos? So far I am really impressed by Sophos; what a cool program, plus it has a lot of options!!

    I could use my workstation (Asus X99-a +5820) for a test. Install Windows Server 2016 and install the Sophos VM from the start. Import my configuration and run the test again. But like you said before, this will not really improve my download performance, right?

     

  • Mokaz' suggestion should help.  Disable the Snort rules again, [Apply] at each section, reboot, check that the rules are still disabled and test again.  Any change?

    Cheers - Bob

     
  • As said, try a professional grade hypervisor. Try the UTM barebone. And if you've read the post I've linked above, try HA Active/Active in order to load balance IPS. Or you might want to search for hardware based IPS offloading solutions in order to reach your perimeter bandwidth.

    I tend to trust this test;
    http://www.dslreports.com/speedtest