
SG 135 can only handle 45% of my ISP speeds?

I have a 1 Gbps Internet connection and so I purchased an SG 135 with the understanding per the spec sheet that the IPS can handle 1,500 Mbps throughput. Well I set it up to bare bones just for testing by enabling only the firewall and IPS. Speedtests with iperf show that I can only get 500 Mbps up and down.

 

Baffled, I asked support which said "IPS will reduce up to 45% of bandwidth from what your Internet Provider said as all traffic will be scanned."

 

Where is this documented and how does this make sense? Wouldn't the 1,500 Mbps throughput that is advertised include scanning, since that's what an IPS does? The way support explained it, even if I buy a 3,000 Mbps IPS from Sophos, I will still only get 500 Mbps.

 

This is in bridged mode in full transparent mode. As a test I also disabled all attack pattern scans with still the same results.



  • See here for the spec sheet: https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-xg-series-appliances-brna.aspx 

    According to this, you theoretically should receive 1200 Mbps for a 135 in NGFW mode.

    In your case, tweaking IPS values will possibly improve IPS throughput.

    See the following KB for parameters that can be tweaked: https://community.sophos.com/kb/en-us/124015 

    I'd also make sure that in your case all 4 CPU Cores are used for IPS.

     

    Edit: Ah, forget all I mentioned above. You are talking about SG. On SG firewalls there is a known limitation in IPS that one specific traffic flow can only be handled by one single CPU core. If you do tests as you did, and you run top on the firewall's CLI while testing, you will see that one core is at 100% while the others are idle. This behaviour of SG cannot be changed as far as I know. But you could test with a second computer at the same time, and then you will get 2x500 Mbps and 2 cores at 100%.

    Because of the inability to create fine-grained IPS policies in SG, this firewall should not be used in projects where IPS is a strong focus, because it simply is not the right platform for that. Switching to XG would be the solution then.

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • Thank you for looking at the spec sheet, but that's for the XG. I have an SG. The spec sheet on that (SG 135) is 1500 Mbps on the IPS. Even if I got half of that, it'd hit 750 Mbps and I'd be happier than I am now.

     

    I'll look at the tweaking guide. I had no idea you could put all CPU cores on the IPS, I just assumed the device would self manage resources. Thanks

     

    Edit: saw your edit after I responded. Well then I think maybe I misunderstood the SG. It's actually unfortunate that I didn't get all that I thought I would. I should maybe look to return this and have a look at the XG then. I purchased this mostly for the IPS :-|

  • Jonathan Bartell said:

     

    Edit: saw your edit after I responded. Well then I think maybe I misunderstood the SG. It's actually unfortunate that I didn't get all that I thought I would. I should maybe look to return this and have a look at the XG then. I purchased this mostly for the IPS :-|

     

    There is a possibility to migrate your SG Hardware to XG. See https://community.sophos.com/kb/en-us/124588 
    So maybe it's not necessary to return the Hardware. 

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • You will have a similar issue with the XG. You need to learn or pay someone to tune your IPS.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP


  • Hi Jonathan and welcome to the UTM Community!

    If you do return that, ask Sophos Sales for a recommendation of a reseller that will take the time to understand your needs and give you good counsel.  Then again, maybe you did get good advice and just don't understand the issues...

    Snort is a single-threaded process, so any one access will use only one core.  To get the true measure of the throughput with that quad-core Atom, you would need four simultaneous tests on four separate devices.  If you need for one connection to have much more speed, you would need a lot more GHz.  If you have many users, you will likely be able to fill your pipe with no problem.  You might want to read Performance issues with IPS on SG210.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
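A way to confirm the behaviour described in the replies above (one single-threaded Snort flow pegging one core while the rest sit idle) is to take two /proc/stat snapshots on the appliance's Linux CLI about a second apart while a single iperf stream is running, and compute per-core utilisation from the tick deltas. The script below is an added example and is not from this thread, from Sophos, or from the SG firmware. The two /proc/stat samples are constructed to show one saturated core; the 90% "hot" and 20% "idle" thresholds, and the rough "single-flow rate times core count" estimate of aggregate IPS capacity (which assumes enough parallel flows to land on every core), are assumptions, not figures from the spec sheet.

```python
"""Per-core utilisation from two /proc/stat snapshots, and a check for the
"one flow, one core" IPS bottleneck discussed in the thread. Added example;
thresholds and the aggregate estimate are assumptions."""
import os
import re
import time
from typing import Dict, Optional, Tuple

# Matches per-core lines 'cpu0 ...', 'cpu1 ...'; skips the aggregate 'cpu ' line.
CORE_LINE = re.compile(r"^(cpu\d+)\s+(.*)$")

# Single-flow result reported in the original post (iperf, one stream).
SINGLE_FLOW_MBPS = 500

# Constructed samples (assumed USER_HZ=100, taken 1 s apart): cpu0 is fully
# busy, cpu1..cpu3 are almost idle. Non-cpu lines are present to show they are ignored.
SAMPLE_BEFORE = """\
cpu  1900 0 500 23000 0 0 80 0 0 0
cpu0 1000 0 200 5000 0 0 50 0 0 0
cpu1 300 0 100 6000 0 0 10 0 0 0
cpu2 300 0 100 6000 0 0 10 0 0 0
cpu3 300 0 100 6000 0 0 10 0 0 0
intr 123456 0 0 0
ctxt 654321
"""
SAMPLE_AFTER = """\
cpu  1963 0 532 23294 0 0 91 0 0 0
cpu0 1060 0 230 5000 0 0 60 0 0 0
cpu1 301 0 101 6098 0 0 10 0 0 0
cpu2 302 0 100 6097 0 0 11 0 0 0
cpu3 300 0 101 6099 0 0 10 0 0 0
intr 123999 0 0 0
ctxt 655000
"""


def parse_proc_stat(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {core: (busy_ticks, total_ticks)} for each cpuN line.

    Fields: user nice system idle iowait irq softirq steal [guest guest_nice].
    idle + iowait count as idle. Only the first eight fields are summed, because
    guest time is already included in user/nice (same convention as top).
    """
    cores: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = CORE_LINE.match(line.strip())
        if not m:
            continue
        fields = [int(x) for x in m.group(2).split()][:8]
        if len(fields) < 5:
            continue
        idle = fields[3] + fields[4]
        total = sum(fields)
        cores[m.group(1)] = (total - idle, total)
    return cores


def per_core_utilization(before: Dict[str, Tuple[int, int]],
                         after: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Percentage of ticks each core spent busy between the two snapshots."""
    util: Dict[str, float] = {}
    for core, (busy1, total1) in after.items():
        if core not in before:
            continue
        busy0, total0 = before[core]
        delta_total = total1 - total0
        if delta_total <= 0:
            continue
        util[core] = round(100.0 * (busy1 - busy0) / delta_total, 1)
    return util


def diagnose(util: Dict[str, float], single_flow_mbps: int,
             hot: float = 90.0, idle: float = 20.0) -> Dict[str, object]:
    """Flag the single-flow pattern: exactly one hot core, all others idle.

    estimated_aggregate_mbps is a rough upper bound (assumption): the measured
    single-flow rate multiplied by the core count, reachable only with enough
    concurrent flows to keep every core busy.
    """
    hot_cores = sorted(c for c, u in util.items() if u >= hot)
    idle_cores = sorted(c for c, u in util.items() if u <= idle)
    single_flow_bound = len(hot_cores) == 1 and len(idle_cores) == len(util) - 1
    estimate: Optional[int] = single_flow_mbps * len(util) if single_flow_bound else None
    return {
        "hot_cores": hot_cores,
        "idle_cores": idle_cores,
        "single_flow_bound": single_flow_bound,
        "estimated_aggregate_mbps": estimate,
    }


def analyse(before_text: str, after_text: str,
            single_flow_mbps: int = SINGLE_FLOW_MBPS) -> Dict[str, object]:
    """Parse both snapshots and return utilisation plus the diagnosis."""
    util = per_core_utilization(parse_proc_stat(before_text), parse_proc_stat(after_text))
    result = diagnose(util, single_flow_mbps)
    result["utilization"] = util
    return result


if __name__ == "__main__":
    # On a real appliance run this while a single iperf stream is flowing;
    # without /proc/stat (e.g. not Linux) fall back to the constructed samples.
    if os.path.exists("/proc/stat"):
        with open("/proc/stat") as f:
            first = f.read()
        time.sleep(1)
        with open("/proc/stat") as f:
            second = f.read()
    else:
        first, second = SAMPLE_BEFORE, SAMPLE_AFTER
    print(analyse(first, second))
```

If the output shows one core near 100% and the others near zero with a single stream, the 500 Mbps figure is the per-flow ceiling of that core, not the appliance's total; repeat the measurement with several streams from separate hosts and the hot-core list should grow while the per-stream rate stays roughly the same.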