Circumventing processor throughput limitation on UTM using DMZ?

I have a home office with an SG-105. After recently upgrading to a 1Gbps broadband circuit, I am trying to figure out how to use that bandwidth for my home purposes, without the limitations of the UTM.

If I configure a port for a DMZ, can I shut off packet inspection for that port and then have access to the full internet bandwidth, understanding that I won't have security on that port?  Or will the throughput limitation of this sized UTM still apply?

Thanks for any input on this subject.

Steve



This thread was automatically locked due to age.
  • Hi Steve,

    The SG105 is by far not suitable for a gigabit connection, let alone for just iptables.

    Just for perspective, Sophos' official recommendation is an SG430 for a gigabit internet connection with IPS enabled; you could maybe get away with an SG330 for just AV.

    The processor of an SG430 rev. 2 is an E3-1225v3 (IIRC) and the SG105 is a dual-core Atom or a celery stick, if I remember correctly.

    Unfortunately, you can only either turn off IPS for your DMZ for iptables security only or you will have to upgrade (considerably).

    Sorry for the bad news.

    Emile

  • Emile:

    My thinking is to have zero security on the DMZ port.  Would that prevent the throughput limitation?

     

    Steve

  • Hi Steve,

    Frankly, I don't think that little CPU would be very good at handling gigabit switching even at best. If it were just DMZ and the internet, maybe.

    But anything that causes a CPU spike could drop your switching traffic throughput immediately. For just FW switching I would do a minimum of an SG135. Those 105s are really only designed for SOHOs with ADSL speeds with security applied.

    Emile

  • Hey Steve - welcome to the UTM Community!

    Let me add my voice to Emile's...

    I never recommend Sophos appliances for home users. If I were you, I would buy/make a PC with at least a 3+GHz quad-core CPU and 8MB of RAM. You'll be able to restore your existing configuration to the new device. Once you have your new UTM running, sell that 105.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I think this approach makes sense, especially since I have such a machine in my closet.

    But how does licensing work?  I don't see how I can transfer a UTM license.  Ideas?

    Thanks for taking the time to suggest this.

    Steve

  • Bob:  Which type of Linux would I install?

  • You're right that an appliance license won't work on your own computer, Steve.  If you're not running a business out of your home where you're using the UTM to protect your business, you can use the free home-use license.  If you are using this with business uses, send me a PM.

    Cheers - Bob

     
  • Hi,

    You don't install Linux, just the SG from the ISO disk.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA


  • Turns out that he does run a business out of his home.  In an exchange of PMs, I commented that the 105 was right for his business (includes Sophos Support!) and that the free home-use license could be put on a beefier computer so that non-business computers could take advantage of the Gb connection.

    Cheers - Bob

     