Sophos UTM 9.705-3 Intrusion Prevention

Hello,

I appear to be having some trouble with the Intrusion Prevention on my UTM. When I have Intrusion Prevention enabled, my network speeds are reduced dramatically. For example, my WAN connection with and without Intrusion Prevention enabled:

Enabled - Download: 98Mbps
Disabled - Download: 206Mbps

I have tried changing various settings within Intrusion Prevention (whilst still having it enabled), but this made no improvement in the network speed. I had a look in the live-log whilst trying a speedtest and I had a large amount of this entry:

S5: Session exceeded configured max bytes to queue 1048576 using 1053000 bytes (client queue).

I tried doing some searches online for this but I can't seem to find anything other than it's nothing to worry about... but I'm pretty sure this is telling me what the problem is? Is it possible to increase the max bytes to queue? I'm currently using only 35% of 8GB RAM on this box.

Cheers,
Richard

  • I've always assumed that the snort single instance was the crux of the speed test always capping at <=100Mbps problem.

    I upgraded to 9.705-3 this morning and decided to search to see if I could find problems anyone else was reporting so I could be aware in case I experienced similar issues, and saw this thread.

    In the past I've found some things Bob has mentioned about settings that helped tune IPS but I never got over 100Mb (like 105 would be the highest burst I would see)

    Today I decided to spend some time playing with settings and I found an odd anomaly.
    ****disclaimer I'm not an expert at Sophos UTM, I've been using since Astaro 'in 2007ish I think', but follow the recommendations of support, and then defer to Bob, be ready to assume your own risks****

    Prior to 9.705-3, I had already set my num_instances to 7 for my 8 cpu VM: (default = 0 which is supposed to be n-1)

    cc set ips num_instances 7

    Prior to 9.705-3, I had already adjusted my queue_length:

    cc set ips queue_length 16384

    Today I decided to play with max_queued_bytes and immediately saw the speed increase:

    cc set ips snortsettings max_queued_bytes 2097152

    The anomaly was when I changed my max_queued_bytes back to 0 I'm still getting 220+Mbps. I've rebooted the UTM to be sure it wasn't a fluke, and I'm seeing similar S5 logs for max bytes:

    2020:10:03-07:14:21 vue-utm9fw snort[5551]: S5: Session exceeded configured max bytes to queue 1048576 using 1050867 bytes (client queue). 192.168.0.10 54928 --> 172.102.72.17 8080 (0) : LWstate 0x9 LWFlags 0x4e007
    2020:10:03-07:14:21 vue-utm9fw snort[5551]: S5: Pruned session from cache that was using 1060929 bytes (stale/timeout). 192.168.0.10 54446 --> 172.102.72.17 8080 (0) : LWstate 0x9 LWFlags 0xe007
    So I can't explain why, now that I'm back to max_queued_bytes 0, I'm not seeing the same results as before. I'm not seeing any abnormal spikes in memory or CPU on my vSphere realtime charts.
    ****I am not advocating you do this****
    ****change settings at own risk****
    ****this reply is only to share my experience****
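The S5 lines quoted in this reply are the most concrete evidence in the thread, so here is a small parser for them, added as an example (it is not code from the thread, from Sophos, or from the Snort project): it pulls the configured limit, the bytes actually queued, the queue side and the flow out of each "Session exceeded configured max bytes to queue" line, summarizes how far over the limit sessions went and which servers they were talking to, and checks whether a candidate max_queued_bytes value (the 2097152 tried above) would have covered every observed session. The limit is read from the log rather than assumed, because the reply above still logs 1048576 (which is also Snort's documented stream5 default) after the setting was put back to 0. The first two sample lines are the real ones from the reply; the third is constructed from the 1053000-byte figure in the original question, and the `would_fit` helper is a hypothetical name for this example.

```python
import re
from collections import Counter

# Constructed sample input: the two stream5 ("S5") lines quoted in the reply,
# plus a third line built from the 1053000-byte figure in the original
# question (that third line is not from the page). UTM live-log format.
SAMPLE_LOG = """\
2020:10:03-07:14:21 vue-utm9fw snort[5551]: S5: Session exceeded configured max bytes to queue 1048576 using 1050867 bytes (client queue). 192.168.0.10 54928 --> 172.102.72.17 8080 (0) : LWstate 0x9 LWFlags 0x4e007
2020:10:03-07:14:21 vue-utm9fw snort[5551]: S5: Pruned session from cache that was using 1060929 bytes (stale/timeout). 192.168.0.10 54446 --> 172.102.72.17 8080 (0) : LWstate 0x9 LWFlags 0xe007
2020:10:03-07:14:22 vue-utm9fw snort[5551]: S5: Session exceeded configured max bytes to queue 1048576 using 1053000 bytes (client queue). 192.168.0.10 54930 --> 172.102.72.17 8080 (0) : LWstate 0x9 LWFlags 0x4e007
"""

# Matches only the "exceeded" message. The "Pruned session" line is a
# different event (cache timeout) and is deliberately left out.
EXCEEDED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>client|server) queue\)\. "
    r"(?P<src>[\d.]+) (?P<sport>\d+) --> (?P<dst>[\d.]+) (?P<dport>\d+)"
)


def parse_exceeded(log_text):
    """Return one dict per 'Session exceeded ... max bytes to queue' line."""
    events = []
    for line in log_text.splitlines():
        m = EXCEEDED_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        for key in ("pid", "limit", "used", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def summarize(events):
    """How often the limit was hit, how far over it, and on which flows."""
    if not events:
        return {"count": 0}
    limits = {ev["limit"] for ev in events}
    limit = max(limits)
    max_used = max(ev["used"] for ev in events)
    return {
        "count": len(events),
        "configured_limits": sorted(limits),
        "max_used_bytes": max_used,
        # Percentage by which the largest queue exceeded the configured limit.
        "peak_overshoot_pct": round((max_used - limit) * 100.0 / limit, 2),
        "by_queue": dict(Counter(ev["queue"] for ev in events)),
        "by_server": dict(Counter((ev["dst"], ev["dport"]) for ev in events)),
    }


def would_fit(events, proposed_limit):
    """True if every logged queue size is at or under proposed_limit bytes.

    This only says the logged overshoots would stop at that value; it says
    nothing about the memory or throughput trade-off of raising the limit,
    which the thread itself leaves open.
    """
    return all(ev["used"] <= proposed_limit for ev in events)


if __name__ == "__main__":
    evs = parse_exceeded(SAMPLE_LOG)
    print(summarize(evs))
    print("fits under 2097152:", would_fit(evs, 2097152))
```

Feed it the output of the IPS live log (or `/var/log/ips.log` on the UTM, a path assumed here for the usage note) instead of the sample text. On the sample the overshoot is under half a percent of a 1 MB limit and every hit is the same server on port 8080, which is the kind of detail worth knowing before deciding whether the limit, or the traffic pattern of one client, is what needs attention.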
  • EDIT: 2020-10-06 Instead of using the link I provide here, use the one below found by Amodin and davery23.

    Excellent find, Dave!  I think the best thread here for such optimizations is Sascha Paris' old ASG Tweaking thread.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, I went to that ASG tweak link and the page isn't found.  ;)  

    I'd like to start tweaking mine, as my UTM seems to be having the same thing on this release, and I've SSH'd into my UTM maybe twice ever.

    I found this one, but wasn't sure if that was the same one you were trying to link.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thanks, old friend, I fixed the broken link in my post above.  I think the one you and Dave found is the newer version, so I'll edit the old one for Sascha and point users to the newer version.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, the 2.0 guide does need some tweaking of its own - I was just reading the TCP scaling, and where it points to adjust it is even out of date, lol. Some of it could also be a bit more specific.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Still having great trouble with IPS. Simply having it enabled, with everything within it disabled, is still crippling the connection to the Internet. I did a speedtest on two different machines, each connected to a different VLAN. Only one of those VLANs was included in the IPS config. Here are the results:

    Machine on VLAN which is included in IPS:

    Download: 120Mbps
    Upload: 21Mbps

    Machine on VLAN which is not included in IPS:

    Download: 185Mbps
    Upload: 20Mbps


    Both machines were tested twice and one after the other. Both tests used the same Speedtest.net server.

    Cheers,
    Richard

  • I just scanned this thread, Richard, and didn't see where you mentioned what CPU you have.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    The CPU in this box is an Intel® Core i5-2467M. The box has 8GB of RAM also.

    Cheers,
    Richard

  • We should have asked you that a while ago, Richard.  That's a 1.6 GHz dual-core introduced in 2011.  You're getting the maximum throughput that one would expect with that CPU - about the same as with the lowest-end Sophos SG appliance.  Depending on the number of people in your home, a newer dual- or quad-core processor with 3+ GHz is what's appropriate for your needs.  8GB sounds good.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA