Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 22 replies
  • Subscribers 9 subscribers
  • Views 7021 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9.705-3 Intrusion Prevention

RichardHughes1

Hello,

I appear to be having some trouble with the Intrusion Prevention on my UTM. When I have Intrusion Prevention enabled, my network speeds are reduced dramatically. For example, my WAN connection; with and without Intrusion Prevention enabled:

Enabled - Download: 98Mbps
Disabled - Download: 206Mbps

I have tried changing various settings within Intrusion Prevention (whilst still having it enabled), but this made no improvement in the network speed. I had a look in the live-log whilst trying a speedtest and I had a large amount of this entry:

S5: Session exceeded configured max bytes to queue 1048576 using 1053000 bytes (client queue).

I tried doing some searches online for this but I can't seem to find anything other than it's nothing to worry about... but I'm pretty sure this is telling me what the problem is? Is it possible to increase the max bytes to queue? I'm currently using only 35% of 8GB RAM on this box.

Cheers,
Richard



This thread was automatically locked due to age.
  • 0 in reply to Amodin

    Thanks, old friend, I fixed the broken link in my post above.  I think the one you and Dave found is the newer version, so I'll edit the old one for Sascha and point users to the newer version.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thanks, the 2.0 guide does need some tweaking of its own - I was just reading the TCP scaling, and where it points to adjust it is even out of date, lol. Some of it could also be a bit more specific.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Still having great trouble with IPS. Simply having it enabled with everything within disabled, is still crippling the connection to the Internet. I did a speedtest on two different machines, each connected to different VLAN's. Only one of those VLAN's was included in the IPS config. Here are the results:

    Machine on VLAN which is included in IPS:

    Download: 120Mbps
    Upload: 21Mbps

    Machine on VLAN which is not included in IPS:

    Download: 185Mbps
    Upload: 20Mbps


    Both machines were tested twice and one after the other. Both tests used the same Speedtest.net server.

    Cheers,
    Richard

  • 0 in reply to RichardHughes1

    I just scanned this thread, Richard, and didn't see where you mentioned what CPU you have.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    The CPU in this box is a Intel® Core i5-2467M. The box has 8GB of RAM also.

    Cheers,
    Richard

  • 0 in reply to RichardHughes1

    We should have asked you that awhile ago, Richard.  That's a 1.6 GHz dual-core introduced in 2011.  You're getting the maximum throughput that one would expect with that CPU - about the same as with the lowest-end Sophos SG appliance.  Depending on the number of people in your home, a newer dual- or quad-core processor with 3+ GHz is what's appropriate for your needs.  8GB sounds good.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    I'm having similar issues. I'm constantly having to up the queue_length and max_queue_bytes with all these log errors.  I'm currently at  queue_length 32768 and max_queue_bytes 1000000. 

    Also why is our Snort version so old? it's 2.9.11.2 which is years old on the latest firmware. Can we not get it upgraded to at least the latest 2.9.x version? I mean 3.0 is in beta.

  • 0 in reply to Sophos User287

    Snort 2.9.11.2?  It's very difficult to vet and modify a new version for inclusion in a security product like UTM.  Most every module is several years old.  Instead of attempting to integrate every new version, the existing code is modified when there are new vulnerabilities found - that permits a faster response than bringing in the new version with the vulnerability repaired.

    Your current max_queue_bytes appears to be lower than the OP's.  What do you get with the following?

    cc get ips snortsettings max_queued_bytes

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Seem to be plenty of vulns being fixed if you check the changelog but anyway, not the real problem..

    cc get ips snortsettings max_queued_bytes
    10000000

    What we need to be able to do is modify memcap which seems to be hard set at the value. Is that possible? Or is this command supposed to do that because I don't see it changing.

Unfiltered HTML