Yet another IPS question, like many others in the past. I have searched the old threads in the forum related to IPS, but could not find an answer to my question (maybe I missed something).
I am running Sophos UTM 9.705-3 virtualized on ESXi. It has 4 GB RAM and 4 cores assigned (the CPU barely goes over 2% usage).
My internet subscription is 500Mbps.
The question here is regarding the IPS performance. When I keep the IPS disabled, a speed test shows about 440 Mbps, which is fine.
When I enable the IPS (local networks -> only one host), even with NO ATTACK PATTERN ticked, the speed test does not go over 320 Mbps. So I lose 100 Mbps just by activating this feature; if I start to tick a few attack patterns like malware and windows (time: 6 months), the speed drops to 290 Mbps, and of course, if I tick more and more patterns, the speed drops accordingly.
I have played with the recommendations here https://support.sophos.com/support/s/article/KB-000034986?language=en_US&c__displayLanguage=en_US , but the result is the same.
Am I doing something wrong, or is this normal behavior of the IPS engine (eating a lot of bandwidth even in idle times)?
IPS is powered by Snort, which is still single-threaded, and throughput is directly correlated to single-threaded CPU performance. It does per-packet scanning, so yes, enabling it will slow things down if the CPU can't keep up. When it comes to higher per-client IPS throughput, you need a higher-frequency CPU with better instructions per second.
Ok, but how high should the frequency of the CPU be? I currently have 4 x Intel Xeon E#-1270 V2 @ 3.50GHz. Isn't that enough? I know it is based on Snort single-threaded, but should this CPU handle the requirements? Also, I see there is no high usage on it, no spikes, all good.
You can spawn multiple Snort instances. It's a good idea to go N-1, so you could have 3 consecutive Snort instances running. Much better performance.
How can i accomplish that?
SSH into the UTM as loginuser, then su - to root and run this command:
cc set ips num_instances 3
That will set it to 3 concurrent instances, or cc set ips num_instances 0 to put it back to the default.
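As an added example (not Sophos' tooling and not code from anyone in this thread), the following POSIX shell script turns the N-1 rule from the reply above into something repeatable: it reads the core count, keeps one core free, and builds the exact confd command shown above. Only the "cc set ips num_instances N" syntax comes from the thread; the core-count lookup, the IPS_APPLY guard and the dry-run behaviour are my own assumptions, so by default it only prints what it would run.

```shell
#!/bin/sh
# Added example for the thread above. Picks a Snort instance count with the
# N-1 rule and emits the "cc set ips num_instances N" command the reply shows.
# Everything except that command syntax is an assumption of this example.

# Number of online CPU cores; falls back to 1 if it cannot be determined.
core_count() {
    n=$(getconf _NPROCESSORS_ONLN 2>/dev/null || nproc 2>/dev/null || echo 1)
    case "$n" in
        ''|*[!0-9]*) n=1 ;;   # anything non-numeric: be conservative
    esac
    echo "$n"
}

# N-1 rule from the thread: leave one core for everything else that runs
# on the UTM, but never go below one instance. 4 cores -> 3 instances.
ips_instances() {
    cores=$1
    if [ "$cores" -le 1 ]; then
        echo 1
    else
        echo $((cores - 1))
    fi
}

# Build the confd command from the thread; "0" puts the default back.
ips_set_cmd() {
    echo "cc set ips num_instances $1"
}

# Dry run unless IPS_APPLY=1 is set and we are root on the box, so this is
# safe to read and run anywhere. Note: on a normal Linux host "cc" is the
# C compiler, not the UTM confd client, which is why the guard exists.
instances=$(ips_instances "$(core_count)")
cmd=$(ips_set_cmd "$instances")
if [ "${IPS_APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ] && command -v cc >/dev/null 2>&1; then
    $cmd
else
    echo "dry run: would execute '$cmd' (run as root on the UTM with IPS_APPLY=1 to apply)"
fi
```

Run it once without arguments to see the command it would issue for this VM (3 instances on the 4-core setup in the question); run it as root on the UTM with IPS_APPLY=1 to actually apply it, and use "cc set ips num_instances 0" by hand to return to the default.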