IPS throughput again

Hello,

Yet another IPS question, like many others in the past. I have searched the old threads in the forum related to IPS, but could not find an answer to my question (maybe I missed something).

I am running Sophos UTM 9.705-3 virtualized on ESXi. It has 4 GB RAM and 4 cores assigned (the CPU barely goes over 2% usage).

My internet subscription is 500Mbps. 

The question here is regarding the IPS performance. When I keep the IPS disabled, a speed test shows about 440 Mbps, which is fine.

When I enable the IPS (local networks -> only one host), even with NO ATTACK PATTERN ticked, the speed test does not go over 320 Mbps. So I lose 100 Mbps just by activating this feature; if I start to tick a few attack patterns like malware and Windows (age 6 months) the speed drops to 290 Mbps and of course, if I tick more and more patterns, the speed drops accordingly.

I have played with the recommendations here https://support.sophos.com/support/s/article/KB-000034986?language=en_US&c__displayLanguage=en_US, but the result is the same.

Am I doing something wrong, or is this the normal behavior of the IPS engine (eating a lot of bandwidth even in idle times)?

Thanks

  • IPS is powered by Snort, which is still single threaded, and throughput is directly correlated to CPU single-threaded performance. It does per-packet scanning, so yes, enabling it will slow things down if the CPU can't keep up. When it comes to higher per-client IPS throughput, you need a higher-frequency CPU with better instructions per second.
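A small worked model of the point made in the reply, added here as an illustration (it is not Sophos or Snort code, and the packet sizes used are constructed assumptions). It turns a link rate into the packets per second a single inspection thread must handle and the microseconds of CPU it may spend per packet, and it applies the numbers quoted in the question (440 Mbps without IPS, 320 Mbps with it) to show how large the overhead is and what a fully busy single thread looks like in an aggregate CPU graph on a 4-vCPU VM.

```python
"""
Per-packet CPU budget for a single-threaded inline IPS.

Added illustration, not vendor code: the engine is modelled as one thread
that must look at every packet, so its ceiling is set by how many packets
one core can inspect per second. The throughput figures come from the
forum post; the average packet sizes are constructed for the example.
"""

MBIT = 1_000_000  # bits per megabit


def packets_per_second(rate_mbps: float, avg_packet_bytes: int) -> float:
    """Packets per second needed to sustain rate_mbps at the given average size."""
    return rate_mbps * MBIT / (avg_packet_bytes * 8)


def per_packet_budget_us(rate_mbps: float, avg_packet_bytes: int) -> float:
    """Microseconds a single core may spend on each packet and still keep up."""
    return 1e6 / packets_per_second(rate_mbps, avg_packet_bytes)


def max_throughput_mbps(cost_us_per_packet: float, avg_packet_bytes: int) -> float:
    """Throughput ceiling for one core when each packet costs cost_us_per_packet us."""
    pps = 1e6 / cost_us_per_packet
    return pps * avg_packet_bytes * 8 / MBIT


def ips_overhead_pct(mbps_without: float, mbps_with: float) -> float:
    """Percentage of throughput lost when the IPS is switched on."""
    return 100.0 * (mbps_without - mbps_with) / mbps_without


def saturated_thread_aggregate_pct(vcpus: int) -> float:
    """What one fully busy thread shows as in a graph that averages all vCPUs."""
    return 100.0 / vcpus


def budget_table(rate_mbps: float, sizes=(1500, 512, 64)) -> dict:
    """Per-packet budget (us) for several constructed average packet sizes."""
    return {size: per_packet_budget_us(rate_mbps, size) for size in sizes}


if __name__ == "__main__":
    without_ips, with_ips = 440.0, 320.0  # figures quoted in the question

    print(f"IPS overhead: {ips_overhead_pct(without_ips, with_ips):.1f}% of throughput")
    for size, budget in budget_table(with_ips).items():
        pps = packets_per_second(with_ips, size)
        print(f"  at {with_ips:.0f} Mbps with {size:4d}-byte packets: "
              f"{pps:9.0f} pps, {budget:6.2f} us per packet on one core")

    # If a packet costs 37.5 us to inspect, one core tops out at 320 Mbps of
    # 1500-byte packets; smaller packets lower that ceiling proportionally.
    print(f"ceiling at 37.5 us/packet, 1500 B: {max_throughput_mbps(37.5, 1500):.0f} Mbps")

    # A single saturated inspection thread on a 4-vCPU guest averages out to
    # 25% in the hypervisor's per-VM CPU graph, far above the 2% reported.
    print(f"one busy thread on 4 vCPUs shows as {saturated_thread_aggregate_pct(4):.0f}%")
```

The useful check this gives a practitioner is the last line: with four vCPUs, a Snort thread that is actually the bottleneck would register as roughly 25% aggregate CPU, so a guest that never exceeds 2% is not obviously CPU-bound, and the per-packet budget table shows how quickly the headroom shrinks as the average packet size drops.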
