
IPS throughput again

Hello,

Yet another IPS question, like many others in the past. I have searched the old threads in the forum related to IPS, but could not find an answer to my question (maybe I missed something).

I am running Sophos UTM 9.705-3 virtualized on ESXi. It has 4 GB RAM and 4 cores assigned (the CPU barely goes over 2% usage).

My internet subscription is 500Mbps. 

The question here is regarding the IPS performance. When I keep the IPS disabled, a speed test shows about 440Mbps, which is fine.

When I enable the IPS (local networks->only one host) even with NO ATTACK PATTERN ticked, the speed test does not go over 320 Mbps. So I lose 100Mbps only by activating this feature; if I start to tick a few attack patterns like malware and windows (time 6 months) the speed drops to 290 Mbps and of course, if I tick more and more patterns, the speed drops accordingly.

I have played with the recommendations here https://support.sophos.com/support/s/article/KB-000034986?language=en_US&c__displayLanguage=en_US, but the result is the same.

Am I doing something wrong, or is this normal behavior of the IPS engine (eating a lot of bandwidth even in idle times)?

Thanks



  • IPS is powered by Snort, which is still single-threaded, and throughput is directly correlated to CPU single-threaded performance. It does per-packet scanning, so yes, enabling it will slow things down if the CPU can't keep up. When it comes to higher per-client IPS throughput, you need a higher-frequency CPU with better instructions per second.

  • Ok, but how high should the frequency of the CPU be? I currently have 4 x Intel Xeon E3-1270 V2 @ 3.50GHz. Isn't that enough?
    I know it is based on SNORT single threaded, but should this CPU handle the requirements? Also I see there is no high usage on it, no spikes, all good.
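
A single-threaded engine is bounded by one core, so the figure to look at is per-core utilisation rather than the average over all assigned cores. The following is an added example, not part of the thread or of any Sophos tooling: it assumes the Linux /proc/stat format, and the two snapshots and the 90% threshold are constructed for illustration.

```python
# Added example: per-core CPU utilisation from two /proc/stat snapshots.
# SAMPLE_T0 / SAMPLE_T1 are constructed values, not measurements from the thread.
SAMPLE_T0 = """\
cpu  4000 0 2000 394000 0 0 0 0 0 0
cpu0 1000 0 500 98500 0 0 0 0 0 0
cpu1 1000 0 500 98500 0 0 0 0 0 0
cpu2 1000 0 500 98500 0 0 0 0 0 0
cpu3 1000 0 500 98500 0 0 0 0 0 0
"""
SAMPLE_T1 = """\
cpu  4073 0 2013 394296 0 0 18 0 0 0
cpu0 1001 0 501 98598 0 0 0 0 0 0
cpu1 1001 0 501 98598 0 0 0 0 0 0
cpu2 1001 0 501 98598 0 0 0 0 0 0
cpu3 1070 0 510 98502 0 0 18 0 0 0
"""

def parse(stat_text):
    """Return {cpu_name: (busy_jiffies, total_jiffies)} from /proc/stat text."""
    out = {}
    for line in stat_text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("cpu"):
            continue
        # Fields: user nice system idle iowait irq softirq steal.
        # guest/guest_nice are skipped: the kernel already counts them in user/nice.
        vals = [int(v) for v in parts[1:9]]
        vals += [0] * (8 - len(vals))          # older kernels expose fewer fields
        idle = vals[3] + vals[4]               # idle + iowait
        out[parts[0]] = (sum(vals) - idle, sum(vals))
    return out

def utilisation(before, after):
    """Percent busy per entry ('cpu' is the all-core average) between snapshots."""
    a, b = parse(before), parse(after)
    pct = {}
    for name in b:
        if name in a:
            d_busy, d_total = b[name][0] - a[name][0], b[name][1] - a[name][1]
            pct[name] = round(100.0 * d_busy / d_total, 1) if d_total > 0 else 0.0
    return pct

def saturated_cores(pct, threshold=90.0):
    """Individual cores at or above the (hypothetical) threshold."""
    return sorted(n for n, p in pct.items() if n != "cpu" and p >= threshold)

if __name__ == "__main__":
    pct = utilisation(SAMPLE_T0, SAMPLE_T1)
    print(pct, "saturated:", saturated_cores(pct))
```

On a live Linux system, the same functions can be fed two reads of /proc/stat taken a second apart while the speed test is running.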
