This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS slows down my Internet connection since some days

Hi,

I recognized yesterday that my download speed is not as fast as it should be. I've a 120/6 Mbit/s line and during downloads I reach only about 50-60 Mbit/s. Upload is fine. So I did some further investigations and found out, that IPS is the problem. After disabling IPS on the UTM the download speed was fine.

I enabled IPS again and took a look into the logs, CPU and MEM load, but I can't find any hints what could cause the problem. I've disabled all checks in IPS (signatures, TCP and UDP flooding, port scanning...) without disabling IPS itself, but the download speed was still "slow".


I'm sure that last week the download speed was OK with IPS enabled. What could happend?

BTW: Since I've my UTM I've never seen any IPS matches in the logs and/or overview. That's strange in my opinion. Maybe my ISP is filtering this packets befor they can reache the UTM.

Jas



This thread was automatically locked due to age.
  • Hi Jas,

    Implementing IPS will by default effect the bandwidth. It is because packets are deep scanned and verified withing the ips engine which consumes bandwidth.

    Refer the guide here and fine tune the IPS configurations.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Ho :)

    I was pretty sure that I've already answered to your response, but i can't see/find it. So, new try....


    Of course IPS effects the bandwidth and/or performance of the UTM, but one or two weeks ago IPS was already enabled and the full bandwidth was available during downloads.

    The CPU and memory load is normal during downloads. Therefore I think it's not a performance problem.
    When I disable all signatures the bandwidth is still low. I must disable IPS itself to get the full bandwidth available.

  • In regard to not seeing many alerts, I doubt your ISP is filtering a lot.  But, it is important to remember that the IDS/IPS will only work against rules that allow traffic for the most part.  There are parts of advanced protection that will alert you to other issues, but not the signature-based IDS/IPS rules.

  • The rule age was the problem. It stood on "< 24 months". I can't remember that I've changed this value in the last weeks, but since I've set it back to "< 12 months" the speed is just fine.

    I still do not understand why IPS slows down the speed, when the CPU and MEM have no high load.

    But.....the main thing is, that it works now as expected.

    Thank you!

  • IPS is single-threaded, so the number of rules it checks can have a dramatic effect on throughput, as you've noticed.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA