Hardware Limitations In Home version

Is it possible to get the hardware limitations removed for the home version?  Or have they been removed in V18?

Parents
  • C'mon mate, lets imagine that sophos has to pay salaries, developing new solutions, ideas maintain current activities, infrastructure etc etc. We can be glad that sophos is allowing us a home users to using their product just for free with all features. Beside that, for home usage 4 cores and 6 gb is a overkill. With all features on you can gain 1GB/s. look how Fortigate(and other solutions) are expensive, what the are offering etc. With sophos you've got it for free with great community :) appreciate it ^^ and if you wanna use it for commercial just support it - buying it ;)

  • I understand this logic, but there is no reason to limit hardware if it is proven that the UTM is in a home location.  There are tons of other UTM packages out there that don't have hardware limitations.  I don't mind paying the annual license, but to pay the annual license with a hardware restriction is weak.  I guess I'll just stay on PFsense until they finally decide to remove the limitations.  Thanks

  • With the limitations I wouldn’t offer it as an option to home based clients.  With being unable to fully test the software to its full capacity no I wouldn’t spec out to my business clients.  Again it’s a choice the company makes.

  • Flyncalpoly said:

    With the limitations I wouldn’t offer it as an option to home based clients.  With being unable to fully test the software to its full capacity no I wouldn’t spec out to my business clients.  Again it’s a choice the company makes.

    I'm sure Sophos will be sad to lose your business.

  • Thanks for trolling.  If people like you are representing the company then I have no desire to be part of this community. Have a nice day troll

  • Flyncalpoly said:
    Thanks for trolling.  If people like you are representing the company then I have no desire to be part of this community. Have a nice day troll

    I'm sorry, but, What the fsck? Seriously?

     

    I can't believe I'm wasting my time writing this. This really looks like a weak troll post from you.

     

    In the beginning of the thread you said;

    Flyncalpoly said:
    there is no reason to limit hardware if it is proven that the UTM is in a home location.

    How in the world will you prove to Sophos that  your currently only running XG on a Home environment? Do you really think they will put a lot of people and money just to inspect all Home users 24/7/365 to know if their running the Home version within their homes, instead of a small office? Just so the home users can have no hardware limit.

    You should be grateful there even is a home license from the beginning.

    No other else NGFW vendor in the market does this.

     

    Flyncalpoly said:
    There are tons of other UTM packages out there that don't have hardware limitations.

    And all of them doesn't even come close to what Sophos XG is currently capable off. Most of them are half baked solutions, and open source packages that have no interconnection between themselves.

    Look at pfsense, you can't have an IPS such as Suricata or Snort inspecting decrypted content from Squid, just because both of them inspect traffic direct from the interface.

     

    Flyncalpoly said:
    The limitation could be removed with the annual plan of $50/yr for the home premium.

    As stated by , the old astaro had a home license for $50, but the administration cost has way too high to maintain, It's much simpler giving it out for free to the home users.

     

    Flyncalpoly said:
    What you see is fair is your opinion; what I see is fair as a power home user / home lab is different.

    If you were a Home lab user, or a power users you would know exactly the performance you can get from XG. Even for today standards you can get 1Gbit/s of inspected traffic with XG fairly easy.

    The only problem here are people running CPU's from 2010 and expecting to push 1Gbit on their old dual core celeron that even on 2010 standards has already too weak.

     

    Flyncalpoly said:
    The limitation isn't necessary, and pushes people away from the product, which it has done to me.

    The limitation is necessary, so companies don't abuse it.

     

    Flyncalpoly said:
    It doesn't seem this product is in primetime for power users.

    Complete the opposite, just give yourself a time and learn what XG is capable of.

     

    Flyncalpoly said:
    Would you use a faster computer if there were no hardware limitations?  If you had a 7th generation intel with 16gb of ram, a 3 year old computer, would you want hardware limitations on it? You don't see a problem; I do.  No argument in the world will change my mind that there shouldn't be hardware limitations built into the software..

     

    Why do you even want a i5, i7 just wasting energy and being loud as fsck while a 2018 Celeron that barely uses 20W can do 1Gbit with SSL/TLS Decryption?

     

    Flyncalpoly said:
    Any who this seems pointless at this time; as the developers will not unlock the software package for users.  Therefore, I will continue to use PFSense rather than giving the Sophos developers a yearly subscription fee.  Good luck to others; maybe they will finally realize this is the right thing in V20.

     

    https://www.enterpriseav.com/SFv-4C6.asp

     

    The current price for a 4C6GB license, with the same features of the home version will cost you $7000 USD/Year, do you really want more as a home user?

     

    Flyncalpoly said:
    With the limitations I wouldn’t offer it as an option to home based clients.  With being unable to fully test the software to its full capacity no I wouldn’t spec out to my business clients.  Again it’s a choice the company makes.

     

    One thing, Home Users here are the minority. And if you really wanted to offer XG for your clients, you could simply become a partner and get NFR licenses for demonstration.

  • “you could simply become a partner and get NFR licenses for demonstration.“

    Thank you had I known this I would have gone this route in the beginning.

  • If and when I can get Vodafone Gigafast etc.  I'm mulling a £500 budget for a device, I spent £300 on a UDM-Pro before selling it a month later.  They're now going for crazy money for what is such a flawed edge device.

     

    Tempted to sell the Pondesk unit I bought and get the i3 back into service.  The SFF PC with 4 port Intel NIC is just sat in the spares pile at the moment.  Not sure the total power consumption of the unit.

     

    This is a comparison between the two units I have atm re CPU - http://cpuspecs.com/E3845-vs-i3-6100T

  • Look at a Dell OptiPlex 3070 with i3-9100 - that's currently less than £500 with more than enough SSD storage, 8GB RAM.

    Install a PCIe network card, and you'll have the ultimate machine, that's reasonable on power, and also enough throughput.

    Tim Grantham

    Enterprise Architect & Business owner

  • Shame the SFF offering from Dell doesn't have the ability to install a SFF PCI-E NIC.

     

    The Intel I3-9100T has a lower TDP rating too.  Will look into options further etc.

  • I thought the SFF does - or do you mean the Micro - as I presume the later and yes would be nice if that had a PCI-e slot on it - would be perfect...

    Tim Grantham

    Enterprise Architect & Business owner

  • In that speedtest are you using the IPS and Advanced protection? or just a bare fw rule?

     

    Because I can max out a 3.6 GHZ processor with 3 cores 6 threads (virtualize) with IPS amd advanced protection at arround 400Mbps upload is much worse.

     

     Your sophos central account is bussiness or personal? what advanges do you have linking you fw to sophos central?

Reply
  • In that speedtest are you using the IPS and Advanced protection? or just a bare fw rule?

     

    Because I can max out a 3.6 GHZ processor with 3 cores 6 threads (virtualize) with IPS amd advanced protection at arround 400Mbps upload is much worse.

     

     Your sophos central account is bussiness or personal? what advanges do you have linking you fw to sophos central?

Children
  • I have IPS and ATP enabled and can get that level of performance, it will depend on your underlaying architecture - the E5-2697v4 CPUs are fairly powerful.

     

    2x cores of the E5-2697v4 gives the same level of performance as a i5-4400 (Going by CPU benchmark results)

    Tim Grantham

    Enterprise Architect & Business owner

  • How many virtual cores are you assigning to Sophos xg?

    Are you using esxi?

    I have a 2400G my single core performance is much better than yours

  • Using ESXi - was 6.5 and now 6.7 - 3 months time will be 7.0 - The VM has been assigned as 1 CPU with 2 core per socket - found the performance better that way.

     

    So you're on AMD - hmm, I've seen strange things with AMD in the past under virtualisation - where the CPU seems to bog down and not give the full performance when shared between several VMs - so much so that I stick with Intel for any hardware replacement programs, just because I know it will work and work well..

    Tim Grantham

    Enterprise Architect & Business owner

  • Hi,

    it is personal, the history is kept for 7 days.

    I setup the account during beta testing and it is still operational.

    What advantages, for me none really, but I can comment on it in the forums when things are not correct or someone asks for advice.

    CM does offer a couple reports the the native XG does not eg bandwidth usage.

    Ian

    You do get remote access to your XG without the exposing your external access, not that I need that anymore.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • This is weird because I don't have any performance issue when I use pfsense or opnsense virtualized

  • But both of those are different architecture - it's a bit like saying GIMP works fast on my machine, but PhotoShop doesn't...

     

    The other thing to bear in mind is the way that machines handle network configuration - the CPU under certain conditions will take the hit at processing, where on Xeon processors it's more left to the hardware in the Network Card...

     

    AMD used to be bad for this, and the CPU would load under heavy network traffic.

     

     

    I would suspect that the Sophos XG is more at home on Intel platforms than AMD.

     

    Don't get me wrong, AMD are good, but in the right circumstances - they are great for gaming machines, and general desktop performance.

    Tim Grantham

    Enterprise Architect & Business owner

  • My NIC are Intel i350 and they are passtrough to the VM so there is no emulation. These are enterprise grade nic and the HW offloading is disable you they are doing some work instead the CPU

    What you are mentioning has nothing to do with the CPU but with the network card chipset

    I have had VMs based on FreeBDS, Ubuntu and Centos and have always perform well, so maybe what it is not optimized is Sophos. I am using KVM and as far as I know Sophos is based on Ubuntu/debian

  • I hope you mean that TCP offloading is enabled, otherwise the CPU will be doing a lot of tasks, it will for a lot of tasks that require software inspection such as QoS.

    It potentially is possible that Sophos isn't optimised for AMD hardware, after all given that this is designed to run on their own hardware / Azure which is all intel based (as far as I know / yes there are AMD VMs available in Azure, but you specify them), then why go to the extra effort?

    I'm just going by previous experience, and albeit 3-4 years ago, we noticed that some AMD systems (DL385p G8's) were doing high CPU when transferring SMB traffic, changed to Intel hardware - DL380p Gen8 and it was much faster.

    Tim Grantham

    Enterprise Architect & Business owner

  • BLS said:
    I hope you mean that TCP offloading is enabled, otherwise the CPU will be doing a lot of tasks, it will for a lot of tasks that require software inspection such as QoS.

    By default most of the NIC offload is disabled on XG, I believe It's required for IPS to work in inline mode.

     

    SFVH_SO01_SFOS 18.0.0 GA-Build379.HF052220.1# ethtool --show-offload Port1
    Features for Port1:
    rx-checksumming: on
    tx-checksumming: off
            tx-checksum-ipv4: off
            tx-checksum-ip-generic: off [fixed]
            tx-checksum-ipv6: off
            tx-checksum-fcoe-crc: off [fixed]
            tx-checksum-sctp: off [fixed]
    scatter-gather: off
            tx-scatter-gather: off
            tx-scatter-gather-fraglist: off [fixed]
    tcp-segmentation-offload: off
            tx-tcp-segmentation: off
            tx-tcp-ecn-segmentation: off [fixed]
            tx-tcp-mangleid-segmentation: off
            tx-tcp6-segmentation: off
    udp-fragmentation-offload: off
    generic-segmentation-offload: off
    generic-receive-offload: off
    large-receive-offload: off
    rx-vlan-offload: off
    tx-vlan-offload: off

  • Hi,

     

    Can you change your search method from ac-bfna to hyperscan and do the same test again?

    Here's the difference by the default IPS options in XG to changing it to hyperscan, you can use "set ips search-method hyperscan" to change it.

     

    Iperf3;

    Default (ac-bfna):

    [ ID] Interval           Transfer     Bitrate
    [  5]   0.00-10.00  sec   989 MBytes   830 Mbits/sec                  receiver

     

    Hyperscan:

    [ ID] Interval           Transfer     Bitrate
    [  5]   0.00-10.00  sec  2.71 GBytes  2.33 Gbits/sec                  receiver

     

    Both of them where using only a single core from my XG.

    Also there's lot's of issues using XG with AMD hardware on KVM, primarily with SSL/TLS Decryption throughput.

     

    Using SSL/TLS Inspection:

    Saving to: ‘iso’

    iso                  11%[>                ] 207.05M  34.2MB/s

     

    Using Web Proxy:

    Saving to: ‘iso’

    iso                  14%[=>               ] 260.74M   217MB/s

     

    The CPU has a AMD Ryzen R7 1700.

     

     

    Edit: The results on ESXi is much better than KVM.

    Using the SSL/TLS Inspection with Decryption + IPS; I can get 70MB/s over a single core, which is the expected throughput for the CPU without using AES-NI. Also the same throughput I've got over a single core on a AMD Ryzen 3 2200G.

    So the issue is pretty much only on KVM.

     

    Thanks!