Hardware Limitations In Home version

Is it possible to get the hardware limitations removed for the home version?  Or have they been removed in V18?

Parents
  • C'mon mate, lets imagine that sophos has to pay salaries, developing new solutions, ideas maintain current activities, infrastructure etc etc. We can be glad that sophos is allowing us a home users to using their product just for free with all features. Beside that, for home usage 4 cores and 6 gb is a overkill. With all features on you can gain 1GB/s. look how Fortigate(and other solutions) are expensive, what the are offering etc. With sophos you've got it for free with great community :) appreciate it ^^ and if you wanna use it for commercial just support it - buying it ;)

  • I understand this logic, but there is no reason to limit hardware if it is proven that the UTM is in a home location.  There are tons of other UTM packages out there that don't have hardware limitations.  I don't mind paying the annual license, but to pay the annual license with a hardware restriction is weak.  I guess I'll just stay on PFsense until they finally decide to remove the limitations.  Thanks

  • I have IPS and ATP enabled and can get that level of performance, it will depend on your underlaying architecture - the E5-2697v4 CPUs are fairly powerful.

     

    2x cores of the E5-2697v4 gives the same level of performance as a i5-4400 (Going by CPU benchmark results)

    Tim Grantham

    Enterprise Architect & Business owner

  • BLS said:

    I thought the SFF does - or do you mean the Micro - as I presume the later and yes would be nice if that had a PCI-e slot on it - would be perfect...

     

     

    Sorry, yes I was referring to the Micro.

     

    Currently on a 70/20 Vodafone ADSL connection, just wanting Vodafone to pull their finger out for rolling out Gigafast more.  

  • How many virtual cores are you assigning to Sophos xg?

    Are you using esxi?

    I have a 2400G my single core performance is much better than yours

  • Using ESXi - was 6.5 and now 6.7 - 3 months time will be 7.0 - The VM has been assigned as 1 CPU with 2 core per socket - found the performance better that way.

     

    So you're on AMD - hmm, I've seen strange things with AMD in the past under virtualisation - where the CPU seems to bog down and not give the full performance when shared between several VMs - so much so that I stick with Intel for any hardware replacement programs, just because I know it will work and work well..

    Tim Grantham

    Enterprise Architect & Business owner

  • Hi,

    it is personal, the history is kept for 7 days.

    I setup the account during beta testing and it is still operational.

    What advantages, for me none really, but I can comment on it in the forums when things are not correct or someone asks for advice.

    CM does offer a couple reports the the native XG does not eg bandwidth usage.

    Ian

    You do get remote access to your XG without the exposing your external access, not that I need that anymore.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • This is weird because I don't have any performance issue when I use pfsense or opnsense virtualized

  • But both of those are different architecture - it's a bit like saying GIMP works fast on my machine, but PhotoShop doesn't...

     

    The other thing to bear in mind is the way that machines handle network configuration - the CPU under certain conditions will take the hit at processing, where on Xeon processors it's more left to the hardware in the Network Card...

     

    AMD used to be bad for this, and the CPU would load under heavy network traffic.

     

     

    I would suspect that the Sophos XG is more at home on Intel platforms than AMD.

     

    Don't get me wrong, AMD are good, but in the right circumstances - they are great for gaming machines, and general desktop performance.

    Tim Grantham

    Enterprise Architect & Business owner

  • My NIC are Intel i350 and they are passtrough to the VM so there is no emulation. These are enterprise grade nic and the HW offloading is disable you they are doing some work instead the CPU

    What you are mentioning has nothing to do with the CPU but with the network card chipset

    I have had VMs based on FreeBDS, Ubuntu and Centos and have always perform well, so maybe what it is not optimized is Sophos. I am using KVM and as far as I know Sophos is based on Ubuntu/debian

  • I hope you mean that TCP offloading is enabled, otherwise the CPU will be doing a lot of tasks, it will for a lot of tasks that require software inspection such as QoS.

    It potentially is possible that Sophos isn't optimised for AMD hardware, after all given that this is designed to run on their own hardware / Azure which is all intel based (as far as I know / yes there are AMD VMs available in Azure, but you specify them), then why go to the extra effort?

    I'm just going by previous experience, and albeit 3-4 years ago, we noticed that some AMD systems (DL385p G8's) were doing high CPU when transferring SMB traffic, changed to Intel hardware - DL380p Gen8 and it was much faster.

    Tim Grantham

    Enterprise Architect & Business owner

  • BLS said:
    I hope you mean that TCP offloading is enabled, otherwise the CPU will be doing a lot of tasks, it will for a lot of tasks that require software inspection such as QoS.

    By default most of the NIC offload is disabled on XG, I believe It's required for IPS to work in inline mode.

     

    SFVH_SO01_SFOS 18.0.0 GA-Build379.HF052220.1# ethtool --show-offload Port1
    Features for Port1:
    rx-checksumming: on
    tx-checksumming: off
            tx-checksum-ipv4: off
            tx-checksum-ip-generic: off [fixed]
            tx-checksum-ipv6: off
            tx-checksum-fcoe-crc: off [fixed]
            tx-checksum-sctp: off [fixed]
    scatter-gather: off
            tx-scatter-gather: off
            tx-scatter-gather-fraglist: off [fixed]
    tcp-segmentation-offload: off
            tx-tcp-segmentation: off
            tx-tcp-ecn-segmentation: off [fixed]
            tx-tcp-mangleid-segmentation: off
            tx-tcp6-segmentation: off
    udp-fragmentation-offload: off
    generic-segmentation-offload: off
    generic-receive-offload: off
    large-receive-offload: off
    rx-vlan-offload: off
    tx-vlan-offload: off

Reply
  • BLS said:
    I hope you mean that TCP offloading is enabled, otherwise the CPU will be doing a lot of tasks, it will for a lot of tasks that require software inspection such as QoS.

    By default most of the NIC offload is disabled on XG, I believe It's required for IPS to work in inline mode.

     

    SFVH_SO01_SFOS 18.0.0 GA-Build379.HF052220.1# ethtool --show-offload Port1
    Features for Port1:
    rx-checksumming: on
    tx-checksumming: off
            tx-checksum-ipv4: off
            tx-checksum-ip-generic: off [fixed]
            tx-checksum-ipv6: off
            tx-checksum-fcoe-crc: off [fixed]
            tx-checksum-sctp: off [fixed]
    scatter-gather: off
            tx-scatter-gather: off
            tx-scatter-gather-fraglist: off [fixed]
    tcp-segmentation-offload: off
            tx-tcp-segmentation: off
            tx-tcp-ecn-segmentation: off [fixed]
            tx-tcp-mangleid-segmentation: off
            tx-tcp6-segmentation: off
    udp-fragmentation-offload: off
    generic-segmentation-offload: off
    generic-receive-offload: off
    large-receive-offload: off
    rx-vlan-offload: off
    tx-vlan-offload: off

Children
  • Yes mine is OFF as well I though it was enable since it is in pfsense/opnsense

     

    SFVH_KV01_SFOS 18.0.0 GA-Build354.HF052220.1# ethtool --show-offload PortA      
    Features for PortA:                                                             
    rx-checksumming: on                                                             
    tx-checksumming: off                                                            
            tx-checksum-ipv4: off                                                   
            tx-checksum-ip-generic: off [fixed]                                     
            tx-checksum-ipv6: off                                                   
            tx-checksum-fcoe-crc: off [fixed]                                       
            tx-checksum-sctp: off [fixed]                                           
    scatter-gather: off                                                             
            tx-scatter-gather: off                                                  
            tx-scatter-gather-fraglist: off [fixed]                                 
    tcp-segmentation-offload: off                                                   
            tx-tcp-segmentation: off                                                
            tx-tcp-ecn-segmentation: off [fixed]                                    
            tx-tcp-mangleid-segmentation: off                                       
            tx-tcp6-segmentation: off                                               
    udp-fragmentation-offload: off                                                  
    generic-segmentation-offload: off                                               
    generic-receive-offload: off                                                    
    large-receive-offload: off                                                      
    rx-vlan-offload: off                                                            
    tx-vlan-offload: off                                                            
    ntuple-filters: off [fixed]                                                     
    receive-hashing: on                                                             
    highdma: on [fixed]                                                             
    rx-vlan-filter: on [fixed]                                                      
    vlan-challenged: off [fixed]                                                    
    tx-lockless: off [fixed]                                                        
    netns-local: off [fixed]                                                        
    tx-gso-robust: off [fixed]                                                      
    tx-fcoe-segmentation: off [fixed]                                               
    tx-gre-segmentation: off [fixed]                                                
    tx-gre-csum-segmentation: off [fixed]                                           
    tx-ipxip4-segmentation: off [fixed]                                             
    tx-ipxip6-segmentation: off [fixed]                                             
    tx-udp_tnl-segmentation: off [fixed]                                            
    tx-udp_tnl-csum-segmentation: off [fixed]                                       
    tx-gso-partial: off [fixed]                                                     
    tx-sctp-segmentation: off [fixed]                                               
    tx-esp-segmentation: off [fixed]                                                
    fcoe-mtu: off [fixed]                                                           
    tx-nocache-copy: off                                                            
    loopback: off [fixed]                                                           
    rx-fcs: off [fixed]                                                             
    rx-all: off [fixed]                                                             
    tx-vlan-stag-hw-insert: off [fixed]                                             
    rx-vlan-stag-hw-parse: off [fixed]                                              
    rx-vlan-stag-filter: off [fixed]                                                
    l2-fwd-offload: off [fixed]                                                     
    hw-tc-offload: off [fixed]                                                      
    esp-hw-offload: off [fixed]                                                     
    esp-tx-csum-hw-offload: off [fixed]                                             
    rx-udp_tunnel-port-offload: off [fixed]            
  • Do you know the commands to enable all the offloading so it's processed on the nic?

  • l0rdraiden said:
    Do you know the commands to enable all the offloading so it's processed on the nic?

    Yes, but please don't do this, all offloading is already disabled by the own Sophos developers for a reason, enabling it will only cause issues for you.

    Primarily to Snort  with netmap work correctly, all NIC offloading needs to be disabled, and of course there can be more software inside XG that also needs it to be disabled.

     

    Even if you enable all offloading, on a reboot all your changes will be overwritten.

     

    Remember, XG is a firewall, not a router, so there isn't much use for NIC offloading since you want to inspect the packets.

     

    Thanks!

  • Hi,

    just to add some more confusion: :)

    SFVH_SO01_SFOS 18.0.1 MR-1.HF050520.2# ethtool --show-offload Port1
    Features for Port1:
    rx-checksumming: on [fixed]
    tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
    tx-checksum-ip-generic: on
    tx-checksum-ipv6: off [fixed]
    tx-checksum-fcoe-crc: off [fixed]
    tx-checksum-sctp: off [fixed]
    scatter-gather: on
    tx-scatter-gather: on
    tx-scatter-gather-fraglist: off [fixed]
    tcp-segmentation-offload: on
    tx-tcp-segmentation: on
    tx-tcp-ecn-segmentation: on
    tx-tcp-mangleid-segmentation: off
    tx-tcp6-segmentation: on
    udp-fragmentation-offload: off
    generic-segmentation-offload: on
    generic-receive-offload: off
    large-receive-offload: off [fixed]
    rx-vlan-offload: off [fixed]
    tx-vlan-offload: off [fixed]
    ntuple-filters: off [fixed]
    receive-hashing: off [fixed]
    highdma: on [fixed]
    rx-vlan-filter: on [fixed]
    vlan-challenged: off [fixed]
    tx-lockless: off [fixed]
    netns-local: off [fixed]
    tx-gso-robust: on [fixed]
    tx-fcoe-segmentation: off [fixed]
    tx-gre-segmentation: off [fixed]
    tx-gre-csum-segmentation: off [fixed]
    tx-ipxip4-segmentation: off [fixed]
    tx-ipxip6-segmentation: off [fixed]
    tx-udp_tnl-segmentation: off [fixed]
    tx-udp_tnl-csum-segmentation: off [fixed]
    tx-gso-partial: off [fixed]
    tx-sctp-segmentation: off [fixed]
    tx-esp-segmentation: off [fixed]
    fcoe-mtu: off [fixed]
    tx-nocache-copy: off
    loopback: off [fixed]
    rx-fcs: off [fixed]
    rx-all: off [fixed]
    tx-vlan-stag-hw-insert: off [fixed]
    rx-vlan-stag-hw-parse: off [fixed]
    rx-vlan-stag-filter: off [fixed]
    l2-fwd-offload: off [fixed]
    hw-tc-offload: off [fixed]
    esp-hw-offload: off [fixed]
    esp-tx-csum-hw-offload: off [fixed]
    rx-udp_tunnel-port-offload: off [fixed]

     

    I‘m using virtio on Proxmox KVM, no passthrough devices.

    Best Regards

    Dom

  • One thing;
    Is fastpath enabled and working? You can see if it is by executing: "system firewall-acceleration show" On the console

    I believe there's no support for it with the virtio driver.

     

    Thanks!

  • My network card is passthrough to the VM so maybe these are disable by default becasue the KVM image is intended to run virtualized.

    It would be interesting to see how "ethtool --show-offload Port1" looks like in an enterprise hw model of Sophos XG, anyone can post it?

  • console> system firewall-acceleration show
    Firewall Acceleration is Disabled. Fastpath Unload Failed.

    This topic was recently discussed here: community.sophos.com/.../questions-about-the-fastpath-feature

    FW accel and Fastpath should be disabled for not-ESX hypervisors, see here: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Architecture.html 

  • But does it work in physical NICs?

  • Any news above increase the CPU or RAM limit? CPU is particulary a problem in virtualized environments.

    Can something be done in this regard?

  • Hi,

    in virtual environments you need to lock CPU and memory resources to the XG otherwise you end with strange performance issues.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.