
Sophos XG 18 MR3 DPI slow download

Hi all,

After going from decrypting HTTPS traffic by proxy to the DPI engine, my download performance dropped massively.

I am on SG 230 hardware on which XG 18 MR3 is installed.

Taking the same site, downloading an ISO file via HTTPS with proxy and SSL decryption I get 100 Mbit/s throughput, which is the max of my internet connection.

Switching to DPI I get around 16 Mbit/s. If I start a second, third download and so on I can max out my internet connection.

Switching back and forth between proxy and DPI I can always reproduce this.

This happens only to HTTPS sessions with DPI turned on.

The load on the FW is never higher than 20% while testing.

Could there be an issue that DPI is somehow limiting the throughput within a session? No QoS is defined...

I tried different DPI policies and nothing changed the behavior.

Thanks for your help

best



This thread was automatically locked due to age.
  • Hi, I have the same problem. My internet connection has 250 Mbit. With DPI on, I get round about 50 Mbit...

    The strange thing: if I turn DPI off, I get 250 Mbit again. If I turn on DPI again, I still get 250 Mbit. But after several hours it falls to 50 Mbit and stays stuck there.

    Until I switch off DPI again.

  • Hello Strandundmeer,

    Thank you for contacting the Sophos Community!

    If you create an SSL/TLS inspection rule for the Source IP set to "Do not decrypt", is the issue the same when you select Decrypt HTTPS during web proxy filtering in the Firewall rule for this Source IP?

    Does the ips.log show you any error?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi ,

    Thanks for the ideas.

    I tested different setups and, unlike Wireguard, for my system it does not matter if I turn DPI off and on again. As long as it is enabled and the policy is active for the source, the speed drops to roughly 25%.

    I did the following tests today all with Firefox from the same server to download from:

    • Proxy with SSLi enabled, IPS Policy active, AV Scan for HTTPS active: Download 12 MByte/s, which is roughly 100 Mbit/s and the max of my internet connection.
    • Proxy disabled so that DPI gets enabled, IPS Policy active, AV Scan active: Download 2.8 MByte/s <=> 22 Mbit/s
    • Proxy disabled so that DPI gets enabled, IPS Policy none, AV Scan off: Download 2.8 MByte/s <=> 22 Mbit/s
    • Everything in the firewall rule disabled, DPI via rule enabled: 22 Mbit/s
    • No difference if I turn HTTPS during proxy filtering on or off.

    There is nothing in the ips.log during this session, and the speed degradation also happens with IPS disabled. The firewall is far away from being heavily loaded...

    Thanks for your help
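The tests above compare one download at a time against several in parallel, which is the quickest way to tell a per-session cap (one stream slow, N streams together fill the link) from a link-wide cap. The script below is an added example, not code from the thread or from Sophos: it downloads a URL with N concurrent streams, reports per-stream and aggregate Mbit/s, and classifies the result. The local HTTP server it starts serves a constructed payload so the harness can be tried offline; the URL, stream count and the 50% decision threshold are assumptions to adjust for a real link.

```python
"""Single-stream vs. parallel download throughput harness.

Added example (not from the Sophos thread). Use it against the same
file with DPI on and off; if one stream is slow but N streams together
reach line rate, throughput is being limited per session, not per link.
"""
import http.server
import threading
import time
import urllib.request


def _download(url, timeout, results, idx):
    """Fetch url fully, recording (bytes, seconds) into results[idx]."""
    start = time.monotonic()
    received = 0
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        while True:
            chunk = resp.read(1 << 16)
            if not chunk:
                break
            received += len(chunk)
    results[idx] = (received, time.monotonic() - start)


def measure(url, streams=1, timeout=120):
    """Download url `streams` times concurrently and summarise throughput."""
    results = [None] * streams
    workers = [
        threading.Thread(target=_download, args=(url, timeout, results, i))
        for i in range(streams)
    ]
    t0 = time.monotonic()
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    elapsed = time.monotonic() - t0
    total = sum(n for n, _ in results)
    per_stream = [8 * n / d / 1e6 if d > 0 else 0.0 for n, d in results]
    aggregate = 8 * total / elapsed / 1e6 if elapsed > 0 else 0.0
    return {
        "streams": streams,
        "total_bytes": total,
        "elapsed_s": elapsed,
        "per_stream_mbit": per_stream,
        "aggregate_mbit": aggregate,
    }


def classify(single, parallel, ratio=0.5):
    """Compare a 1-stream run with an N-stream run of the same URL.

    ratio is an assumed threshold: if one stream achieves less than
    ratio * (N-stream aggregate), the cap is per session.
    """
    if parallel["aggregate_mbit"] <= 0:
        return "no data"
    if single["aggregate_mbit"] < ratio * parallel["aggregate_mbit"]:
        return "per-session limit"
    return "link-wide limit"


# Constructed local server so the harness runs offline; replace with a
# real HTTPS URL behind the firewall for an actual DPI test.
_PAYLOAD = b"\x00" * (1 << 20)  # 1 MiB of constructed data


class _PayloadHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(_PAYLOAD)))
        self.end_headers()
        self.wfile.write(_PAYLOAD)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_local_server():
    """Start a background HTTP server; returns (url, server, payload_size)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _PayloadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/test.bin", srv, len(_PAYLOAD)


if __name__ == "__main__":
    url, srv, _ = start_local_server()
    one = measure(url, streams=1)
    four = measure(url, streams=4)
    srv.shutdown()
    print(f"1 stream : {one['aggregate_mbit']:.1f} Mbit/s")
    print(f"4 streams: {four['aggregate_mbit']:.1f} Mbit/s "
          f"(per stream {[round(x, 1) for x in four['per_stream_mbit']]})")
    print("verdict:", classify(one, four))
```

Run it once with the firewall rule on the proxy and once with DPI; the interesting number is the ratio between the 1-stream and N-stream aggregates rather than the absolute Mbit/s, since the local server in the demo only exercises the loopback path.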

  • Hi, here are my settings. I get no issues, except the one described above.

    Firewall

    NAT

    DPI

    Maybe try this one, and give us feedback. 

    Here my internet connection

    DPI ON

    DPI OFF

  • Hi ,

    I think that our settings are equal except the fact that I don't have NAT in place.

    As I already mentioned, I tested lots of different configuration / policy settings with the same result: enabling DPI instead of the web proxy with SSLi, my speed drops down to 20-25% of the result I get with the proxy enabled.

    Turning app control and IPS off doesn't change anything.

    This seems to be the same for all browsers and downloading files, BUT using a speed test like https://librespeed.org/ I do get full speed even with DPI enabled.

    From my point of view it seems that DPI is doing something to the download in a way that the bandwidth can not be utilized.

    The system load is low even with DPI enabled and the decryption capacity shown in the dash is <1% so there should be no issues.

    What hardware are you using? Perhaps there is something we have in common?

    I have upgraded my appliances several times from early 17-ish versions; perhaps there is an issue?

    best

  • No, unfortunately not. My XG is a virtual appliance, a fresh install from scratch with v18 MR3. I think a Sophos technician has to clear up this behavior.

  • OK, thanks. I have another 230 appliance which acts as a cold standby and I thought about doing a fresh install, but as this happens to your virtual appliance too, it would not add any benefit.

    Thanks

  • A point of interest: my XG reports that as trying to set up Tor connections. The speed test runs on my iPad and Mac mini. Both use the default SSL/TLS firewall rule. No decrypt and scan function.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Facing the same issue: I have a good internet connection with 1 Gbps of speed but am getting 250/300 Mb on Sophos XG Home.

  • This is just the way it is.  Also you get the bonus of it breaking random sites with no idea why or what to do about it.