Sophos XG 18 MR3 DPI slow download

Question

Hi all, 
 after going from decrypting HTTPS traffic by proxy to the dpi engine my download performance dropped massivly. 
 I am on a SG 230 hardware where the XG 18 MR3 is installed on. 
 Taking the same side downloading an ISO file via HTTPS with proxy and SSL decryption a get 100mbit/s troughput which is the max of my internet connection. 
 switching to DPI I get arround 16mbit/s. If a start a second, third download an so on I can max out my internet connection. 
 switching back and forth between proxy and dpi I can always reproduce this. 
 this happens only to HTTPS sessions with DPI turned on. 
 The load on the FW is never higher than 20% while testing. 
 Could there be an issue that DPI is somehow limiing the throughput within a session? No QoS is defined... 
 I tried different DPI policies and nothing changed the behavior. 
 Thanks for your help 
 best

LuCar Toni · Accepted Answer

Try V18.5 MR1, it should covers all fixes regarding the performance. 
 https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v185-mr1-eap

RichBaldry · Answer

Thanks to everyone who has provided data points and feedback here. 
 We have identified a couple of areas where DPI mode was preventing traffic running as fast as it otherwise would, due to issues with the TCP receive window. This problem is less obvious on low-latency, local network connections, but can get quite significant as network latency increases. 
 The problem is not caused by overloading of the firewall, but by the server not sending data quickly enough on a given connection. This is why many of you observed that parallel connections would all max out at the same level and increase the overall bandwidth consumption, even though the throughput seemed to be limited on each connection individually. 
 The reason the server doesn't send data quickly enough is that there are issues with the way the firewall is calculating the TCP receive window size that it advertises to the server in packet headers. The TCP receive window value tells the server how much data it should send before pausing to wait for confirmation that the data arrived safely. If that value is too small, the server will spend a lot of time waiting for confirmation and the overall flow of data will be slow. The time spent waiting increases with connection latency, so overall flow seems even lower on longer-distance connections. 
 We are working on a fix for this problem and are making plans to release it in an upcoming maintenance release. It will be included in 18.0 MR6. It is also addressed in the 18.5 GA version, for early adopters of XGS-series hardware.

Sophos XG 18 MR3 DPI slow download

Top Replies