Improvement request - Still updating a firewall requires so much time

Almost 20 seconds elapsed from the instant when you click apply to the instant you get back to Firewall rule page?

Guys, I hope that you track this as a bug and improve the performance.

Thanks

  • I know this doesn't add any further to your request but the system load of almost 100 percent per core is unsustainable in a production firewall. I was running system load over 3 on my test firewall in a vm with quad cores. Yes throwing newer, faster hardware will bring it down a little but the system load has increased significantly in v18 compared to v17 and my test lab had only one user mostly playing with the GUI.

    Regards.

  • If I am not wrong - my memory being outrageously unreliable - not long ago, you were asking the rest of the community for some understanding while v18 took so much time, because, mainly, v18 implied a full core re-write. Have you seen such a thing happening somewhere?

    Besides the obvious few left and right, I did not spot any mountain moved.

    We are clueless mainly because Sophos' technical communications are shut down. And when they are not, it is merely a list of foggy concepts that taste mostly like marketing pie.

    Yesterday, a few users in a few posts asked what was in some technical bulletins fixing scary-named vulnerabilities, only to be answered, again, with a link to a criminally generic web page.

    No one can take sound technical decisions informed like this.  So every decision becomes like playing Russian wheel on an act of faith.

    So Project Picasso is yet another thing that risks to provoke no excitement.

    You know that story of a kid who was screaming "A Wolf!!!" a little too often, with the end result that the same kid failed to attract attention when it was most important?

    Paul Jr

  • Honestly I don't think Sophos changed the core right now, even though there were some rumors they would do so with v18. Same thing for Project Picasso. The GUI is still the same with long response times.

    But as we are all investing our time in testing v18, I think it would be fair if someone from Sophos could explain what's up with the "core re-write story" and "Project Picasso". [:O]

  • Hello

    Thanks for your answer.

    I presume these would be questions for this event: https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/webcast-firewall-v18-overview-and-live-q-a-with-the-xg-product-team---november-14-11am-est

    It would be preferable that someone more polite and nuanced than I ask, because I have a tendency to be aggressively unforgiving in my speeches when I'm not delivered in time what I rightfully expect since it was promised ages ago. I'm stuck at WWII thinking era. Kind of "If you don't you die".

    Paul Jr

  • [*-)]

    Picasso?  I think we are still trying to find nemo. 

    Kidding aside, Sophos should do themselves a favor and acknowledge v18 with respect to the internal code names floating around.  Is this the result of nemo??  Boy I sure hope not.  Cause from what I see nemo isn't done and picasso hasn't even started.  Just my eyeball test though.

  • Even more challenging, I built the J1900 from V18 EAP refresh 1 update ISO, what a pain. Different install screens, lots of blank screen while something is happening, no indication of activity, enough of that this thread is about performance.

    You thought the upgrade from v17.5.8 was slow this is even slower. Some items never complete a change, I have been trying to update etc notification settings for at least two hours including restart to see if that unstuck it, but no, still the magic circle.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Can someone from Sophos devs look at this issue?

    Thanks

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Hi Luk,

    I have isolated the issue to W10 PC and IE.

    I have used the same software build on two different versions of hardware with the same issue, so that left the management PC as a likely cause. Checked using FF on MBP and all the settings are correct and no spinning ball.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Nobody from Sophos is considering this thread?

    This is a performance issue. Editing an existing firewall rule still requires 14 seconds to update. Can this be tracked and investigated?

    Thanks

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Am I the only one with this issue?

    Maybe it is my installation? Can someone from the forum confirm the behaviour?

    Thanks

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Hi Luk, I tested this with a stopwatch [8-|] . I have a 4GB vm with 2vcpus and memory utilization to 80%. I have web proxy with categorization and av blocking. Also running Application categorization with allow all for pretty graphs (not blocking any apps). I don't have any DPI rules. I am also not using IPS.

    Average time for a rule update is 10.85 seconds. I did the test multiple times with different rules and it is always 10.5 plus seconds. I usually don't play with the firewall once it's set up, so not a problem after initial setup. I am also getting some inconsistent results with multiple NAT rules, as the firewall seems to get confused if you turn on and off too many rules, but that is not the topic here.

    Are you running everything on your firewall? Maybe the processor is overwhelmed with everything running? Not saying they don't need to fix this, just wondering why you are getting almost twice the time that I am getting on firewall rule update.

    Regards
