Astaro / Sophos UTM - Enabling IPS - Cuts Bandwidth in Half

posted Nov 7, 2016, 7:04 AM by Andrew Chadick   [ updated Jan 29, 2019, 1:56 PM ]
Astaro / Sophos UTM - Enabling IPS - Cuts Available Bandwidth in Half
Reason? It's not self-aware! It doesn't have logic in the installation routine to understand how many cores are available to it.
You need to manually look at how many cores you are running, then increase the number of "IPS instances" to match that number of cores; otherwise your firewall will not only bog down, it won't show you why!

You will need to enable shell access. SSH in using "loginuser", then sudo su to root.

Once root:

cat /proc/cpuinfo (this confirms the number of installed CPUs)
cc get ips num_instances (this confirms the current setting)
cc set ips num_instances x (where x is the number of CPUs installed in your UTM)
/var/mdw/scripts/snort restart (the command to restart Snort)
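The manual check above, as an added audit script that is not part of the original post: it counts the "processor" lines in /proc/cpuinfo, reads the current setting, and prints either "ok" or the exact set/restart commands needed. It assumes only the commands the post quotes (cc get/set ips num_instances, /var/mdw/scripts/snort restart) and uses that snort script's presence to decide whether it is running on a real UTM.

```shell
#!/bin/sh
# Added example, not from the original post: compare the UTM's IPS instance
# setting with its CPU core count, the check the post does by hand.
# Assumes the commands the post quotes:
#   cc get ips num_instances    -> prints the current setting
#   cc set ips num_instances N  -> changes it
#   /var/mdw/scripts/snort restart
# and that /proc/cpuinfo lists one "processor" line per logical CPU.

# Count logical CPUs from a cpuinfo file (defaults to /proc/cpuinfo).
count_cpus() {
    grep -c '^processor' "${1:-/proc/cpuinfo}" || true
}

# Pull the first integer out of whatever `cc get ips num_instances` printed,
# so the verdict does not depend on confd's exact output format.
parse_instances() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*' | head -n 1
}

# Print a one-line verdict: "ok" when instances match cores, otherwise the
# commands that fix it. Usage: ips_verdict CORES CURRENT_SETTING
ips_verdict() {
    cores=$1
    current=$2
    if [ -z "$current" ]; then
        echo "unknown: could not read num_instances; check with: cc get ips num_instances"
    elif [ "$current" -eq "$cores" ]; then
        echo "ok: $current IPS instances for $cores cores"
    else
        echo "mismatch: $current IPS instances for $cores cores; run: cc set ips num_instances $cores && /var/mdw/scripts/snort restart"
    fi
}

# Only query the live system when the UTM's snort script is present; the
# functions above can be exercised on constructed input anywhere else.
if [ -x /var/mdw/scripts/snort ]; then
    cores=$(count_cpus)
    current=$(parse_instances "$(cc get ips num_instances 2>/dev/null)")
    ips_verdict "$cores" "$current"
fi
```

The script only reports; applying the printed cc set and restart commands is left to the operator so the change is deliberate.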


(Jan 2019) - Updated information: Just recently upgraded to a fiber-optic connection, going from a 50 Meg connection to a 500 Meg connection, and took a new performance hit, more than 50%, with IPS enabled.

I did some thinking about logic and flow in regard to how IPS works and how scanning should work.
I went in and did this: I allowed an exception skipping source traffic FROM the INTERNAL network, allowing that the most likely scenario is that the attacks will come from external to the network.


As soon as I enabled this setting, bandwidth went to maximum throughput.  

I'll do some testing over the next couple of weeks, and get some intrusion reports generated from our partners, but until then, this might be the answer...  more to follow.