Welcome to the Sophos User Bulletin Board.
Junior Member
Join Date: Aug 2012
Posts: 2
#1
09-07-2012, 06:13 PM
Astaro 525 Performance

Hello,

I am using an Astaro 525 firewall as a border firewall on a project. We are doing offsite backups through this firewall and have run into performance issues. Through a series of iperf tests between various network devices, we have found that in tests from a system outside the Astaro firewall to the remote site we get near-gigabit speed in a single thread, and inside the firewall we get the same. I then plugged servers into two different ports on the Astaro to eliminate any other devices and just have the Astaro in between. I got about 200 Mbits in a single thread, 600 Mbits with parallel threads. When I check the system's resources, we barely use any of the device's memory or CPU. I do not have any QoS turned on on the device either. We do run a site-to-site IPsec VPN on separate interfaces, but this connection does not go over that, and again we barely use any of the resources of the device. Are there any settings that I may have missed or network settings that can be tweaked for performance gain?
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 12,052
#2
09-07-2012, 08:21 PM

Hi,

The IPS and the Application Detection / Traffic Classifier can both use a lot of CPU.

The IPS can normally process one network stream per CPU, so you may not be noticing the high single-threaded CPU usage. You should be able to see it better in 'top' if you press '1' to show all the CPUs.

Anyways, as a test, try disabling the IPS and Application Detection / Traffic Classifier and PortScan/Flood prevention and see if there's a performance improvement.

If it helps, try tuning the IPS settings (remove unneeded rule groups, define your SMTP, WEB, SQL servers, etc.)

Also see http://www.astaro.org/gateway-produc...-tweaking.html

Barry
__________________
http://BlogSec.net
http://JobOyster.com
http://DealBert.net
IT Consultant specializing in high-performance Web Infrastructure and Security.
Astaro End-user since v1.x
  • ASL 9.2x, HP DL360G5 - FW, IPS, VPNs
  • ASL 9.2x, 2 Dell 1950's as WAF/proxy w HA
  • UTM 9.1x, Atom n270, 2GB RAM, 2 Intel GigE
    Netgear GS108T gigE switch & Astaro AP30 Access Point with 4 VLANs.
    60/60mbit FiOS internet.
  • Pending - UTM 9.2x, i5-4670, 4GB RAM, 2 Intel GigE
    Needs new NIC drivers before deploying
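
Added example, not part of either post: the reply's point that one pegged core can hide behind a low overall CPU figure, checked from two `/proc/stat` snapshots instead of watching `top`. It assumes the standard Linux `/proc/stat` column layout; the function names, the 90% threshold and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: two /proc/stat snapshots, 1000 jiffies apart per core.
SAMPLE_BEFORE='cpu  3900 0 1800 32100 400 0 420 0 0 0
cpu0 1000 0 500 8000 100 0 50 0 0 0
cpu1 900 0 400 8200 100 0 40 0 0 0
cpu2 1200 0 600 7500 100 0 300 0 0 0
cpu3 800 0 300 8400 100 0 30 0 0 0'
SAMPLE_AFTER='cpu  3990 0 1990 35050 400 0 1190 0 0 0
cpu0 1020 0 510 8970 100 0 50 0 0 0
cpu1 910 0 410 9180 100 0 40 0 0 0
cpu2 1250 0 750 7530 100 0 1070 0 0 0
cpu3 810 0 320 9370 100 0 30 0 0 0'

# percpu_busy BEFORE AFTER -> one "cpuN busy%" line per core.
percpu_busy() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { second = 1; next }        # separator between snapshots
        /^cpu[0-9]+ / {                         # per-core lines only, not "cpu"
            total = 0
            # user..steal; the guest columns are already counted in user/nice
            for (i = 2; i <= 9 && i <= NF; i++) total += $i
            idle = $5 + $6                      # idle + iowait
            if (!second) { t0[$1] = total; i0[$1] = idle; next }
            dt = total - t0[$1]; di = idle - i0[$1]
            printf "%s %.0f\n", $1, (dt > 0) ? 100 * (dt - di) / dt : 0
        }'
}

# hot_core_verdict BEFORE AFTER [THRESHOLD] -> "saturated|ok cpuN max=.. avg=.."
hot_core_verdict() {
    percpu_busy "$1" "$2" | awk -v thr="${3:-90}" '
        { sum += $2; n++; if (n == 1 || $2 > max) { max = $2; hot = $1 } }
        END {
            if (n == 0) { print "nodata"; exit 1 }
            printf "%s %s max=%d avg=%d\n",
                (max >= thr ? "saturated" : "ok"), hot, max, sum / n
        }'
}

# Live use: b=$(cat /proc/stat); sleep 5; a=$(cat /proc/stat)
#           hot_core_verdict "$b" "$a"
hot_core_verdict "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

On the sample, one core is almost fully busy in softirq and system time while the four-core average stays near a quarter, which is the pattern a summary CPU graph would not show.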
All times are GMT.