I've been playing with the idea of adding inline AV and content filtering behind my EdgeRouter-fronted home network. Over the holiday weekend I installed and configured Untangle's pre-built OVA, installed a newly built VM using Untangle's installer, and installed Sophos UTM from their latest installer.
In every case the performance is terrible. I have a 300/300 FIOS connection that in reality is more like 300/350. With a single client running through the appliance VMs that drops to ~120/120 territory. Obviously this isn't acceptable. I started turning off features one by one in Untangle and saw zero difference. I expected inline AV to be the bottleneck but even when off no change.
I ran speedtest from the GUI console of Untangle and saw the same 120/120 territory, so it's obviously something inherent to that machine. Other machines on the same ESXi host see the full 300/350, so it's not a host/vswitch-related issue.
I understand that this stuff is CPU intensive; a little research suggests that a 2011-era CPU should be able to do 200-500 MB/s of inline intrusion detection. I'm running these on a Xeon 5660-based system, with two cores configured. CPU load never goes above ~20% on the appliance VM, but performance is still terrible.
Where should I be looking? I'm guessing the reasonably priced physical appliances aren't going to be any better (and likely much worse); you need to go quite a few levels up the Sophos model line before you get one that is rated at 300+ mb/s AV throughput. Although Sophos doesn't make their CPU specs readily available, I'm guessing they are far less powerful than two Xeon 5660 cores.
Where is the bottleneck if not CPU?
Viper GTS