Performance tuning for IPS maximum performance

[Supermule]

I am hitting no more than 300/300 with IDS/IPS and running a 16core/32GB highend server.

IDS takes a big hit on performance.

[spetrillo]

I am curious...is there a way to know which tunable options are actually in effect when the system is up? Can I run a command to list all of them as active?

[dl3it]

That's a superb question... When I check the settings with sysctl -A | grep dev.igb, everything is fine; which means is set to 0. Obviously, it isn't; else, I would not expect to see any change regarding the throughput when typing the settings on console...
And, how can I be sure that the other settings related to the NICs are applied correctly ? They all show up fine; but who knows ...
Btw, I disabled IPS; just checking is active. I run a smal and well controlled network. I just want to know, in case of some possible problems. With IPS enabled, I achieved close to 300M... 8 cores don't help, afaik... It looks like only one core is used.

[spetrillo]

It definitely would be helpful to know that those options you have selected are indeed active.

As to your test it seems there is a real premium on higher frequency cores rather than many lower frequency cores, if only one core is used.

[Supermule]

what IDS profile are you using??

There is a setting to change how IDS uses the process/cores.

That's a superb question... When I check the settings with sysctl -A | grep dev.igb, everything is fine; which means is set to 0. Obviously, it isn't; else, I would not expect to see any change regarding the throughput when typing the settings on console...
And, how can I be sure that the other settings related to the NICs are applied correctly ? They all show up fine; but who knows ...
Btw, I disabled IPS; just checking is active. I run a smal and well controlled network. I just want to know, in case of some possible problems. With IPS enabled, I achieved close to 300M... 8 cores don't help, afaik... It looks like only one core is used.

[dl3it]

I use Hyperscan, promiscuous mode (due to VLANs), IDS enabled, IPS disabled. Currently are abt. 1900 rules enabled. But there is still some space for more, until I loose the 1 Gbit/s.
Where do you configure the CPU usage ? I don't have such an option, even in advanced mode. I run a 4 core CPU (AMD FX-8800 P), where 3 cores most of the time feel quite bored 

[hushcoden]

what IDS profile are you using??

There is a setting to change how IDS uses the process/cores.

Sorry, where is it ?

[Supermule]

what IDS profile are you using??

There is a setting to change how IDS uses the process/cores.

Sorry, where is it ?

Sorry. I mixed up OPNSense with pfsense. Running both to compare.

[mimugmail]

Profiles come with 20.7

[dl3it]

I changed to development firmware upgrade. It's 20.7 now, but still with 11.2 BSD.
Performance is significantly improved. I can run now IDS and IPS, with increased rule set (~3000) at 1GB/s; with Hyperscan and net.bpf.zerocopy_enabled=1. The load goes to slightly more than 1 without IPS, and close to 2 with IPS enabled. Powerd is set to hiactive.

[mimugmail]

I changed to development firmware upgrade. It's 20.7 now, but still with 11.2 BSD.
Performance is significantly improved. I can run now IDS and IPS, with increased rule set (~3000) at 1GB/s; with Hyperscan and net.bpf.zerocopy_enabled=1. The load goes to slightly more than 1 without IPS, and close to 2 with IPS enabled. Powerd is set to hiactive.

Switching to devel mode will only update the UI, not (yet!) the OS, but it should install Suricata 5 and allows to set profile mode.

[dl3it]

That's what it looks like now....

[dl3it]

I did an ISO upgrade and 20.7 with 12.1 is running now. Currently ~8000 rules are activated, IDS and IPS enabled, Hyperscan gives abt. 850MB/s. The other algorithms gave significantly worse results; down to 100MB/s.
Do you have any hints for me regarding the profile ? Do I have to edit the settings file, or can this be done by GUI ? 

[mimugmail]

Hit Advanced in General

[dl3it]

Thanks.... Got it...

Best results with Hyperscan and profile "High"... Abt. 780Mb/s with 8556 rules. The changes between the profiles are marginal; between 740MB/s and 780Mb/s.
The other algorithmns are far slower... Maximum 400Mb/s, down to 140Mb/s... With any profile.

Current "optimum" settings attached.

If I can test anything special for you, fell free to ask