Performance tuning for IPS maximum performance

Started by dcol, December 08, 2017, 05:13:30 PM

Previous topic - Next topic
Print
Go Down Pages 1 ... 3 4 5 6 7 8
User actions
June 12, 2020, 09:05:33 PM #60
I am hitting no more than 300/300 with IDS/IPS and running a 16core/32GB highend server.

IDS takes a big hit on performance.
June 12, 2020, 09:08:46 PM #61
I am curious...is there a way to know which tunable options are actually in effect when the system is up? Can I run a command to list all of them as active?
June 12, 2020, 11:14:24 PM #62
That's a superb question... When I check the settings with sysctl -A | grep dev.igb, everything is fine; which means is set to 0. Obviously, it isn't; else, I would not expect to see any change regarding the throughput when typing the settings on console...
And, how can I be sure that the other settings related to the NICs are applied correctly ? They all show up fine; but who knows ...
Btw, I disabled IPS; just checking is active. I run a smal and well controlled network. I just want to know, in case of some possible problems. With IPS enabled, I achieved close to 300M... 8 cores don't help, afaik... It looks like only one core is used.
June 15, 2020, 03:52:31 AM #63
It definitely would be helpful to know that those options you have selected are indeed active.

As to your test it seems there is a real premium on higher frequency cores rather than many lower frequency cores, if only one core is used.
June 15, 2020, 11:25:18 AM #64
what IDS profile are you using??

There is a setting to change how IDS uses the process/cores.

Quote from: dl3it on June 12, 2020, 11:14:24 PM
That's a superb question... When I check the settings with sysctl -A | grep dev.igb, everything is fine; which means is set to 0. Obviously, it isn't; else, I would not expect to see any change regarding the throughput when typing the settings on console...
And, how can I be sure that the other settings related to the NICs are applied correctly ? They all show up fine; but who knows ...
Btw, I disabled IPS; just checking is active. I run a smal and well controlled network. I just want to know, in case of some possible problems. With IPS enabled, I achieved close to 300M... 8 cores don't help, afaik... It looks like only one core is used.
June 15, 2020, 07:08:06 PM #65
I use Hyperscan, promiscuous mode (due to VLANs), IDS enabled, IPS disabled. Currently are abt. 1900 rules enabled. But there is still some space for more, until I loose the 1 Gbit/s.
Where do you configure the CPU usage ? I don't have such an option, even in advanced mode. I run a 4 core CPU (AMD FX-8800 P), where 3 cores most of the time feel quite bored  ;D
June 15, 2020, 10:03:23 PM #66
Quote from: Supermule on June 15, 2020, 11:25:18 AM
what IDS profile are you using??

There is a setting to change how IDS uses the process/cores.
Sorry, where is it ?
June 16, 2020, 12:10:16 AM #67
Quote from: hushcoden on June 15, 2020, 10:03:23 PM
Quote from: Supermule on June 15, 2020, 11:25:18 AM
what IDS profile are you using??

There is a setting to change how IDS uses the process/cores.
Sorry, where is it ?

Sorry. I mixed up OPNSense with pfsense. Running both to compare.
June 16, 2020, 05:53:12 AM #68
Profiles come with 20.7
June 16, 2020, 09:09:18 AM #69
I changed to development firmware upgrade. It's 20.7 now, but still with 11.2 BSD.
Performance is significantly improved. I can run now IDS and IPS, with increased rule set (~3000) at 1GB/s; with Hyperscan and net.bpf.zerocopy_enabled=1. The load goes to slightly more than 1 without IPS, and close to 2 with IPS enabled. Powerd is set to hiactive.
June 16, 2020, 09:58:59 AM #70
Quote from: dl3it on June 16, 2020, 09:09:18 AM
I changed to development firmware upgrade. It's 20.7 now, but still with 11.2 BSD.
Performance is significantly improved. I can run now IDS and IPS, with increased rule set (~3000) at 1GB/s; with Hyperscan and net.bpf.zerocopy_enabled=1. The load goes to slightly more than 1 without IPS, and close to 2 with IPS enabled. Powerd is set to hiactive.

Switching to devel mode will only update the UI, not (yet!) the OS, but it should install Suricata 5 and allows to set profile mode.
June 16, 2020, 10:22:55 AM #71
That's what it looks like now....

June 16, 2020, 03:44:25 PM #72
I did an ISO upgrade and 20.7 with 12.1 is running now. Currently ~8000 rules are activated, IDS and IPS enabled, Hyperscan gives abt. 850MB/s. The other algorithms gave significantly worse results; down to 100MB/s.
Do you have any hints for me regarding the profile ? Do I have to edit the settings file, or can this be done by GUI ? 
June 16, 2020, 07:34:26 PM #73
Hit Advanced in General
June 16, 2020, 09:37:11 PM #74
Thanks.... Got it...

Best results with Hyperscan and profile "High"... Abt. 780Mb/s with 8556 rules. The changes between the profiles are marginal; between 740MB/s and 780Mb/s.
The other algorithmns are far slower... Maximum 400Mb/s, down to 140Mb/s... With any profile.

Current "optimum" settings attached.

If I can test anything special for you, fell free to ask  8)
Print
Go Up Pages 1 ... 3 4 5 6 7 8
User actions