Initial setup of IDP on USG40 - 10% loss of BW?

SecCon
SecCon Posts: 51  Ally Member
edited April 14 in Security

Kboom, nothing works, oh what did I do...? Connected the FW with IDP to my LAN.


So, above has not happened. Yet. :)

I am sitting updating my USG40 and downloading and activating IDP Signatures. Little did I suspect it is almost like working in Excel. So much for intelligent protection. There is none. It is all rules and rulesets. Lines. Text.



Page 5 select an IDP profile.

Now. There are many rows in the profiles. Since I will place my USG between my Router and my WAN there is a good chance I should start with ALL.

My question in this would be if there are any obvious rules I should deactivate from start? No, I really have no clue right now, I just don't want to wreck my torrenting and bitcoining network... again, just kidding.
It is a Windows based SOHO with office, games, home servers, iphones, androids... not serving anything to the Web.

What are the most common pitfalls? Any big NONO that needs to be active or not active?

I ask before I suffer. :3



Answers

  • SecCon
    SecCon Posts: 51  Ally Member
    So I am noticing 10% B/W loss on 100MBit. Testing several times over a couple of days.

    My ISP delivers 100MBit and is usually just above in many consecutive tests on my regular network, without the USG.

    Got a laptop directly connected to USG via LAN and do Speedtest with Ookla's app. Getting about 90MBit up and down which is a consistent 10% loss. I disable the LAN and connect it to my WiFi and it goes back to normal 100+/100+. The WiFi is not via USG, the USG's WiFi is disabled. (Nor do I intend to use it).

    So there is nothing setup except for what is in my post above.  What should I look for to determine the 10% loss?
  • SecCon
    SecCon Posts: 51  Ally Member
    So much for forums, I am making a support ticket.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 198  Zyxel Employee

    Hi @SecCon

    You can add an all Base profile and enable it on security policy.

    Additionally, USG40 executes policy rules, UTM profiles and other applications, etc.

    So, a 10% loss of throughput performance is normal.

    About the IDP configuration you can refer to the following:

    Configuration > UTM Profile > IDP > Profile to add an all Base profile

    Configuration > Security Policy > Policy Control > check IDP profile on the policy which you would like to enable


  • SecCon
    SecCon Posts: 51  Ally Member
    I did that conf part. As clearly linked to and stated in my first post.

    10% loss is not what I would call acceptable. I was expecting an answer indicating that selecting "ALL" is not a very good idea due to enabling many rules that are not normally needed. I guess I may have been wrong in my assessment of that.

    More rules, more filtering, more CPU/RAM load and, of course, less bandwidth. I need to focus on rules I do not need. How would one assess that? Application list?

  • Zyxel_Vic
    Zyxel_Vic Posts: 239  Zyxel Employee
    Hi @SecCon
    Apologies for the confusion. Actually those intrusions we identified and enabled by default are basically all with high severity. It's difficult to say which is more important than the others if they are identified as intrusions. This is the purpose that a security device has to prevent.
    Regarding the performance drop, since the device needs to analyze packet by packet, there will more or less be overhead on the system load.

    However, to categorize those identified intrusions may be a considerable direction. We will evaluate if we can have a better algorithm to categorize those intrusion signatures to have easier implementation for home users.

    Thank you for the valuable suggestion.

    Regards,
  • USG_User
    USG_User Posts: 237  Master Member
    edited February 5
    10% loss of throughput is ok for us.

    But where I agree to ... I'm also missing a short description in the user manual of which IDP profile is suitable for which kind of traffic. WAN, LAN and DMZ are predefined IDP profiles where more or less signature groups are activated. At the moment we've chosen the "LAN" profile for any outbound traffic from our LAN to WAN (e.g. website access) where answer packets are expected, and the "DMZ" profile for web accesses to our DMZ located servers. But I don't know whether this is practical and sufficient. Or should the "WAN" profile be selected for any traffic originating from the internet?
  • SecCon
    SecCon Posts: 51  Ally Member
    edited February 5
    I do think I understand the scope of this matter.

    It seems the throughput is 95MBit with IDP and USG40W, but if one can filter IDP and reduce the load, we would probably look at a higher throughput: https://www.zyxel.com/us/en/products_services/Unified-Security-Gateway-USG40-40W-60-60W/comparison

    Example.
    I should be able to disable filters related to running Windows IIS, anything running Oracle.. etc... along those lines. Then again, I do have Java installed on a couple of clients, so I would assume some consideration would have to go in to filtering Oracle.

    If one digs into the list one will be able to disable a lot, since you have none of "that software" on your clients or servers, but you always risk disabling one too many. Sure, I leave all the Office365 and MS Windows ones on, but I also need to look at VMware since I have an ESXi instance.