Kerio Control Feedback: Frustrating combination of lack in performance and features (Lack of UEFI support (old kernel) and poor SNORT performances)
Frustrating combination of lack in performance and features [message #148390] Sat, 04 July 2020 00:46
CristianoIera
Messages: 5
Registered: February 2014
Kerio Control has a really "historical" weak point: the very well-known problem of the single-thread, single-core SNORT implementation, limiting the throughput in NAT with IPS to an unacceptable speed, much lower than most of the ultra-wideband internet connections available on the market at really cheap prices.
A bad workaround is to use some kind of new and very powerful (and of course expensive) hardware appliance to improve the performance of SNORT to an acceptable level. But there's a problem: 99% of new hardware platforms support ONLY UEFI boot, and it's absolutely unsupported in the current version of Kerio Control, though UEFI has been supported in Linux since 2012.
Moreover, it's a really bad limiting factor in small and medium business implementations that require high sustained transfer speed for business purposes (cloud applications, cloud backups and similar).
We are GFI/Kerio partners, and I notice that selling your product has turned into a big hassle, because most of the competitors have much better performance at lower prices and using cheaper hardware, though the usability and learning curve of Kerio Control remain unsurpassed.
These two issues (SNORT and UEFI) combined are really a pain in the ass with this product. We are compelled to look for valid competitors and I'm really disappointed by this, because we invested in advertising your product among our customers and now we have to hear claims from customers for better performance, because they can clearly identify the problem in the firewall: when they ask their internet providers to improve the connection speed, they are invited to run a speed test with a PC directly connected without a firewall, and the speed test says 980Mbit/sec without Kerio Control and less than 400 (sometimes 100-150 on less performing machines or VMs) with Kerio Control. At that point they call the firewall supplier...
I think it could be avoided with a little effort by your development team.
Re: Frustrating combination of lack in performance and features [message #148423 is a reply to message #148390] Tue, 14 July 2020 13:30
ian.bugeja
Messages: 566
Registered: March 2017
Location: Malta
For SNORT - we are looking at ways of optimizing that engine. It's not an easy fix since by design it's single-threaded. The next version of SNORT is multi-threaded but has been left in beta for a very long time. Various off the shelf next-generation firewall products use snort and it's one of the best available tools out there.

For UEFI boot we are also looking at what needs to be done. This will be easier once we upgrade the kernel to 4.19 which is expected later on this year (2020).


Ian Bugeja
GFI Software
Re: Frustrating combination of lack in performance and features [message #148428 is a reply to message #148423] Wed, 15 July 2020 01:50
CristianoIera
Messages: 5
Registered: February 2014
Thank you very much for the insider info.
It could be amazing if both these upgrades will be available in 2020.
I know that in some implementations the multithreaded implementation of SNORT is accomplished by paralleling some instances of the process on different streams, but while this should be good in large environments, it does not solve the problem of the single stream speed limit. I hope you'll find a solution soon or adopt a different library or decide to contribute to the development/testing of the real multithreaded SNORT...
Re: Frustrating combination of lack in performance and features [message #148446 is a reply to message #148390] Thu, 16 July 2020 20:08
ascdew
Messages: 4
Registered: July 2020
I will start by totally agreeing with the post by CristianoIera regarding the lack of performance improvements in Control by GFI development. It's really appalling that GFI development would be ignoring improving Control performance.

3 years ago we had a discussion with the Control dev group as we were configuring several new appliances for customers and we wanted to implement the new appliances with NVMe. At that time we were told that it wasn't possible because Control was still running on a fork of the 3.16 kernel.

So now we are at the same juncture with a number of client firewalls needing a tech refresh, so yesterday we placed a request to GFI Control as to whether NVMe support was now available with Control. Before placing the request we researched the NVMe Linux driver and found that it has been back-ported all the way back thru Linux kernel 2.6.

Sadly we just heard from GFI Level 2 support that the NVMe driver is not included in the latest Control kernel. How is this acceptable? Given the currently acknowledged performance constraints, making use of the NVMe driver would certainly help.

Another open issue since October 2019 is that the Control update back then broke the ability of a client to present a custom Control logo to users logging into/validating on the firewall. As of today - 8 months later this simple bug remains unresolved?

The UEFI boot issue is also unacceptable. How is it even possible that this is not already in place with Control?

Like CristianoIera, we are long-time Kerio/GFI partners and Control is our FW/UTM solution 100% of the time. But we are definitely taking major hits from clients due to the competition. Now with the virus and "WFH" being the solution, performance is ever more critical.

We fail to understand how GFI can allow Control to wither on the vine like an unwanted step-child. Is the GFI plan to deprecate Control as a product?

Please enlighten us on what the plan is for Control and why there appears to be nothing done to improve performance and implement new tech hardware features?

We are about to place several new hardware appliance orders and if these basic features are not available, we fear the clients will request that Control be replaced by a solution that takes advantage of modern hardware technology. Please do not allow this to happen!

Re: Frustrating combination of lack in performance and features [message #148447 is a reply to message #148446] Fri, 17 July 2020 09:43
ian.bugeja
Messages: 566
Registered: March 2017
Location: Malta
Hi

Thanks for your feedback.

Regarding the logo issue, that is part of 9.3.5, currently in beta and expected to be released soon. More info here: https://groups.google.com/g/gfi-insider/c/UhJByDXn1Tg
Regarding outdated hardware, we have a new lineup of hardware coming out very soon.

We are also working on updated kernel 4.19 which should be released later on this year. Stay tuned on insider.gfi.com for more updates on this as we surely will announce a wider beta period for it.


Ian Bugeja
GFI Software
Re: Frustrating combination of lack in performance and features [message #148451 is a reply to message #148447] Fri, 17 July 2020 22:54
ascdew
Messages: 4
Registered: July 2020
Hey Ian:

Appreciate you responding to my post/request. As a follow up:

1 - installed V9.3.5 Beta 3 build 4224
Custom logo still does not work. Removed custom logo, installed beta 3. Re-applied custom logo - no joy! Tested with edge, firefox, vivaldi, chrome and safari.

2 - Very glad to hear that kernel 4.19 is in the works. I will press my luck and ask if it is possible to get a bit more defined on a release date for this and if it will include the latest kernel features/drivers like NVMe?

I realize that release dates are a moving target, but since it is already July, if we could get a more specific commitment it would be helpful. As I explained previously we have several customer firewall appliances that need a hdw refresh.

We are going to lose those sales because Kerio Control is no longer competitive in terms of the hdw performance curve. However we have solid if not current Hdw that we can temporarily put in place until this 4.19 kernel release is available - if it will be available this year? But we do need to manage customer expectations regarding what GFI will be doing.

Re: Frustrating combination of lack in performance and features [message #148453 is a reply to message #148451] Mon, 20 July 2020 17:41
ian.bugeja
Messages: 566
Registered: March 2017
Location: Malta
Thanks for your feedback.

Regarding 1) Can you please share exact steps to reproduce? On what pages is the custom logo not working? Our teams have tested it and confirmed to me that it is fixed.

For 2) I'm looking at 9.4 to be the next release after 9.3.5, so effectively in around 2 months time.


Ian Bugeja
GFI Software
Re: Frustrating combination of lack in performance and features [message #148474 is a reply to message #148453] Thu, 23 July 2020 00:32
ascdew
Messages: 4
Registered: July 2020
There's not much to do to test:

1 - installed Control V9.3.5 beta 3 Build 4224 - see image 1 KerioControl-V9.3.5beta3-1.jpg

2 - on the custom logo config page - tried removing, add back, etc. to trigger change/update - see image 2 KerioControl-V9.3.5beta3-2.jpg

3 - tested login screen - custom logo is not displayed - see image 3 KerioControl-V9.3.5beta3-3.jpg

4 - Here is a snippet of xml from the winroute.cfg file - which appears to have the correct settings?
<table name="Misc">

<variable name="BrandLogoEnabled">1</variable>
<variable name="BrandPageTitle">ASC Kerio Firewall</variable>

</table>

5 - in the export of the cfg.tar.gz - it contains the brand_logo.png file - which when looked at is the correct custom logo file

So I am not quite sure what we are missing to get the custom logo to work?

If there is something else we need to do to get this working, please advise.
Re: Frustrating combination of lack in performance and features [message #148520 is a reply to message #148474] Mon, 03 August 2020 23:01
ascdew
Messages: 4
Registered: July 2020
Any updates/comments on my last submission with the custom logo not working?
Re: Frustrating combination of lack in performance and features [message #148523 is a reply to message #148520] Tue, 04 August 2020 12:47
ian.bugeja
Messages: 566
Registered: March 2017
Location: Malta
The custom logo is currently displayed only on blocked pages, not login pages.

Ian Bugeja
GFI Software