Allwyn_Mascarenhas
New Member
November 17, 2015
Question

FGT 90D ips process keeps coming on and traffic load doubt


Hi people,

I have an FGT 90D with OS 5.2.3 set up for an office of up to 100 users. I created an IPS profile for client Windows and Linux machines and applied it to all traffic to the internet. AV, application control and web filtering are also on, with certificate inspection.

The very next day we started facing problems with the CPU usage shooting to 90-100%, so IPS was disabled completely from the Config > Features menu, but I still keep seeing the ipsengine process in diag sys top.

It shuts down only after I kill it with diag test application ipsmonitor 98.

Also, how can one figure out if the FGT 90D is enough for the traffic load it's facing? I keep seeing up to 4k sessions and 11-20 sessions per second.


ede_pfau
SuperUser
November 17, 2015

hi,

you're talking about IPS load and not IPsec (pls edit your post; there's nothing wrong with using proper case).

Disabling the WebGUI feature won't touch the IPS process, as enabling it will not "magically" enforce IPS on your traffic. Edit your policy/policies and disable the IPS sensor applied to them.

Independently of the hardware in use, you can always configure IPS such that the CPU will hit 100% load.

That is to say: select IPS signatures that you really intend to use and not whole categories. Filter the list down as much as you can: level=critical, OS=Windows, vendor=Adobe, ... Scanning for 4,000 signatures on a busy policy will lead to CPU congestion, especially with AV and AppControl on top of it.

As for the number of sessions and session setup rate, I'd say the 90D is sufficient. It will surely depend on the throughput / bandwidth across the FGT.

Do you happen to have a PPPoE WAN connection? That will take a toll as well, as it seems that PPPoE is handled by the CPU.
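As an added example (not from the original thread or from Fortinet's documentation), the CLI below contrasts a sensor that matches every client-side signature with one narrowed the way ede_pfau suggests, and shows removing the sensor from a policy. The filter keywords (`location`, `os`, `application`) are as I remember the FortiOS 5.2 CLI and should be confirmed with `?` completion on the unit; the sensor names, the vendor value and policy id 5 are placeholders.

```fortios
# Broad sensor: a single filter entry that matches every client-side
# signature for both operating systems. This is the "pick the client OS,
# leave the rest at default" shape that, combined with AV and AppControl on
# the same busy policy, is what pushes the CPU to 90-100%.
config ips sensor
    edit "ips-client-broad"
        config entries
            edit 1
                set location client
                set os Windows Linux
                set status enable
                set action default
            next
        end
    next
end

# Narrowed sensor: only critical and high severity client-side signatures
# for one OS and one vendor (Adobe is an assumed example value). Each
# attribute added here shrinks the signature set the engine evaluates.
config ips sensor
    edit "ips-client-narrow"
        config entries
            edit 1
                set location client
                set severity critical high
                set os Windows
                set application Adobe
                set status enable
                set action block
                set log enable
            next
        end
    next
end

# Taking IPS off a policy. Hiding the feature in the WebGUI does not touch
# this binding; the sensor stays attached until it is unset here or in the
# policy editor. Policy id 5 is a placeholder.
config firewall policy
    edit 5
        unset ips-sensor
    next
end
```

After the change, watch `diag sys top` for the ipsengine process to confirm the load actually dropped rather than just the GUI option disappearing.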

Allwyn_Mascarenhas
New Member
November 20, 2015

Hi

Shouldn't disabling IPS in Config > Features disable it both at the process level and in the policies? It takes the IPS option out of the policies themselves.

The FortiGate doc on IPS configuration simply says to activate it by choosing the client option with the OS and leave the rest at default.

Also, is it recommended to use IPS for normal desktop user machines, or only for servers? The doc says it dismantles DoS-type attacks, something user PCs would rarely face, I guess.

I don't have a WAN PPPoE; I'm using static IPs for both WANs.

Allwyn_Mascarenhas
New Member
November 29, 2015

The FortiGate handbook simply says to choose the OS and severity for IPS and leave the rest at defaults. It recommends this for SMBs, though.

My client has an FGT-90D with up to 100 users.

Also, should I even be worried about IPS on normal client machines? What exact threats will IPS help in mitigating?

Will IPS dismantle connections like a worm or virus on the network trying to download more worms onto the network? What else can it work with?

Sorry if the questions just sound really noobish; IPS technology is really confusing to me as of now. I would really appreciate it if anyone could point out good reading material on it.