bmekler
New Member
July 25, 2010
IPS performance problems

FortiGate-200B, OS 4.2.1, IPS engine 1.00164. Behind the box are a bunch of Windows web servers; outbound traffic is about 70-80mbps at peak, inbound traffic is about 10% of outbound. Despite 200B being specced for 500mbps of IPS throughput, those 80-90mbps peg ipsengine CPU usage at 60-80%. IPS sensor used is filtered to target:server, severity: medium, high, critical, protocol:HTTP, OS:Windows, application: IIS, ASP_app; total 118 signatures. Even if the claimed performance is complete BS, I don't like to think that it's exaggerated by a factor of 5, and in any case, I need to do something about it. Is there a way to limit IPS scanning to just the inbound traffic? I don't really care about the stuff webservers are returning to user requests, I'm reasonably sure it's clean, and if I could ignore it, I'd reduce IPS load by 90%...

    9 replies

    Carl_Wallmark
    New Member
    July 25, 2010
    The IPS engine 1.00164 has a known bug that makes it go 90-99%; open a ticket and ask for 1.00165, and try that one...
    bmekler (Author)
    New Member
    July 25, 2010
    I'm familiar with that bug, and this is not it - I'm graphing traffic flow and CPU load with MRTG, and CPU load is closely tracking the traffic flow, rising and falling, not just sticking at 100%.
    Carl_Wallmark
    New Member
    July 26, 2010
    Is there a way to limit IPS scanning to just the inbound traffic?
    Just remove the IPS policy from the outbound firewall policy. It will still scan traffic flowing to and from the client, as long as the client initiated the traffic.
    bmekler (Author)
    New Member
    July 26, 2010
    It will still scan traffic flowing to and from the client, as long as the client initiated the traffic.
    And that's the problem! 90% of my traffic is flowing back on client-initiated connections, and if I could skip scanning that traffic, it'd solve all my problems...
    Carl_Wallmark
    New Member
    July 26, 2010
    Hmmmm, I know when you create custom IPS signatures you can specify flow to/from -> client/server, but I don't know how to change that in predefined signatures. I would open a ticket and check with them about your configuration; as you said, I don't believe they would have put in 500 Mb/s IPS if it can't handle it. BUT it could depend on more things, how many sessions etc... There are some CLI commands you can type to only let the IPS engine scan the first xxx bytes/kbytes of a session, and then stop scanning if it's OK.
    JnascECSI
    New Member
    July 26, 2010
    I was still having this issue also with our 200A on 4.0 MR1 patch 6 running IPS engine 1.164, and just today got IPS Engine 1.167 from TAC. If you're still hitting 99% and it doesn't go away, open a ticket and get 1.167 from TAC. Not sure if it's fixed the problem, but I should know in the next couple of hours.
    ejhardin
    New Member
    July 26, 2010
    I have been running 1.167 for a week now and it is stable, but still taking it a day at a time. One of the resolved issues in 1.167 that helped in my case was the IPS memory pools.
    bmekler (Author)
    New Member
    August 3, 2010
    They sent me 167, and then 168, and both did absolutely nothing. I think they're not quite comprehending that this isn't the usual 'CPU stuck at 100%' problem.
    cmberry
    New Member
    August 13, 2010
    I opened a ticket and got 1.00167 yesterday. Went from having CPU at 95% for over a month to about 11%. It's only been one day so far, but problem solved for me with 167.
    bmekler (Author)
    New Member
    August 15, 2010
    L2 support ran some tests on my box and found that 83% of the sessions are 63 bytes or less, which causes a lot of CPU overhead. FG200B is rated for 500mbps of IPS throughput on 512 byte UDP packets, not on 63 byte TCP packets, I suppose.
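As an added example (not from the thread and not Fortinet's code), a small Python script that performs the kind of check L2 support describes: it profiles session sizes from constructed FortiGate-style traffic-log lines and reports how many sessions are 63 bytes or less versus how many of the bytes they carry. The sentbyte/rcvdbyte field names follow the FortiOS traffic-log convention; the addresses and byte counts are made up.

```python
import re

# Constructed FortiGate-style key=value traffic-log lines (sample data, not from the
# thread). sentbyte/rcvdbyte follow the FortiOS traffic-log field names; the other
# fields are illustrative. Eight of the ten sessions are 63 bytes or smaller.
SAMPLE_LOGS = """\
srcip=203.0.113.10 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=40 rcvdbyte=0
srcip=203.0.113.11 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=52 rcvdbyte=0
srcip=203.0.113.12 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=60 rcvdbyte=0
srcip=203.0.113.13 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=44 rcvdbyte=0
srcip=203.0.113.14 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=63 rcvdbyte=0
srcip=203.0.113.15 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=40 rcvdbyte=0
srcip=203.0.113.16 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=48 rcvdbyte=0
srcip=203.0.113.17 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=20 rcvdbyte=40
srcip=203.0.113.18 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=512 rcvdbyte=48000
srcip=203.0.113.19 dstip=192.0.2.20 dstport=80 proto=6 sentbyte=900 rcvdbyte=120000
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_line(line: str) -> dict[str, str]:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def session_sizes(log_text: str) -> list[int]:
    """Total bytes in both directions for every session in the log text."""
    sizes = []
    for line in log_text.splitlines():
        if line.strip():
            f = parse_line(line)
            sizes.append(int(f.get("sentbyte", 0)) + int(f.get("rcvdbyte", 0)))
    return sizes


def size_profile(sizes: list[int], small_max: int = 63) -> dict[str, float]:
    """Share of sessions at or below small_max, and the share of bytes they carry."""
    small = [s for s in sizes if s <= small_max]
    total_bytes = sum(sizes)
    return {
        "sessions": len(sizes),
        "small_sessions": len(small),
        "small_session_pct": round(100 * len(small) / len(sizes), 1),
        "small_bytes_pct": round(100 * sum(small) / total_bytes, 1),
        "total_bytes": total_bytes,
    }


def objects_per_mbit(avg_bytes: float) -> float:
    """Packets or sessions the engine must handle per megabit at a given average size."""
    return 125_000 / avg_bytes  # 1 Mbit = 125,000 bytes
```

On the sample, 80% of the sessions carry about 0.2% of the bytes, and objects_per_mbit(63) is roughly eight times objects_per_mbit(512), which is why a throughput figure measured on 512-byte packets says little about the per-session load a mix of tiny TCP sessions generates.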