FortiGate
ppatel (Staff)
Article Id 191254

Description


This article describes the IPS 'socket size' and 'fail-open' functions.

 

Scope

 

IPS in FortiGate.


Solution


Fail-open.

A 'fail-open' scenario is triggered when the IPS raw socket buffer is full: the IPS engine no longer has enough memory to create new sessions and must decide whether to drop them or pass them through without inspection.
This behavior is configurable with the following command:

 

config ips global
    set fail-open {enable | disable}
end

 

The default value is 'disable', which means IPS traffic is blocked when the IPS engine process enters fail-open mode.

If set to 'enable', all new sessions will be allowed without inspection when fail-open mode triggers.

 

IPS fail-open event details can be seen in the crash log with the command below:

diagnose debug crashlog read


Note that nTurbo hardware acceleration does not support 'fail-open enable'.

On these units, when fail-open mode occurs, traffic is dropped regardless of the configuration unless nTurbo is disabled. However, disabling nTurbo is not recommended, as it increases the load on the main CPU.


To disable nTurbo, run the following command:

 

config ips global
    set np-accel-mode none
end

 

IPS buffer size.

 

To check the current socket size (which may be the default), use the following command:

 

diagnose test application ipsmonitor 1

 

Example:

 

diagnose test application ipsmonitor 1
pid = 147, engine count = 5
0 - pid:158:158 cfg:1 master:0 run:1
1 - pid:253:253 cfg:0 master:1 run:1
2 - pid:254:254 cfg:0 master:0 run:1
3 - pid:255:255 cfg:0 master:0 run:1
4 - pid:256:256 cfg:0 master:0 run:1

         pid: 253 index:1 master version: 07002000FLEN07700-00007.00002.00212-2203222338
         up time: 5 days 23 hours 1 minutes
         init time: 0 seconds
         socket size: 32(MB)  <---IPS socket size to receive data from kernel

         database: regular
         bypass: disable
         pid: 254 index:2


Adjust the size of the IPS buffer with the command below:

 

config ips global
    set socket-size <int>
end

 

The acceptable range and the default size vary by FortiGate model and memory size. The range accepted for the current memory size can be displayed by entering the '?' symbol after the 'set socket-size' command.
'Socket-size' determines how much data the kernel passes to the IPS engine each time the engine samples packets.

Setting the value too high may lead to high memory usage by the IPS engine process and potentially trigger conserve mode.
Setting it too low may trigger fail-open mode too early.

 

If regular traffic is triggering fail-open mode and the memory usage of the firewall is relatively low, consider increasing the size.
If the memory usage of the IPS engine process is too high and fail-open mode still does not trigger, consider decreasing the size.
In most situations, the default value is sufficient for normal operation.

 

A good starting point is usually to double the previous socket size. For example, increasing from 64MB to 128MB.

When reducing the socket size, consider halving the previous size. For example, reducing from 256MB to 128MB.
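As an added example (not part of the original article or of FortiOS), the following Python helper parses the 'diagnose test application ipsmonitor 1' output format shown above to extract the master engine and the current socket size, and then applies the article's sizing rule of thumb (double when regular traffic trips fail-open and firewall memory is low, halve when the IPS engine uses too much memory without fail-open occurring). The sample output is constructed from the article's example; the function names and the memory-pressure flags are assumptions.

```python
import re

# Constructed sample, modelled on the article's 'ipsmonitor 1' output.
SAMPLE_OUTPUT = """\
pid = 147, engine count = 3
0 - pid:158:158 cfg:1 master:0 run:1
1 - pid:253:253 cfg:0 master:1 run:1
2 - pid:254:254 cfg:0 master:0 run:1

         pid: 253 index:1 master version: 07002000FLEN07700-00007.00002.00212-2203222338
         up time: 5 days 23 hours 1 minutes
         socket size: 32(MB)
         database: regular
         bypass: disable
"""

# One line per IPS engine process: "<idx> - pid:<pid>:<pid> cfg:<0|1> master:<0|1> run:<0|1>"
ENGINE_RE = re.compile(r"^(\d+) - pid:(\d+):\d+ cfg:(\d) master:(\d) run:(\d)$")
SOCKET_RE = re.compile(r"socket size:\s*(\d+)\(MB\)")
BYPASS_RE = re.compile(r"bypass:\s*(\w+)")


def parse_ipsmonitor(text):
    """Summarise the engine list, the master engine pid, the socket size and bypass state."""
    engines, master_pid = [], None
    for line in text.splitlines():
        m = ENGINE_RE.match(line.strip())
        if m:
            idx, pid, cfg, master, run = (int(x) for x in m.groups())
            engines.append({"index": idx, "pid": pid, "cfg": bool(cfg),
                            "master": bool(master), "running": bool(run)})
            if master:
                master_pid = pid
    sock = SOCKET_RE.search(text)
    byp = BYPASS_RE.search(text)
    return {
        "engines": engines,
        "master_pid": master_pid,
        "socket_size_mb": int(sock.group(1)) if sock else None,
        "bypass": byp.group(1) if byp else None,
    }


def recommend_socket_size(current_mb, fail_open_seen, fw_memory_high, ips_memory_high):
    """Return the next socket-size to try (MB), following the article's rule of thumb.
    The returned value must still fall inside the range the unit accepts ('set socket-size ?')."""
    if fail_open_seen and not fw_memory_high:
        return current_mb * 2        # fail-open with spare memory: double it
    if ips_memory_high and not fail_open_seen:
        return current_mb // 2       # IPS engine memory too high, no fail-open: halve it
    return current_mb                # otherwise keep the current (usually default) value
```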

 

Related article:

Troubleshooting Tip: IPS entering fail open mode