Technical Tip: Introduction of IPS process

In FortiGate, IPS (Intrusion Prevention System) are used to detect or block attacks/exploits/known vulnerabilities with signature-based defense.

There are three main processes within the IPS:

1. The ipsmonitor process is used for:

• Start/Stop IPS engines, Watchdog for IPS processes.
• Killing ipsmonitor will restart all ipsengines.

diag test app ipsmonitor 1 <- Will display basic information on ipsmonitor.

2. The ipshelper process is used for:

• Configuration Management inside IPS engine.
• Monitor CMDB changes related to IPS.
• Compile IPS rule DB and generate DFA(Direct Filter Approach).
  
  

Note that ipshelper is always at index 0 in the IPS process.

3. The ipsengine process is used for:

• The work process to do packet inspection.
• Involvement in application control, Flow mode AV, Flow mode DLP and flow-based Email Filter.

The number of the engine depends on different models/hardware.

• It will be indexed starting from 1, 2, 3, 4 etc.

Index 1 will be the master IPS engine which is responsible for:

• Updating the DB in hardware.
• Performing cleanup SSL caches in Caches.

They most likely will have higher CPU/Memory usage than the other IPS engine workers.

For the last point, it is possible to see the process having a significantly higher CPU usage (i.e. in the output of command diagnose sys top). Investigate further with the following commands:

After, dump details about the process IDs:

diagnose sys process pstack <PID>        <- Dump process userspace stack.
diagnose sys process dump <PID>          <- Dump process kernel stack.

Dump process kernel stack.

The PID of the process can be found in the first column of diagnose sys top  after the name or with the following command:

diagnose sys process pidof <name of process>