ujnetsec
New Contributor

IPS Engine Running at 95%-99%

I'm experiencing a similar problem, whereby one of our VDOMs in a 3000D FW, which connects +- 50k users (max sessions is +-400k sessions), has its CPU spike at around 9am every morning when everyone is back at work, and this affects our filtering. But as soon as we disable SSL Certificate inspection, the CPU goes back to normal. SSL is configured to inspect only 443.

 

I have upgraded the IPS engine from 3.00430 to 3.00444, but this did not resolve the issue.

 

This only happens on one of our VDOMs. We have 7 VDOMs in total, including the root VDOM, which is the only one that is running flow-based mode; the rest are running in Proxy Mode.

 

What could the issue be?

romanr
Valued Contributor

Hi,

 

In a flow mode VDOM the ipsengine daemon will run all UTM features, including Antivirus and Webfilter.

In FortiOS 5.4, disabling Certificate Inspection will cause ipsengine not to run the webfilter on https traffic. So with your amount of users and sessions you could easily knock out even a 3000D with a webfilter, depending on the actual user traffic (certificate inspection on and webfilter assigned on a policy).

 

For FortiOS 5.4 and 5.6 the actual ipsengine should be Version 3.00516, which also did solve some memory leaks since 442/443.

 

I'd strongly recommend you open a support ticket with FTNT!

 

Br,

Roman

ujnetsec

Hi Romanr 

 

I have changed the VDOM to run in Flow-Based mode. It is blocking http and https when using the Android default browser, but when using Chrome or Firefox only https is blocked. I have logged a call with Fortinet; they say they are busy troubleshooting on their side. Any idea what could cause this? I am running IPS engine v3.00444 and firmware v5.4.5, but tomorrow I am upgrading the firmware to v5.4.8.
