FortiGate-200B, OS 4.2.1, IPS engine 1.00164. Behind the box are a bunch of Windows web servers; outbound traffic is about 70-80 Mbps at peak, inbound traffic is about 10% of outbound. Despite the 200B being specced for 500 Mbps of IPS throughput, those 80-90 Mbps peg ipsengine CPU usage at 60-80%. The IPS sensor used is filtered to target: server; severity: medium, high, critical; protocol: HTTP; OS: Windows; application: IIS, ASP_app; total 118 signatures.
Even if the claimed performance is complete BS, I don't like to think that it's exaggerated by a factor of 5, and in any case, I need to do something about it. Is there a way to limit IPS scanning to just the inbound traffic? I don't really care about the stuff webservers are returning to user requests, I'm reasonably sure it's clean, and if I could ignore it, I'd reduce IPS load by 90%...