topic Re: Most traffic taking PXL (medium) path, resulting in high CPU in Firewall and Security Management

Most traffic taking PXL (medium) path, resulting in high CPU

Kaspars_Zibarts — Wed, 16 Feb 2022 12:17:31 GMT

OK, I'm giving up as I can't understand why would most traffic be pushed via medium path in one of our perimeter GWs.

Setup: GW running R80.40 T139, blades enabled: fw urlf appi ips identityServer.

The only TP blade we have is IPS. Yet running ips off command makes no difference at all. Whilst fw amw unload restores expected state with most traffic being accelerated.

This does not really make sense as AMW unload should only affect TP blades except IPS. But they are not even enabled!

Here are two screenshots: before and after AMW unload:

When I look at actual connections - it's pretty much everything, even internal network to DNS is being sent to PXL.

I tried adding explicit TP policy to exclude all internal networks:

But still no joy.

What am I missing?? 🙂

Re: Most traffic taking PXL (medium) path, resulting in high CPU

Timothy_Hall — Wed, 16 Feb 2022 14:35:29 GMT

Throughput acceleration (pkts) is unaffected by the state of AMW, for you it is the Accept templating rate that is being impacted (conns) as well as causing some traffic to go Medium Path. Keep in mind that connections can migrate between different paths and be counted more than once, which is why Accelerated pkts/PXL/CPAS/F2F add up to more than 100%. Let's focus on the templating rate.

ips off only affects new connections, so you can't expect the acceleration percentage to dramatically change immediately. Try actually unchecking the IPS blade (and ensuring all other TP blades are unchecked) then reinstall the Threat Prevention policy, then reinstall the Access Control policy in a separate operation. Wait about 30 minutes for most existing connections to decay, how does it look then?

Usually Anti-bot is responsible for dramatically reducing connection templating rates (I even call this blade the "slayer" of templates in one of my books) and I'm wondering if there are still some Anti-bot hooks involved even when only IPS is enabled.

Re: Most traffic taking PXL (medium) path, resulting in high CPU

Kaspars_Zibarts — Wed, 16 Feb 2022 15:36:10 GMT

i actually run ips off -n which deletes templates, my understanding was that it would help to see effects faster. But lets try with IPS unchecked!

Re: Most traffic taking PXL (medium) path, resulting in high CPU

Kaspars_Zibarts — Wed, 16 Feb 2022 17:51:20 GMT

Great! Inactivating IPS indeed fixed it too! Ok, job in hand to tweak IPS and maybe get more cores to this VS! Thanks heaps @Timothy_Hall

Re: Most traffic taking PXL (medium) path, resulting in high CPU

Timothy_Hall — Thu, 17 Feb 2022 13:09:29 GMT

Yeah it is surprising how often IPS is the culprit in cases like this, but 90% of effective troubleshooting is knowing the right place to look...

Re: Most traffic taking PXL (medium) path, resulting in high CPU

Kaspars_Zibarts — Thu, 17 Feb 2022 14:11:21 GMT

Indeed!