Hoping someone might be able to provide some insight on a performance issue occurring on multiple clusters in our environment.
Gateways are running R77.30 with R80.10 SMS. Latest Jumbos applied to all. Most of them are running firewall and IPS blades only. IPS profile is set to optimized. No exclusions. I've gone through and made sure that no High or Critical performance signatures are active on the profile. Gateway is currently set to Detect only in the IPS section of the cluster object.
Vast majority of traffic is HTTP, HTTPS, DNS, and RTP. cpview shows HTTPS and UDP as the top traffic types hitting PXL under Advanced-Network-Path. Less than 10% of traffic is hitting F2F.
If I disable IPS blade as a test, SXL accelerates 80%+ of traffic and CPU drops in half, so IPS is clearly impacting performance. Disabling IPS is not an option, and neither is significantly reducing the protected scope.
I've read through Timothy Hall's max power a couple of times now and nothing in there is jumping out as something I missed in terms of basic IPS tuning.
A few questions really stick out in my mind
1. If IPS is set to "Protect internal hosts only" and at least 33% of the traffic is destined to an external interface with correct topology definition, how is it that over 90% of traffic is hitting PXL? It would seem that this couldn't solely be a result of IPS.
2. Does setting the gateway into detect mode in the cluster object cause any sort of issue (rather than configuring detect on the signatures and letting policy control it) ? And yes, I understand that prevent is desired, but I still need to do proper analysis on the traffic to ensure production traffic is not impacted.
3. I have yet to run a debug to look for why specific traffic is hitting PXL due to difficulty in getting a maintenance window. Is there even any benefit to this? IPS is the likely culprit and I don't need a debug to figure that out; but will it provide anything other than sent to PXL for IPS?
4. The Max Power book makes it seem that all medium or lower performance impact signatures on IPS are eligible for acceleration. If all High and Critical signatures are inactive, how can I explain this behaviour? Am I wasting time tuning the Optimized profile when gateways are still R77.30?
5. Is there any usual culprits in the firewall blade that I should be looking at? Connection templates are disabled early on in the rule base but my understanding is that it will still accelerate traffic after the initial policy decision.
Any thoughts or guidance is appreciated.