Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Collaborator

How to Tune the IPS

Hi Team,

Can anyone share the knowledge of how to fine-tune the IPS. Currently our IPS in recommended protection. And most of the signatures are in Detect mode. 

How you fine-tune the IPS based on Critical, High, Medium ? 

Can anyone guide me to fine-tune the IPS ? 

Cause we are getting this messages regularly 

Oct 26 09:45:52 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze_on_remote][CUL - Cluster] CUL state is ON for 0 seconds, remote Member 0 reporting high kernel CPU usage (100%), threshold=80%, local kernel CPU usage is 0%


Oct 26 09:45:52 2017 DC-IRDOFW2 last message repeated 6 times


Oct 26 09:45:53 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze_on_remote][CUL - Cluster] CUL state is ON for 1 seconds, remote Member 0 reporting high kernel CPU usage (100%), threshold=80%, local kernel CPU usage is 1%


Oct 26 09:45:53 2017 DC-IRDOFW2 last message repeated 6 times


Oct 26 09:45:53 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze_on_remote][CUL - Cluster] Changing CUL state to ON due to high CPU usage (100%) on remote Member 0, threshold = 80%, local kernel CPU usage is 1%


Oct 26 09:45:54 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze_on_remote][CUL - Cluster] CUL state is ON for 2 seconds, remote Member 0 reporting high kernel CPU usage (100%), threshold=80%, local kernel CPU usage is 0%


Oct 26 09:45:54 2017 DC-IRDOFW2 last message repeated 6 times


Oct 26 09:46:02 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 5 seconds ago


Oct 26 09:46:03 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 6 seconds ago


Oct 26 09:46:04 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one memb

0 Kudos
Reply
4 Replies

The message of CUL (Cluster Under Load) means a high resource usage on the firewall, in this case it seems to be because of high CPU. You can use the following sk articles to troubleshoot high cpu issues:

Performance analysis for Security Gateway NGX R65 / R7x 

Best Practices - Security Gateway Performance 

If you are sure about the problem is IPS blade, to start you can follow the document IPS Tuning - Best Practices

Regards.

0 Kudos
Reply
Collaborator

To see if it is indeed the IPS causing the high load, you can temporarily switch off the IPS with "ips off".  You can use tools like cpview (clish), top and nmon (expert mode) to track your CPU usage (Kenny mentioned sk33781 which is very useful in interpreting the output).

0 Kudos
Reply