IPS bypass under load - any way to exclude certain cores?

Hi,


we have a core assigned to our sync interface.

This interface now triggers the IPS bypass under load condition even though the "relevant" fw_worker cores have no high usage.

Already found this SK but it does not help: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

So is there a way to exclude a certain core from the calculation?


Regards Thomas

4 Replies
Admin

It specifically says any one core (not average CPU usage).
Don't see how a specific core can be excluded.
Champion

In my experience I wouldn't recommend enabling the IPS Bypass Under Load feature under any circumstances.  As you discovered all it takes is one core going above the thresholds (either SND or Worker) to kill all IPS enforcement, which is very likely to happen with a busy gateway and virtually guaranteed with the presence of elephant flows/heavy connections.  The real-world effect is that IPS enforcement is pretty much always disabled; this Bypass feature made sense in the old days when firewalls only had a few cores and any one of them becoming saturated by IPS enforcement duties caused a very noticeable effect.  However with so many firewall cores these days, time has passed this feature by as implemented and it is frankly no longer relevant or advisable.   Here are the notes from my IPS Immersion Video class about this topic:

This controversial feature will disable all IPS inspection completely (essentially running the ips off command) when both High Thresholds are exceeded, and re-enable IPS inspection when both Low thresholds are met. Note that all it takes is for ONE core to reach these thresholds for IPS enforcement to be disabled on ALL Firewall Worker cores FOR THE ENTIRE GATEWAY. See the following SK for more information about this potentially unexpected effect: sk107334: IPS Bypass is triggered even when CPU utilization is not over the defined threshold.


Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Collaborator
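The reply above describes the decision rule in words: bypass is entered as soon as any single core crosses the high thresholds, and inspection only resumes once every core is back under the low thresholds. The following is an added example written for this page, not code from the original thread or from Check Point; it models that rule over a few constructed per-core CPU samples to show why a busy SND core bound to the sync interface puts the whole gateway into bypass while the average and the fw_worker cores look fine. The threshold values, the AND between the CPU and memory thresholds, the hysteresis rule and the `considered_cores` option (which models the per-core exclusion the original poster asked for, and which the Admin reply says does not exist) are all assumptions, not the product's exact algorithm or defaults.

```python
"""Model of the per-core "IPS Bypass Under Load" decision discussed in this thread.

Added example, not Check Point code. Threshold values, the AND between CPU and
memory thresholds, and the hysteresis rule are assumptions modelled on the
replies above, not the product's exact algorithm or defaults.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Thresholds:
    cpu_high: int = 90   # assumed %, evaluated per core
    cpu_low: int = 70
    mem_high: int = 70   # assumed %, gateway-wide
    mem_low: int = 50


@dataclass(frozen=True)
class Sample:
    """One polling interval: per-core CPU busy % and gateway memory %."""
    per_core_cpu: dict
    mem_pct: int


def decide(sample, th, bypassing, considered_cores=None):
    """Return (bypass_now, triggering_core).

    considered_cores=None is the behaviour the thread describes: every core
    counts. Passing a subset models the per-core exclusion the original poster
    asked for; that option is hypothetical and not a product setting.
    """
    cores = sample.per_core_cpu
    if considered_cores is not None:
        cores = {c: v for c, v in cores.items() if c in considered_cores}
    worst_core = max(cores, key=cores.get)
    worst = cores[worst_core]
    if not bypassing:
        # Enter bypass when ANY one core is over the high mark (and memory is too).
        if worst > th.cpu_high and sample.mem_pct > th.mem_high:
            return True, worst_core
        return False, None
    # Already bypassing: stay there until ALL cores and memory are under the low marks.
    if worst <= th.cpu_low and sample.mem_pct <= th.mem_low:
        return False, None
    return True, worst_core


def walk(samples, th=Thresholds(), considered_cores=None):
    """Run the decision over successive samples; returns one record per sample."""
    out = []
    bypassing = False
    for s in samples:
        bypassing, core = decide(s, th, bypassing, considered_cores)
        out.append({
            "bypass": bypassing,
            "trigger": core,
            "avg_cpu": round(mean(s.per_core_cpu.values()), 1),
            "max_cpu": max(s.per_core_cpu.values()),
        })
    return out


# Constructed samples for an 8-core box: core 0 is the SND core bound to the sync
# interface, cores 2-7 are fw_worker instances that are mostly idle.
SYNC_CORE = 0
WORKERS = {2, 3, 4, 5, 6, 7}
SAMPLES = [
    Sample({0: 95, 1: 20, 2: 30, 3: 25, 4: 35, 5: 28, 6: 31, 7: 27}, mem_pct=75),  # sync core saturated
    Sample({0: 80, 1: 18, 2: 29, 3: 24, 4: 33, 5: 27, 6: 30, 7: 26}, mem_pct=60),  # above low: still bypassed
    Sample({0: 60, 1: 15, 2: 28, 3: 22, 4: 30, 5: 25, 6: 29, 7: 24}, mem_pct=45),  # all under low: resume
]

if __name__ == "__main__":
    for rec in walk(SAMPLES):
        print(rec)
    print("workers only:", [r["bypass"] for r in walk(SAMPLES, considered_cores=WORKERS)])
```

Running it shows the first sample entering bypass with an average CPU of about 36% because core 0 alone is at 95%, the second sample staying in bypass because that core is still above the low mark, and the third sample resuming inspection. Evaluating only the worker cores (the hypothetical exclusion) never triggers bypass on the same data, which is exactly the gap the original poster is describing.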

Hi Timothy,


While disabling the feature solves the issue, AFAIK it was also designed to cope with a kind of DoS attack caused by high IPS load (I know that it's a bad workaround for wrong sizing 😎).

It is not ideal to bypass IPS, but the design of calculating the bypass across all cores is quite bad. It should be triggered by some other "intelligent" thresholds.


Regards Thomas

Champion

Agreed the calculation mechanism for IPS Bypass needs to be updated to consider the presence of so many more cores on today's firewalls, and is why I can't recommend ever enabling IPS Bypass in its present form.  Tuning the IPS feature to reduce CPU load is far more likely to be fruitful, I think some guy wrote a book about that very topic...
