
Performance Impact of Prevent versus Detect with IPS

We run IPS with the Recommended profile. Most of the Critical and High performance-impact signatures are in Inactive and Detect mode. Since memory consumption is high, the Check Point TAC engineer advised us to fine-tune the Critical and High Performance Impact signatures into Prevent.

What is the relation between Detect and Prevent mode when it comes to memory and CPU consumption?

fwaccel stats -s
Accelerated conns/Total conns : 14/7707 (0%)
Accelerated pkts/Total pkts : 28742/10460438 (0%)
F2Fed pkts/Total pkts : 1381972/10460438 (13%)
PXL pkts/Total pkts : 9049724/10460438 (86%)
QXL pkts/Total pkts : 0/10460438 (0%)

8 Replies
Admin

Re: IPS Impact

With IPS, there should be no difference between detect and prevent mode in terms of CPU usage.

Re: IPS Impact

Hi Dameon,

Thank you for your prompt reply.

I went through sk98348 (3-9) IPS optimization; it shows that "Avoid setting protections to run in "Detect" mode - it might increase CPU consumption (without increasing the security)."

Also, according to the TAC engineer: "Based on sk98348 (3-9) IPS optimization, setting the profile protections on Prevent will utilize LESS of the machine's resources and provide a better performance."

So what are the methods to fine-tune the IPS? We had to fine-tune the IPS because we are getting the following messages repeatedly:

Oct 24 12:06:55 2017 DC-IRDOFW1 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 5 seconds ago
Oct 24 12:06:56 2017 DC-IRDOFW1 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 6 seconds ago

Thanks 

Admin

Re: IPS Impact

I suppose in general there is a little less of a performance impact because packets are dropped and don't egress an interface.

Some other suggestions for tuning are here: Best Practices - IPS 

Re: IPS Impact

Thank you Dameon


Re: IPS Impact

If CUL is getting invoked, your CPUs are getting pounded.  You need to figure out if it is happening in process space (us) or in kernel space (sy/si/hi) for starters with the top command.  If in process space you should be able to see what process(es) are beating up the CPU and take action to fix it.  If the high utilization is in kernel space, run enabled_blades to see which blades you have active and post it here. 

To conclusively see if it is IPS and not some other blade causing the high CPU, run ips off and see if the idle percentage immediately improves.  Don't forget to turn IPS back on!

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: IPS Impact

Hi Tim,

Thank you for your thoughts 

Please find the outputs Active and Standby device

Active 

enabled_blades
fw urlf av ips anti_bot

top - 09:24:48 up 4 days, 6:42, 1 user, load average: 0.58, 0.77, 0.72
Tasks: 123 total, 3 running, 120 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.1%us, 0.4%sy, 0.0%ni, 83.5%id, 0.0%wa, 0.9%hi, 14.1%si, 0.0%st
Mem: 4043336k total, 3655204k used, 388132k free, 55032k buffers
Swap: 10514532k total, 592k used, 10513940k free, 631532k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7763 admin     15   0     0    0    0 R   18  0.0 569:29.98 fw_worker_1
 7764 admin     15   0     0    0    0 R   16  0.0 557:48.79 fw_worker_2
 7762 admin     15   0     0    0    0 S   14  0.0 593:00.09 fw_worker_0
 8897 admin     15   0  343m 104m  30m S    3  2.6  42:51.97 cpd
 9373 admin     15   0 1397m 969m  26m S    1 24.6  97:06.83 fw_full

Standby

enabled_blades
fw urlf av ips anti_bot

top - 09:25:02 up 4 days, 6:14, 1 user, load average: 0.08, 0.02, 0.01
Tasks: 123 total, 2 running, 121 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2%us, 0.2%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
Mem: 4043336k total, 3472300k used, 571036k free, 200604k buffers
Swap: 10514532k total, 568k used, 10513964k free, 551636k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7514 admin     15   0     0    0    0 R    1  0.0   5:57.76 fw_worker_0
 7515 admin     15   0     0    0    0 S    0  0.0   6:40.10 fw_worker_1
 7516 admin     15   0     0    0    0 S    0  0.0   6:25.12 fw_worker_2
 9139 admin     15   0 1384m 959m  26m S    0 24.3  67:45.25 fw_full

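The triage Tim lays out above (is the load in process space or kernel space, which blades are enabled, does idle recover with ips off), applied to the outputs the poster shared, as an added example. This is not Check Point code and not something from the thread: it parses the top "Cpu(s):" summary line, the fwaccel stats -s counters and the CUL kernel messages, with the values quoted in this thread embedded as sample input. The 10% busy threshold, the "kernel vs process" rule, the 90% slow-path cut-off and the wording of the suggested next steps are illustrative assumptions, not Check Point guidance.

```python
import re

# Sample input, copied from the outputs posted in this thread (Active member
# top header, Standby member top header, fwaccel stats -s, two CUL messages).
ACTIVE_TOP = "Cpu(s): 1.1%us, 0.4%sy, 0.0%ni, 83.5%id, 0.0%wa, 0.9%hi, 14.1%si, 0.0%st"
STANDBY_TOP = "Cpu(s): 0.2%us, 0.2%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st"

FWACCEL_STATS = """\
Accelerated conns/Total conns : 14/7707 (0%)
Accelerated pkts/Total pkts : 28742/10460438 (0%)
F2Fed pkts/Total pkts : 1381972/10460438 (13%)
PXL pkts/Total pkts : 9049724/10460438 (86%)
QXL pkts/Total pkts : 0/10460438 (0%)
"""

CUL_LOG = """\
Oct 24 12:06:55 2017 DC-IRDOFW1 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 5 seconds ago
Oct 24 12:06:56 2017 DC-IRDOFW1 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 6 seconds ago
"""

BUSY_THRESHOLD = 10.0   # assumed: below this much non-idle CPU there is nothing to classify
SLOW_PATH_ALERT = 90.0  # assumed: above this share of non-accelerated packets, call it out


def parse_top_cpu(line):
    """Map each field of a top 'Cpu(s):' summary line (us, sy, ni, id, ...) to its percent."""
    return {name: float(value) for value, name in re.findall(r"([\d.]+)%([a-z]+)", line)}


def classify_cpu(fields):
    """Split non-idle CPU into process space (us+ni) and kernel space (sy+si+hi)."""
    user = round(fields.get("us", 0.0) + fields.get("ni", 0.0), 1)
    kernel = round(fields.get("sy", 0.0) + fields.get("si", 0.0) + fields.get("hi", 0.0), 1)
    busy = round(100.0 - fields.get("id", 0.0), 1)
    if busy < BUSY_THRESHOLD:
        where = "idle"
    elif kernel >= user:
        where = "kernel"
    else:
        where = "process"
    return {"user": user, "kernel": kernel, "busy": busy, "where": where}


def parse_fwaccel(text):
    """Return {'Accelerated_pkts': (count, total), ...} from 'fwaccel stats -s' output."""
    counters = {}
    for m in re.finditer(r"^(\w+) (conns|pkts)/Total \w+ : (\d+)/(\d+)", text, re.M):
        counters[f"{m.group(1)}_{m.group(2)}"] = (int(m.group(3)), int(m.group(4)))
    return counters


def slow_path_pct(counters):
    """Share of packets that left the accelerated path (F2F firewall path plus PXL medium path)."""
    total = counters["Accelerated_pkts"][1]
    slow = counters["F2Fed_pkts"][0] + counters["PXL_pkts"][0]
    return round(100.0 * slow / total, 1)


CUL_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+ \d{4}) (\S+) kernel: \[(fw4_\d+)\];"
    r".*\[cul_load_freeze\].*high CPU usage (\d+) seconds ago"
)


def parse_cul(text):
    """Extract CUL freeze messages: timestamp, host, kernel instance, age of the high-CPU report."""
    events = []
    for line in text.splitlines():
        m = CUL_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "host": m.group(2),
                           "instance": m.group(3), "age_s": int(m.group(4))})
    return events


def triage(top_line, fwaccel_text, cul_text):
    """Combine the three inputs into the next step an admin should take (wording is ours)."""
    cpu = classify_cpu(parse_top_cpu(top_line))
    slow = slow_path_pct(parse_fwaccel(fwaccel_text))
    cul = parse_cul(cul_text)
    steps = []
    if cul:
        steps.append(f"{len(cul)} CUL freeze message(s) on {cul[0]['host']}: a member reported high CPU")
    if cpu["where"] == "kernel":
        steps.append("load is in kernel space (sy/si/hi): run enabled_blades, then 'ips off' briefly and watch %id")
    elif cpu["where"] == "process":
        steps.append("load is in process space (us): find the process in top and deal with it")
    else:
        steps.append("box is idle right now: capture top while the CUL messages are being logged")
    if slow > SLOW_PATH_ALERT:
        steps.append(f"{slow}% of packets leave SecureXL (F2F+PXL): expect the fw_worker instances to carry the load")
    return {"cpu": cpu, "slow_path_pct": slow, "cul_events": len(cul), "steps": steps}


if __name__ == "__main__":
    for name, line in (("Active", ACTIVE_TOP), ("Standby", STANDBY_TOP)):
        result = triage(line, FWACCEL_STATS, CUL_LOG)
        print(name, result["cpu"])
        for step in result["steps"]:
            print("  -", step)
```

On the Active member's numbers the script lands where Tim's reasoning does: 16.5% busy, of which 15.4 points are sy/si/hi, so the load is in kernel space, and with 99.7% of packets leaving the accelerated path the fw_worker instances at the top of the process list are expected. The Standby member comes out idle, which is why its top output on its own says nothing about the cause.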

Re: IPS Impact

I have to disagree my friend.

In Prevent you kill the connection and you are done. In Detect you have to keep the connection open and keep spending CPU cycles on tracking that traffic.

Admin

Re: IPS Impact

I conceded this already, for the points you mentioned :)