Nickel

IPS Bypass.

Good night.


We have some branch office firewalls using R77.20.
The equipment model is 1450.
SMS uses version R80.10.
Sometimes IPS BYPASS happens, and when analyzing the logs, they report high CPU consumption.
The problem is that every time I look at the CPU consumption in the MONITOR, it is low.
Since the MONITORING blade is disabled on the firewall, I cannot see the CPU usage history in the MONITOR.
In some research I found that the cause might be that, in firewalls with more than one processor, even if the overall CPU utilization is low, if one of the cores reaches a high value the firewall can activate the IPS BYPASS.
The problem may be caused by some process stuck on a particular CPU.
The problem affects firewalls using version R77.20.

Is there any way to check CPU history via CLI?

9 Replies
Admin

I don't believe this is possible on the SMB appliances, which do not support Monitor Blade or cpview.
Platinum

Monitor blade is not disabled, it is just missing 🙂

The only way to monitor CPU usage over time is via SNMP. 

If bypass happens for a brief period of time, there is nothing to worry about. But if it is for a long time, then you should investigate it.

Nickel

Thank you.

Nickel

Thanks.

0 Kudos
Highlighted

See if the sar command is available on embedded Gaia; if present, there should be 30 days of system history, including CPU utilization per core. Really don't recommend enabling the IPS Bypass feature, since as you mentioned all it takes is just one CPU to exceed the high utilization water mark to disable/bypass IPS enforcement on ALL cores...

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
Sapphire

The sar command is not available on SMB devices (GAiA Embedded). I use a little script (attached) that notes every 30s the output from cat /proc/meminfo, cpstat os -f multi_cpu, top -n1 -b, ps auxf and the time of the generated output. You can change it to record data at other intervals or change the commands.
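
A collector of the kind described in this reply, written as an added example (it is not the poster's attached script, which is not reproduced on this page). The log path, rotation size and function names are assumptions; the four commands are the ones named in the post.

```shell
#!/bin/sh
# Added example: periodic CPU/memory snapshot logger for appliances without sar or cpview.
# LOG, INTERVAL, MAX_BYTES and the function names are assumptions for illustration.
LOG="${LOG:-/tmp/perf_history.log}"   # assumed path; choose a location with free space
INTERVAL="${INTERVAL:-30}"            # seconds between snapshots, as in the post
MAX_BYTES="${MAX_BYTES:-5000000}"     # rotate once the log grows past this size

# One command per line; these are the commands named in the post.
COMMANDS="${COMMANDS:-cat /proc/meminfo
cpstat os -f multi_cpu
top -n1 -b
ps auxf}"

rotate_if_large() {
    [ -f "$LOG" ] || return 0
    size=$(( $(wc -c < "$LOG") ))
    if [ "$size" -gt "$MAX_BYTES" ]; then
        mv -f "$LOG" "$LOG.1"         # keep one previous generation
    fi
}

snapshot() {
    rotate_if_large
    {
        echo "===== $(date '+%Y-%m-%d %H:%M:%S') ====="
        echo "$COMMANDS" | while IFS= read -r cmd; do
            [ -n "$cmd" ] || continue
            echo "--- $cmd"
            # Record failures instead of aborting, so one missing tool does not stop the history.
            sh -c "$cmd" 2>&1 < /dev/null || echo "(command failed or not available: exit $?)"
        done
    } >> "$LOG"
}

collect() {                           # collect [count]; count 0 = run until stopped
    count="${1:-0}"; n=0
    while :; do
        snapshot
        n=$((n + 1))
        if [ "$count" -gt 0 ] && [ "$n" -ge "$count" ]; then break; fi
        sleep "$INTERVAL"
    done
}

# Start only when asked, e.g.: nohup ./perf_history.sh start &
if [ "${1:-}" = "start" ]; then collect "${2:-0}"; fi
```

When an IPS bypass log entry appears, search the log for the `=====` timestamp lines closest to the event and compare the per-core figures in the `cpstat os -f multi_cpu` section with the overall average.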

Platinum

I also keep IPS Bypass disabled here, but for different reasons. 1. Don't want to compromise security and 2. Don't think CPU usage is a definitive criterion to disable it; load average is a better indicator.

Nickel

Thanks

Nickel

Thanks
