This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
wislleym
Contributor
‎2019-03-25 03:45 PM
Jump to solution

IPS Bypass.

Good night.


We have some branch office firewalls using R77.20.
The equipment model is 1450.
SMS uses version R80.10.
Sometimes IPS BYPASS happens and analyzing the logs is reporting high CPU consumption.
The problem is that every time I see the CPU consumption in the MONITOR CPU consumption is low.
Since the MONITORING blade is disabled on the firewall, I can not see the CPU usage history on the MONITOR.
In some research I found that the cause might be that in firewalls with more than one processor, even if the overall CPU utilization is low if one of the cores reaches a high value the firewall can activate the BYPASS IPS.
The problem may be caused by some process trapped in a particular CPU.
The problem reaches firewalls using version R77.20.

Is there any way to check CPU history via CLI?

12345.jpg

 

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2019-03-28 05:37 AM
In response to Timothy_Hall
Jump to solution

The sar command is not available on SMB devices GAiA Embedded. I use a little script (attached) that notes every 30s the output from cat /proc/meminfo, cpstat os -f multi_cpu, top -n1 -b, ps auxf and the time of the generated output. You can change to record data in other intervals or change commands.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

Preview file
3 KB
12 Replies
PhoneBoy
Admin
Admin
‎2019-03-27 04:15 PM
Jump to solution

I don't believe this is possible on the SMB appliances, which do not support Monitor Blade or cpview.
HristoGrigorov
Mentor
Mentor
‎2019-03-27 11:43 PM
In response to PhoneBoy
Jump to solution

Monitor blade is not disabled, it is just missing 🙂

The only way to monitor CPU usage over time is via SNMP. 

If bypass happens for brief period of time there is nothing to worry about. But if it is for long time then you shall investigate it.

wislleym
Contributor
‎2019-03-29 03:00 PM
In response to HristoGrigorov
Jump to solution

Thank you.

0 Kudos
wislleym
Contributor
‎2019-03-29 02:59 PM
In response to PhoneBoy
Jump to solution

Thanks.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-03-28 05:00 AM
Jump to solution

See if the sar command is available on embedded Gaia, if present there should be 30 days of system history including CPU utilization per core.  Really don't recommend enabling the IPS Bypass feature since as you mentioned all it takes is just one CPU to exceed the high utilization water mark to disable/bypass IPS enforcement on ALL cores...

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
G_W_Albrecht
Legend Legend
Legend
‎2019-03-28 05:37 AM
In response to Timothy_Hall
Jump to solution

The sar command is not available on SMB devices GAiA Embedded. I use a little script (attached) that notes every 30s the output from cat /proc/meminfo, cpstat os -f multi_cpu, top -n1 -b, ps auxf and the time of the generated output. You can change to record data in other intervals or change commands.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Preview file
3 KB
HristoGrigorov
Mentor
Mentor
‎2019-03-28 05:55 AM
In response to G_W_Albrecht
Jump to solution

I also keep IPS Bypass disabled here but for different reasons. 1. Don't want to compromise security and 2. Don't think CPU usage is definitive criteria to disable it, load average is better indicator.

wislleym
Contributor
‎2019-03-29 04:23 PM
In response to HristoGrigorov
Jump to solution

Thanks

0 Kudos
wislleym
Contributor
‎2019-03-29 03:03 PM
In response to G_W_Albrecht
Jump to solution

Thanks

0 Kudos
Luis_Miguel_Mig
Advisor
‎2021-02-17 12:49 PM
In response to wislleym
Jump to solution

I am having a similar problem in my lab  immediately since I upgraded to r80.40 take 91. I didn't use to get IPS bypass events in take 87.
There is almost not traffic - 20 concurrent tcp sessions coming from one host I use for testing - and the cpu is idle most of the time. I see the cpu sometimes reaches 40% in cpview historic data.

I am certain the issue has to do with take 91 but I was wondering if there is a way to get more verbose logging to see how the system decides to bypass the IPS blade.
In a lab environment with almost not traffic, only one user, what % of packets is expected to go through the slow path? I have URL filtering, Anti bot , Antivirus, IPS enabled. I have disabled HTTPS inspection recently. 

0 Kudos
Vladimir
Champion
Champion
‎2021-02-17 07:07 PM
In response to Luis_Miguel_Mig
Jump to solution

Are you talking about R80.40 JHFA 91 on your management server?

Because original post was about SMB appliance running embedded R77.20, so not likely to be relevant issues.

0 Kudos
Luis_Miguel_Mig
Advisor
‎2021-02-18 01:50 AM
In response to Vladimir
Jump to solution

okay

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events