wislleym
Contributor

IPS Bypass.


Good night.


We have some branch office firewalls using R77.20.
The equipment model is 1450.
SMS uses version R80.10.
Sometimes IPS BYPASS happens, and the logs report high CPU consumption.
The problem is that every time I look at the CPU consumption in the MONITOR, the CPU consumption is low.
Since the MONITORING blade is disabled on the firewall, I cannot see the CPU usage history on the MONITOR.
In some research I found that the cause might be that in firewalls with more than one processor, even if the overall CPU utilization is low, if one of the cores reaches a high value the firewall can activate the BYPASS IPS.
The problem may be caused by some process trapped in a particular CPU.
The problem reaches firewalls using version R77.20.

Is there any way to check CPU history via CLI?


0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend

The sar command is not available on SMB devices GAiA Embedded. I use a little script (attached) that notes every 30s the output from cat /proc/meminfo, cpstat os -f multi_cpu, top -n1 -b, ps auxf and the time of the generated output. You can change to record data in other intervals or change commands.

View solution in original post
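
The script attached to the accepted answer is not reproduced on this page. The following is an added example, not G_W_Albrecht's script: a POSIX shell logger that records the same four commands every 30 seconds. The log path, the size cap with single-generation rotation, and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example (not the script attached to the post): periodic snapshots of
# the commands named in the accepted answer, for review after an IPS bypass.
LOG="${LOG:-/tmp/perf_history.log}"  # assumed path; pick storage with free space
INTERVAL="${INTERVAL:-30}"           # seconds between snapshots, as in the post
MAX_KB="${MAX_KB:-2048}"             # assumed size cap before the log is rotated

# Commands from the post, one per line; edit to record something else.
CMDS='cat /proc/meminfo
cpstat os -f multi_cpu
top -n1 -b
ps auxf'

# snapshot FILE: append one timestamped record of every command to FILE.
snapshot() {
    out="$1"
    {
        echo "===== $(date '+%Y-%m-%d %H:%M:%S') ====="
        echo "$CMDS" | while IFS= read -r cmd; do
            [ -n "$cmd" ] || continue
            echo "--- $cmd ---"
            set -- $cmd                      # split into program and arguments
            if command -v "$1" >/dev/null 2>&1; then
                # stdin from /dev/null so the command cannot eat the list
                "$@" </dev/null 2>&1 || echo "(exit status $?)"
            else
                echo "(not available: $1)"   # e.g. cpstat off the gateway
            fi
        done
    } >> "$out"
}

# rotate FILE: keep one older generation once FILE reaches MAX_KB.
rotate() {
    [ -f "$1" ] || return 0
    if [ $(( $(wc -c < "$1") / 1024 )) -ge "$MAX_KB" ]; then
        mv -f "$1" "$1.1"
    fi
}

# Loop only when started as "sh perf_history.sh run", so the functions can
# also be sourced and called one at a time.
if [ "${1:-}" = "run" ]; then
    while :; do
        rotate "$LOG"
        snapshot "$LOG"
        sleep "$INTERVAL"
    done
fi
```

Started in the background as `sh perf_history.sh run &` (the file name is hypothetical), it lets you compare the `cpstat os -f multi_cpu` sections recorded around the time of a bypass log entry to see whether a single core was saturated while overall utilization stayed low.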

12 Replies
PhoneBoy
Admin
I don't believe this is possible on the SMB appliances, which do not support Monitor Blade or cpview.

Monitor blade is not disabled, it is just missing 🙂

The only way to monitor CPU usage over time is via SNMP. 

If bypass happens for a brief period of time there is nothing to worry about. But if it is for a long time then you shall investigate it.

wislleym
Contributor

Thank you.

0 Kudos
wislleym
Contributor

Thanks.

0 Kudos
Timothy_Hall
Champion

See if the sar command is available on embedded Gaia, if present there should be 30 days of system history including CPU utilization per core.  Really don't recommend enabling the IPS Bypass feature since as you mentioned all it takes is just one CPU to exceed the high utilization water mark to disable/bypass IPS enforcement on ALL cores...

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
G_W_Albrecht
Legend


I also keep IPS Bypass disabled here but for different reasons: 1. Don't want to compromise security and 2. Don't think CPU usage is a definitive criterion to disable it; load average is a better indicator.

wislleym
Contributor

Thanks

0 Kudos
wislleym
Contributor

Thanks

0 Kudos
Luis_Miguel_Mig
Specialist

I am having a similar problem in my lab immediately since I upgraded to r80.40 take 91. I didn't use to get IPS bypass events in take 87.
There is almost no traffic - 20 concurrent tcp sessions coming from one host I use for testing - and the cpu is idle most of the time. I see the cpu sometimes reaches 40% in cpview historic data.

I am certain the issue has to do with take 91 but I was wondering if there is a way to get more verbose logging to see how the system decides to bypass the IPS blade.
In a lab environment with almost no traffic, only one user, what % of packets is expected to go through the slow path? I have URL filtering, Anti bot, Antivirus, IPS enabled. I have disabled HTTPS inspection recently.

0 Kudos
Vladimir
Champion

Are you talking about R80.40 JHFA 91 on your management server?

Because the original post was about an SMB appliance running embedded R77.20, so not likely to be relevant issues.

0 Kudos
Luis_Miguel_Mig
Specialist

okay

0 Kudos