This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Prashan_Attanay
Collaborator
‎2017-10-25 09:27 PM

How to Tune the IPS

Hi Team,

Can anyone share the knowledge of how to fine-tune the IPS. Currently our IPS in recommended protection. And most of the signatures are in Detect mode. 

How you fine-tune the IPS based on Critical, High, Medium ? 

Can anyone guide me to fine-tune the IPS ? 

Cause we are getting this messages regularly 

Oct 26 09:45:52 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze_on_remote][CUL - Cluster] CUL state is ON for 0 seconds, remote Member 0 reporting high kernel CPU usage (100%), threshold=80%, local kernel CPU usage is 0%


Oct 26 09:45:52 2017 DC-IRDOFW2 last message repeated 6 times


Oct 26 09:45:53 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze_on_remote][CUL - Cluster] CUL state is ON for 1 seconds, remote Member 0 reporting high kernel CPU usage (100%), threshold=80%, local kernel CPU usage is 1%


Oct 26 09:45:53 2017 DC-IRDOFW2 last message repeated 6 times


Oct 26 09:45:53 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze_on_remote][CUL - Cluster] Changing CUL state to ON due to high CPU usage (100%) on remote Member 0, threshold = 80%, local kernel CPU usage is 1%


Oct 26 09:45:54 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze_on_remote][CUL - Cluster] CUL state is ON for 2 seconds, remote Member 0 reporting high kernel CPU usage (100%), threshold=80%, local kernel CPU usage is 0%


Oct 26 09:45:54 2017 DC-IRDOFW2 last message repeated 6 times


Oct 26 09:46:02 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 5 seconds ago


Oct 26 09:46:03 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 6 seconds ago


Oct 26 09:46:04 2017 DC-IRDOFW2 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one memb

0 Kudos
4 Replies
KennyManrique
Advisor
‎2017-10-26 09:02 AM

The message of CUL (Cluster Under Load) means a high resource usage on the firewall, in this case it seems to be because of high CPU. You can use the following sk articles to troubleshoot high cpu issues:

Performance analysis for Security Gateway NGX R65 / R7x 

Best Practices - Security Gateway Performance 

If you are sure about the problem is IPS blade, to start you can follow the document IPS Tuning - Best Practices

Regards.

0 Kudos
Jason_Dance
Collaborator
‎2017-10-26 10:33 AM

To see if it is indeed the IPS causing the high load, you can temporarily switch off the IPS with "ips off".  You can use tools like cpview (clish), top and nmon (expert mode) to track your CPU usage (Kenny mentioned sk33781 which is very useful in interpreting the output).

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-02-05 11:48 PM

Please see the following https://community.checkpoint.com/message/13840-r8010-ips-best-practices-guide 

EdesLC
Collaborator
‎2018-02-07 03:47 AM

There are tree documents that can help, take a look:

IPS Tuning Document (PDF). - http://dl3.checkpoint.com/paid/35/35b0b702d1728500b54c04da5ee05b96/CP_IPS_BestPractices.pdf?HashKey=... 

How to measure CPU time consumed by IPS protections 

How to tune the "Bypass under Load" IPS settings 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events