This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_DeBaggis
Employee
Employee
‎2022-06-22 04:00 PM

IPS bypass and Dynamic Balance

I hopefully have a quick question for you all regarding IPS bypass. If we turn on dynamic balance on a gateway that also has IPS bypass enabled will dynamic balance work in a manner that offloads the inspection to other workers before IPS bypass is triggered? We can set the bypass threshold to a higher percentage if needed, but I’m just trying to understand the mechanics here because we have gateways going into bypass for hours per day in some locations. From my understanding this should be a viable method to prevent bypass from engaging. I just want to confirm.

If this method will not prevent IPS bypass from being triggered is there any other feature available to force inspection to other workers before it is triggered? I have not come across anything so I’m curious to find out the answer.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-06-22 04:32 PM

All it takes for IPS Bypass to be triggered is for one CPU to be high.
The whole purpose of Dynamic Balancing is to mitigate exactly that from happening.
I would therefore assume that enabling Dynamic Balancing would reduce the amount of time IPS Bypass would need to be triggered.
All bets are off if the issue is caused by an elephant flow, of course.

Chris_DeBaggis
Employee
Employee
‎2022-06-22 06:29 PM
In response to PhoneBoy

Thank you. We have a solution coming for elephant flows so that should assist in that scenario. I appreciate the quick reply. 

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-06-23 06:17 AM
In response to Chris_DeBaggis

Dynamic Balancing combined with Hyperflow being introduced in R81.20 should reduce the incidence of the IPS Bypass being activated. 

When IPS Bypass was first introduced in R70, firewalls had relatively few cores such as 2, 4, or even perhaps 8.  If one of them got saturated by IPS it would cause a noticeable impact and it was appropriate in that scenario to disable IPS on all cores because there were so few of them.  Unfortunately in todays world of 40+ core systems that methodology is completely inappropriate and essentially results in IPS being disabled on all cores all the time.  What really needs to happen is the IPS Bypass feature averaging the utilization of all cores when deciding whether to go into bypass mode.  Until that happens my recommendation is to leave the IPS Bypass feature off.  See my other response on this topic here which has some content from one of my courses:

https://community.checkpoint.com/t5/Security-Gateways/IPS-Bypass-is-triggered-even-when-CPU-utilizat...

 

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos